lumma | 4c16edebd158f250b0fba02dce4f49fa9126e95139016e65b96642f2323930db

Analysis

max time kernel
32s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20-04-2024 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe
Size

102KB
MD5

fcb5695a58313c7c0341bd5a6a0e8bf7
SHA1

cc791671160e423aa7845566fdfe0e6c792401f5
SHA256

4c16edebd158f250b0fba02dce4f49fa9126e95139016e65b96642f2323930db
SHA512

64c9bf3ff64b15baed32ee60c53cbbadd69a29176176e7cc94eb932c93a8bdc8062f4d6daca95797dfd4cd8861905700439ed077bff01545f0c1e39dafd1c321
SSDEEP

3072:zDlFYy7UFiiL5/GJCj1GYsyKnuADfzRUlbt3Tzq7h6l:PB7Ur+bYs/uAPe3P/

Score

10^/10

lumma metasploit backdoor stealer trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

Detect Lumma Stealer payload V4 64 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1084-0-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2272-13-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/1084-16-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2608-27-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2272-31-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2608-41-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2356-51-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2356-63-0x0000000002250000-0x0000000002337000-memory.dmp	family_lumma_v4
behavioral1/memory/2584-56-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2348-66-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2356-69-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2924-80-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2348-84-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2924-98-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/640-106-0x0000000002850000-0x0000000002937000-memory.dmp	family_lumma_v4
behavioral1/memory/640-107-0x0000000002850000-0x0000000002937000-memory.dmp	family_lumma_v4
behavioral1/memory/1968-108-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/640-109-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/1968-120-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2312-131-0x0000000002750000-0x0000000002837000-memory.dmp	family_lumma_v4
behavioral1/memory/1704-133-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/1704-145-0x0000000002730000-0x0000000002817000-memory.dmp	family_lumma_v4
behavioral1/memory/1592-146-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2312-137-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/1704-150-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/1592-162-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2656-172-0x00000000026D0000-0x00000000027B7000-memory.dmp	family_lumma_v4
behavioral1/memory/2656-174-0x00000000026D0000-0x00000000027B7000-memory.dmp	family_lumma_v4
behavioral1/memory/2640-173-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2656-178-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2640-186-0x0000000002590000-0x0000000002677000-memory.dmp	family_lumma_v4
behavioral1/memory/2716-188-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2640-190-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2716-202-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/1904-213-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2708-228-0x00000000028F0000-0x00000000029D7000-memory.dmp	family_lumma_v4
behavioral1/memory/2748-229-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2868-221-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2708-230-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2748-237-0x00000000027D0000-0x00000000028B7000-memory.dmp	family_lumma_v4
behavioral1/memory/2748-238-0x00000000027D0000-0x00000000028B7000-memory.dmp	family_lumma_v4
behavioral1/memory/888-239-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2748-241-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/888-248-0x00000000026E0000-0x00000000027C7000-memory.dmp	family_lumma_v4
behavioral1/memory/1340-249-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/888-250-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2912-257-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/1340-258-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2912-265-0x00000000028E0000-0x00000000029C7000-memory.dmp	family_lumma_v4
behavioral1/memory/2912-266-0x00000000028E0000-0x00000000029C7000-memory.dmp	family_lumma_v4
behavioral1/memory/2828-267-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2912-268-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2828-275-0x0000000002920000-0x0000000002A07000-memory.dmp	family_lumma_v4
behavioral1/memory/2588-276-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2828-277-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2588-284-0x00000000027F0000-0x00000000028D7000-memory.dmp	family_lumma_v4
behavioral1/memory/2848-285-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2588-286-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2848-293-0x0000000002860000-0x0000000002947000-memory.dmp	family_lumma_v4
behavioral1/memory/2848-294-0x0000000002860000-0x0000000002947000-memory.dmp	family_lumma_v4
behavioral1/memory/2360-295-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2848-297-0x0000000000400000-0x00000000004E7000-memory.dmp	family_lumma_v4
behavioral1/memory/2360-305-0x0000000002780000-0x0000000002867000-memory.dmp	family_lumma_v4
behavioral1/memory/2360-306-0x0000000002780000-0x0000000002867000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

Processes:

lpdpbus.exeaemzhyl.exehmizbov.exeslmxmnu.execgnhbhd.exehqvkknj.exerwwziuo.exetonxaqw.exedjohikf.exeaojhosp.exeszxaopq.exeduqkekq.exezvixzvc.exemmdaidi.exeohgcdex.exeujoxtbu.exeyvhfnlh.exeiyfqaoo.exetuyahio.exeabtacyy.exehusfzro.exeprcsidr.execmliogq.exejxsnlay.exerfgffyh.exebagynsi.exejerdwdt.exeddhgzba.exennwqmeo.exeuvkigtq.exehibymxx.exehppyhmg.exerambuqm.exebkcgzgo.exelvrqujv.exescejgye.exenbvljwl.exeptmbbst.exezontjmu.exeknzrblb.exeuqpbooi.exegojexwn.exernobhvv.exevesodbg.exeirkejff.exenedmchk.exexswjaox.exehrihlne.exermjzshf.exewruzmrs.exehnvrtmt.exerxlcopz.exeaaimcsf.exeiekrtdq.exesdwxdcq.exedzphlwy.exengbfdvg.exeuopfqkh.execvkxkar.exemuouuzy.exeztrxdhe.exeivhhykk.exewiqxeoj.exegicuonr.exe

pid	process
2272	lpdpbus.exe
2608	aemzhyl.exe
2584	hmizbov.exe
2356	slmxmnu.exe
2348	cgnhbhd.exe
2924	hqvkknj.exe
640	rwwziuo.exe
1968	tonxaqw.exe
2312	djohikf.exe
1704	aojhosp.exe
1592	szxaopq.exe
2656	duqkekq.exe
2640	zvixzvc.exe
2716	mmdaidi.exe
1904	ohgcdex.exe
2868	ujoxtbu.exe
2708	yvhfnlh.exe
2748	iyfqaoo.exe
888	tuyahio.exe
1340	abtacyy.exe
2912	husfzro.exe
2828	prcsidr.exe
2588	cmliogq.exe
2848	jxsnlay.exe
2360	rfgffyh.exe
2412	bagynsi.exe
2332	jerdwdt.exe
1448	ddhgzba.exe
800	nnwqmeo.exe
1828	uvkigtq.exe
2324	hibymxx.exe
1500	hppyhmg.exe
3032	rambuqm.exe
2132	bkcgzgo.exe
380	lvrqujv.exe
440	scejgye.exe
1580	nbvljwl.exe
1116	ptmbbst.exe
1120	zontjmu.exe
2852	knzrblb.exe
2972	uqpbooi.exe
2224	gojexwn.exe
2148	rnobhvv.exe
2024	vesodbg.exe
1728	irkejff.exe
2576	nedmchk.exe
2128	xswjaox.exe
2376	hrihlne.exe
2768	rmjzshf.exe
856	wruzmrs.exe
2084	hnvrtmt.exe
1944	rxlcopz.exe
2200	aaimcsf.exe
1900	iekrtdq.exe
1648	sdwxdcq.exe
1948	dzphlwy.exe
528	ngbfdvg.exe
2040	uopfqkh.exe
324	cvkxkar.exe
2816	muouuzy.exe
1800	ztrxdhe.exe
1752	ivhhykk.exe
2172	wiqxeoj.exe
3000	gicuonr.exe

Loads dropped DLL 64 IoCs

Processes:

fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exelpdpbus.exeaemzhyl.exehmizbov.exeslmxmnu.execgnhbhd.exehqvkknj.exerwwziuo.exetonxaqw.exedjohikf.exeaojhosp.exeszxaopq.exeduqkekq.exezvixzvc.exemmdaidi.exeohgcdex.exeujoxtbu.exeyvhfnlh.exeiyfqaoo.exetuyahio.exeabtacyy.exehusfzro.exeprcsidr.execmliogq.exejxsnlay.exerfgffyh.exebagynsi.exejerdwdt.exeddhgzba.exennwqmeo.exeuvkigtq.exehibymxx.exe

pid	process
1084	fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe
1084	fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe
2272	lpdpbus.exe
2272	lpdpbus.exe
2608	aemzhyl.exe
2608	aemzhyl.exe
2584	hmizbov.exe
2584	hmizbov.exe
2356	slmxmnu.exe
2356	slmxmnu.exe
2348	cgnhbhd.exe
2348	cgnhbhd.exe
2924	hqvkknj.exe
2924	hqvkknj.exe
640	rwwziuo.exe
640	rwwziuo.exe
1968	tonxaqw.exe
1968	tonxaqw.exe
2312	djohikf.exe
2312	djohikf.exe
1704	aojhosp.exe
1704	aojhosp.exe
1592	szxaopq.exe
1592	szxaopq.exe
2656	duqkekq.exe
2656	duqkekq.exe
2640	zvixzvc.exe
2640	zvixzvc.exe
2716	mmdaidi.exe
2716	mmdaidi.exe
1904	ohgcdex.exe
1904	ohgcdex.exe
2868	ujoxtbu.exe
2868	ujoxtbu.exe
2708	yvhfnlh.exe
2708	yvhfnlh.exe
2748	iyfqaoo.exe
2748	iyfqaoo.exe
888	tuyahio.exe
888	tuyahio.exe
1340	abtacyy.exe
1340	abtacyy.exe
2912	husfzro.exe
2912	husfzro.exe
2828	prcsidr.exe
2828	prcsidr.exe
2588	cmliogq.exe
2588	cmliogq.exe
2848	jxsnlay.exe
2848	jxsnlay.exe
2360	rfgffyh.exe
2360	rfgffyh.exe
2412	bagynsi.exe
2412	bagynsi.exe
2332	jerdwdt.exe
2332	jerdwdt.exe
1448	ddhgzba.exe
1448	ddhgzba.exe
800	nnwqmeo.exe
800	nnwqmeo.exe
1828	uvkigtq.exe
1828	uvkigtq.exe
2324	hibymxx.exe
2324	hibymxx.exe

Drops file in System32 directory 64 IoCs

Processes:

excpcxg.execmliogq.exengbfdvg.exeuqpbooi.exeuopfqkh.execopltzj.exewvqulsj.exelvrqujv.exewiqxeoj.exelpdpbus.exeivhhykk.exexpdcnnk.exeypiypcu.exeaaimcsf.exeuekdoux.exeiydagfc.exeokkoioq.exexarrqzl.exeszxaopq.exenbvljwl.exeepznbxd.exefvoutfg.exennwqmeo.exeqvucsbt.exejxsnlay.exeuaigdmc.exehmizbov.exenedmchk.exevesodbg.exexjvtgdu.exekepnvst.exeubcohna.exeptmbbst.exeesbkkiz.exeipwkxfv.exehibymxx.exeknzrblb.exerxlcopz.exeoolsmwl.exefdfczkw.exeaemzhyl.exeohgcdex.exebagynsi.exennujyil.exeduqkekq.exeuolpctj.exehrihlne.exeslmxmnu.exerfgffyh.exezontjmu.exevajypxx.exeiqkpbpq.exe

description	ioc	process
File created	C:\Windows\SysWOW64\iqkpbpq.exe	excpcxg.exe
File opened for modification	C:\Windows\SysWOW64\jxsnlay.exe	cmliogq.exe
File created	C:\Windows\SysWOW64\uopfqkh.exe	ngbfdvg.exe
File opened for modification	C:\Windows\SysWOW64\gojexwn.exe	uqpbooi.exe
File created	C:\Windows\SysWOW64\cvkxkar.exe	uopfqkh.exe
File opened for modification	C:\Windows\SysWOW64\lrfwgup.exe	copltzj.exe
File opened for modification	C:\Windows\SysWOW64\ipwkxfv.exe	wvqulsj.exe
File opened for modification	C:\Windows\SysWOW64\scejgye.exe	lvrqujv.exe
File created	C:\Windows\SysWOW64\gicuonr.exe	wiqxeoj.exe
File created	C:\Windows\SysWOW64\aemzhyl.exe	lpdpbus.exe
File opened for modification	C:\Windows\SysWOW64\wiqxeoj.exe	ivhhykk.exe
File created	C:\Windows\SysWOW64\kfffwwp.exe	xpdcnnk.exe
File opened for modification	C:\Windows\SysWOW64\mcrovgt.exe	ypiypcu.exe
File created	C:\Windows\SysWOW64\iekrtdq.exe	aaimcsf.exe
File created	C:\Windows\SysWOW64\epznbxd.exe	uekdoux.exe
File created	C:\Windows\SysWOW64\syqyqek.exe	iydagfc.exe
File opened for modification	C:\Windows\SysWOW64\woutszs.exe	okkoioq.exe
File opened for modification	C:\Windows\SysWOW64\gdguluz.exe	xarrqzl.exe
File opened for modification	C:\Windows\SysWOW64\duqkekq.exe	szxaopq.exe
File created	C:\Windows\SysWOW64\ptmbbst.exe	nbvljwl.exe
File opened for modification	C:\Windows\SysWOW64\gicuonr.exe	wiqxeoj.exe
File opened for modification	C:\Windows\SysWOW64\oolsmwl.exe	epznbxd.exe
File opened for modification	C:\Windows\SysWOW64\uolpctj.exe	fvoutfg.exe
File opened for modification	C:\Windows\SysWOW64\uvkigtq.exe	nnwqmeo.exe
File opened for modification	C:\Windows\SysWOW64\fdfczkw.exe	qvucsbt.exe
File created	C:\Windows\SysWOW64\rfgffyh.exe	jxsnlay.exe
File opened for modification	C:\Windows\SysWOW64\ewjqkhc.exe	uaigdmc.exe
File created	C:\Windows\SysWOW64\slmxmnu.exe	hmizbov.exe
File created	C:\Windows\SysWOW64\xswjaox.exe	nedmchk.exe
File created	C:\Windows\SysWOW64\irkejff.exe	vesodbg.exe
File created	C:\Windows\SysWOW64\hizqqcb.exe	xjvtgdu.exe
File created	C:\Windows\SysWOW64\uaigdmc.exe	kepnvst.exe
File created	C:\Windows\SysWOW64\eagmzmi.exe	ubcohna.exe
File opened for modification	C:\Windows\SysWOW64\zontjmu.exe	ptmbbst.exe
File opened for modification	C:\Windows\SysWOW64\uopfqkh.exe	ngbfdvg.exe
File created	C:\Windows\SysWOW64\lrfwgup.exe	copltzj.exe
File created	C:\Windows\SysWOW64\mcrovgt.exe	ypiypcu.exe
File created	C:\Windows\SysWOW64\wvqulsj.exe	esbkkiz.exe
File opened for modification	C:\Windows\SysWOW64\udkulxx.exe	ipwkxfv.exe
File opened for modification	C:\Windows\SysWOW64\iekrtdq.exe	aaimcsf.exe
File opened for modification	C:\Windows\SysWOW64\hppyhmg.exe	hibymxx.exe
File created	C:\Windows\SysWOW64\uqpbooi.exe	knzrblb.exe
File created	C:\Windows\SysWOW64\aaimcsf.exe	rxlcopz.exe
File created	C:\Windows\SysWOW64\lxtncuq.exe	oolsmwl.exe
File created	C:\Windows\SysWOW64\fvoutfg.exe	fdfczkw.exe
File opened for modification	C:\Windows\SysWOW64\hmizbov.exe	aemzhyl.exe
File created	C:\Windows\SysWOW64\ujoxtbu.exe	ohgcdex.exe
File opened for modification	C:\Windows\SysWOW64\jerdwdt.exe	bagynsi.exe
File created	C:\Windows\SysWOW64\hppyhmg.exe	hibymxx.exe
File opened for modification	C:\Windows\SysWOW64\epznbxd.exe	uekdoux.exe
File created	C:\Windows\SysWOW64\woutszs.exe	okkoioq.exe
File opened for modification	C:\Windows\SysWOW64\xjvtgdu.exe	nnujyil.exe
File created	C:\Windows\SysWOW64\uolpctj.exe	fvoutfg.exe
File created	C:\Windows\SysWOW64\zvixzvc.exe	duqkekq.exe
File opened for modification	C:\Windows\SysWOW64\mhorkly.exe	uolpctj.exe
File created	C:\Windows\SysWOW64\mhorkly.exe	uolpctj.exe
File created	C:\Windows\SysWOW64\rmjzshf.exe	hrihlne.exe
File opened for modification	C:\Windows\SysWOW64\syqyqek.exe	iydagfc.exe
File opened for modification	C:\Windows\SysWOW64\eagmzmi.exe	ubcohna.exe
File created	C:\Windows\SysWOW64\cgnhbhd.exe	slmxmnu.exe
File opened for modification	C:\Windows\SysWOW64\bagynsi.exe	rfgffyh.exe
File opened for modification	C:\Windows\SysWOW64\knzrblb.exe	zontjmu.exe
File created	C:\Windows\SysWOW64\iydagfc.exe	vajypxx.exe
File created	C:\Windows\SysWOW64\qvucsbt.exe	iqkpbpq.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1084 wrote to memory of 2272	1084	fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe	lpdpbus.exe
PID 1084 wrote to memory of 2272	1084	fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe	lpdpbus.exe
PID 1084 wrote to memory of 2272	1084	fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe	lpdpbus.exe
PID 1084 wrote to memory of 2272	1084	fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe	lpdpbus.exe
PID 2272 wrote to memory of 2608	2272	lpdpbus.exe	aemzhyl.exe
PID 2272 wrote to memory of 2608	2272	lpdpbus.exe	aemzhyl.exe
PID 2272 wrote to memory of 2608	2272	lpdpbus.exe	aemzhyl.exe
PID 2272 wrote to memory of 2608	2272	lpdpbus.exe	aemzhyl.exe
PID 2608 wrote to memory of 2584	2608	aemzhyl.exe	hmizbov.exe
PID 2608 wrote to memory of 2584	2608	aemzhyl.exe	hmizbov.exe
PID 2608 wrote to memory of 2584	2608	aemzhyl.exe	hmizbov.exe
PID 2608 wrote to memory of 2584	2608	aemzhyl.exe	hmizbov.exe
PID 2584 wrote to memory of 2356	2584	hmizbov.exe	slmxmnu.exe
PID 2584 wrote to memory of 2356	2584	hmizbov.exe	slmxmnu.exe
PID 2584 wrote to memory of 2356	2584	hmizbov.exe	slmxmnu.exe
PID 2584 wrote to memory of 2356	2584	hmizbov.exe	slmxmnu.exe
PID 2356 wrote to memory of 2348	2356	slmxmnu.exe	cgnhbhd.exe
PID 2356 wrote to memory of 2348	2356	slmxmnu.exe	cgnhbhd.exe
PID 2356 wrote to memory of 2348	2356	slmxmnu.exe	cgnhbhd.exe
PID 2356 wrote to memory of 2348	2356	slmxmnu.exe	cgnhbhd.exe
PID 2348 wrote to memory of 2924	2348	cgnhbhd.exe	hqvkknj.exe
PID 2348 wrote to memory of 2924	2348	cgnhbhd.exe	hqvkknj.exe
PID 2348 wrote to memory of 2924	2348	cgnhbhd.exe	hqvkknj.exe
PID 2348 wrote to memory of 2924	2348	cgnhbhd.exe	hqvkknj.exe
PID 2924 wrote to memory of 640	2924	hqvkknj.exe	rwwziuo.exe
PID 2924 wrote to memory of 640	2924	hqvkknj.exe	rwwziuo.exe
PID 2924 wrote to memory of 640	2924	hqvkknj.exe	rwwziuo.exe
PID 2924 wrote to memory of 640	2924	hqvkknj.exe	rwwziuo.exe
PID 640 wrote to memory of 1968	640	rwwziuo.exe	tonxaqw.exe
PID 640 wrote to memory of 1968	640	rwwziuo.exe	tonxaqw.exe
PID 640 wrote to memory of 1968	640	rwwziuo.exe	tonxaqw.exe
PID 640 wrote to memory of 1968	640	rwwziuo.exe	tonxaqw.exe
PID 1968 wrote to memory of 2312	1968	tonxaqw.exe	djohikf.exe
PID 1968 wrote to memory of 2312	1968	tonxaqw.exe	djohikf.exe
PID 1968 wrote to memory of 2312	1968	tonxaqw.exe	djohikf.exe
PID 1968 wrote to memory of 2312	1968	tonxaqw.exe	djohikf.exe
PID 2312 wrote to memory of 1704	2312	djohikf.exe	aojhosp.exe
PID 2312 wrote to memory of 1704	2312	djohikf.exe	aojhosp.exe
PID 2312 wrote to memory of 1704	2312	djohikf.exe	aojhosp.exe
PID 2312 wrote to memory of 1704	2312	djohikf.exe	aojhosp.exe
PID 1704 wrote to memory of 1592	1704	aojhosp.exe	szxaopq.exe
PID 1704 wrote to memory of 1592	1704	aojhosp.exe	szxaopq.exe
PID 1704 wrote to memory of 1592	1704	aojhosp.exe	szxaopq.exe
PID 1704 wrote to memory of 1592	1704	aojhosp.exe	szxaopq.exe
PID 1592 wrote to memory of 2656	1592	szxaopq.exe	duqkekq.exe
PID 1592 wrote to memory of 2656	1592	szxaopq.exe	duqkekq.exe
PID 1592 wrote to memory of 2656	1592	szxaopq.exe	duqkekq.exe
PID 1592 wrote to memory of 2656	1592	szxaopq.exe	duqkekq.exe
PID 2656 wrote to memory of 2640	2656	duqkekq.exe	zvixzvc.exe
PID 2656 wrote to memory of 2640	2656	duqkekq.exe	zvixzvc.exe
PID 2656 wrote to memory of 2640	2656	duqkekq.exe	zvixzvc.exe
PID 2656 wrote to memory of 2640	2656	duqkekq.exe	zvixzvc.exe
PID 2640 wrote to memory of 2716	2640	zvixzvc.exe	mmdaidi.exe
PID 2640 wrote to memory of 2716	2640	zvixzvc.exe	mmdaidi.exe
PID 2640 wrote to memory of 2716	2640	zvixzvc.exe	mmdaidi.exe
PID 2640 wrote to memory of 2716	2640	zvixzvc.exe	mmdaidi.exe
PID 2716 wrote to memory of 1904	2716	mmdaidi.exe	ohgcdex.exe
PID 2716 wrote to memory of 1904	2716	mmdaidi.exe	ohgcdex.exe
PID 2716 wrote to memory of 1904	2716	mmdaidi.exe	ohgcdex.exe
PID 2716 wrote to memory of 1904	2716	mmdaidi.exe	ohgcdex.exe
PID 1904 wrote to memory of 2868	1904	ohgcdex.exe	ujoxtbu.exe
PID 1904 wrote to memory of 2868	1904	ohgcdex.exe	ujoxtbu.exe
PID 1904 wrote to memory of 2868	1904	ohgcdex.exe	ujoxtbu.exe
PID 1904 wrote to memory of 2868	1904	ohgcdex.exe	ujoxtbu.exe

C:\Users\Admin\AppData\Local\Temp\fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\lpdpbus.exe
C:\Windows\system32\lpdpbus.exe 476 "C:\Users\Admin\AppData\Local\Temp\fcb5695a58313c7c0341bd5a6a0e8bf7_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\SysWOW64\aemzhyl.exe
C:\Windows\system32\aemzhyl.exe 512 "C:\Windows\SysWOW64\lpdpbus.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\SysWOW64\hmizbov.exe
C:\Windows\system32\hmizbov.exe 516 "C:\Windows\SysWOW64\aemzhyl.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2584

C:\Windows\SysWOW64\slmxmnu.exe
C:\Windows\system32\slmxmnu.exe 452 "C:\Windows\SysWOW64\hmizbov.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\SysWOW64\cgnhbhd.exe
C:\Windows\system32\cgnhbhd.exe 524 "C:\Windows\SysWOW64\slmxmnu.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\hqvkknj.exe
C:\Windows\system32\hqvkknj.exe 528 "C:\Windows\SysWOW64\cgnhbhd.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\rwwziuo.exe
C:\Windows\system32\rwwziuo.exe 532 "C:\Windows\SysWOW64\hqvkknj.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\tonxaqw.exe
C:\Windows\system32\tonxaqw.exe 492 "C:\Windows\SysWOW64\rwwziuo.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\djohikf.exe
C:\Windows\system32\djohikf.exe 464 "C:\Windows\SysWOW64\tonxaqw.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\SysWOW64\aojhosp.exe
C:\Windows\system32\aojhosp.exe 544 "C:\Windows\SysWOW64\djohikf.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\SysWOW64\szxaopq.exe
C:\Windows\system32\szxaopq.exe 548 "C:\Windows\SysWOW64\aojhosp.exe"
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\SysWOW64\duqkekq.exe
C:\Windows\system32\duqkekq.exe 564 "C:\Windows\SysWOW64\szxaopq.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\zvixzvc.exe
C:\Windows\system32\zvixzvc.exe 552 "C:\Windows\SysWOW64\duqkekq.exe"
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640

C:\Windows\SysWOW64\mmdaidi.exe
C:\Windows\system32\mmdaidi.exe 556 "C:\Windows\SysWOW64\zvixzvc.exe"
15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\SysWOW64\ohgcdex.exe
C:\Windows\system32\ohgcdex.exe 560 "C:\Windows\SysWOW64\mmdaidi.exe"
16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\ujoxtbu.exe
C:\Windows\system32\ujoxtbu.exe 580 "C:\Windows\SysWOW64\ohgcdex.exe"
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868

C:\Windows\SysWOW64\yvhfnlh.exe
C:\Windows\system32\yvhfnlh.exe 572 "C:\Windows\SysWOW64\ujoxtbu.exe"
18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708

C:\Windows\SysWOW64\iyfqaoo.exe
C:\Windows\system32\iyfqaoo.exe 584 "C:\Windows\SysWOW64\yvhfnlh.exe"
19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748

C:\Windows\SysWOW64\tuyahio.exe
C:\Windows\system32\tuyahio.exe 568 "C:\Windows\SysWOW64\iyfqaoo.exe"
20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888

C:\Windows\SysWOW64\abtacyy.exe
C:\Windows\system32\abtacyy.exe 500 "C:\Windows\SysWOW64\tuyahio.exe"
21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340

C:\Windows\SysWOW64\husfzro.exe
C:\Windows\system32\husfzro.exe 604 "C:\Windows\SysWOW64\abtacyy.exe"
22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912

C:\Windows\SysWOW64\prcsidr.exe
C:\Windows\system32\prcsidr.exe 592 "C:\Windows\SysWOW64\husfzro.exe"
23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828

C:\Windows\SysWOW64\cmliogq.exe
C:\Windows\system32\cmliogq.exe 588 "C:\Windows\SysWOW64\prcsidr.exe"
24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2588

C:\Windows\SysWOW64\jxsnlay.exe
C:\Windows\system32\jxsnlay.exe 460 "C:\Windows\SysWOW64\cmliogq.exe"
25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2848

C:\Windows\SysWOW64\rfgffyh.exe
C:\Windows\system32\rfgffyh.exe 600 "C:\Windows\SysWOW64\jxsnlay.exe"
26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2360

C:\Windows\SysWOW64\bagynsi.exe
C:\Windows\system32\bagynsi.exe 576 "C:\Windows\SysWOW64\rfgffyh.exe"
27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2412

C:\Windows\SysWOW64\jerdwdt.exe
C:\Windows\system32\jerdwdt.exe 612 "C:\Windows\SysWOW64\bagynsi.exe"
28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2332

C:\Windows\SysWOW64\ddhgzba.exe
C:\Windows\system32\ddhgzba.exe 432 "C:\Windows\SysWOW64\jerdwdt.exe"
29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448

C:\Windows\SysWOW64\nnwqmeo.exe
C:\Windows\system32\nnwqmeo.exe 620 "C:\Windows\SysWOW64\ddhgzba.exe"
30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:800

C:\Windows\SysWOW64\uvkigtq.exe
C:\Windows\system32\uvkigtq.exe 624 "C:\Windows\SysWOW64\nnwqmeo.exe"
31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1828

C:\Windows\SysWOW64\hibymxx.exe
C:\Windows\system32\hibymxx.exe 636 "C:\Windows\SysWOW64\uvkigtq.exe"
32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2324

C:\Windows\SysWOW64\hppyhmg.exe
C:\Windows\system32\hppyhmg.exe 648 "C:\Windows\SysWOW64\hibymxx.exe"
33⤵
- Executes dropped EXE
PID:1500

C:\Windows\SysWOW64\rambuqm.exe
C:\Windows\system32\rambuqm.exe 628 "C:\Windows\SysWOW64\hppyhmg.exe"
34⤵
- Executes dropped EXE
PID:3032

C:\Windows\SysWOW64\bkcgzgo.exe
C:\Windows\system32\bkcgzgo.exe 632 "C:\Windows\SysWOW64\rambuqm.exe"
35⤵
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\lvrqujv.exe
C:\Windows\system32\lvrqujv.exe 640 "C:\Windows\SysWOW64\bkcgzgo.exe"
36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:380

C:\Windows\SysWOW64\scejgye.exe
C:\Windows\system32\scejgye.exe 644 "C:\Windows\SysWOW64\lvrqujv.exe"
37⤵
- Executes dropped EXE
PID:440

C:\Windows\SysWOW64\nbvljwl.exe
C:\Windows\system32\nbvljwl.exe 652 "C:\Windows\SysWOW64\scejgye.exe"
38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1580

C:\Windows\SysWOW64\ptmbbst.exe
C:\Windows\system32\ptmbbst.exe 660 "C:\Windows\SysWOW64\nbvljwl.exe"
39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1116

C:\Windows\SysWOW64\zontjmu.exe
C:\Windows\system32\zontjmu.exe 656 "C:\Windows\SysWOW64\ptmbbst.exe"
40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1120

C:\Windows\SysWOW64\knzrblb.exe
C:\Windows\system32\knzrblb.exe 668 "C:\Windows\SysWOW64\zontjmu.exe"
41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852

C:\Windows\SysWOW64\uqpbooi.exe
C:\Windows\system32\uqpbooi.exe 664 "C:\Windows\SysWOW64\knzrblb.exe"
42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972

C:\Windows\SysWOW64\gojexwn.exe
C:\Windows\system32\gojexwn.exe 672 "C:\Windows\SysWOW64\uqpbooi.exe"
43⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWOW64\rnobhvv.exe
C:\Windows\system32\rnobhvv.exe 680 "C:\Windows\SysWOW64\gojexwn.exe"
44⤵
- Executes dropped EXE
PID:2148

C:\Windows\SysWOW64\vesodbg.exe
C:\Windows\system32\vesodbg.exe 688 "C:\Windows\SysWOW64\rnobhvv.exe"
45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024

C:\Windows\SysWOW64\irkejff.exe
C:\Windows\system32\irkejff.exe 696 "C:\Windows\SysWOW64\vesodbg.exe"
46⤵
- Executes dropped EXE
PID:1728

C:\Windows\SysWOW64\nedmchk.exe
C:\Windows\system32\nedmchk.exe 692 "C:\Windows\SysWOW64\irkejff.exe"
47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2576

C:\Windows\SysWOW64\xswjaox.exe
C:\Windows\system32\xswjaox.exe 676 "C:\Windows\SysWOW64\nedmchk.exe"
48⤵
- Executes dropped EXE
PID:2128

C:\Windows\SysWOW64\hrihlne.exe
C:\Windows\system32\hrihlne.exe 704 "C:\Windows\SysWOW64\xswjaox.exe"
49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2376

C:\Windows\SysWOW64\rmjzshf.exe
C:\Windows\system32\rmjzshf.exe 684 "C:\Windows\SysWOW64\hrihlne.exe"
50⤵
- Executes dropped EXE
PID:2768

C:\Windows\SysWOW64\wruzmrs.exe
C:\Windows\system32\wruzmrs.exe 720 "C:\Windows\SysWOW64\rmjzshf.exe"
51⤵
- Executes dropped EXE
PID:856

C:\Windows\SysWOW64\hnvrtmt.exe
C:\Windows\system32\hnvrtmt.exe 700 "C:\Windows\SysWOW64\wruzmrs.exe"
52⤵
- Executes dropped EXE
PID:2084

C:\Windows\SysWOW64\rxlcopz.exe
C:\Windows\system32\rxlcopz.exe 708 "C:\Windows\SysWOW64\hnvrtmt.exe"
53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1944

C:\Windows\SysWOW64\aaimcsf.exe
C:\Windows\system32\aaimcsf.exe 712 "C:\Windows\SysWOW64\rxlcopz.exe"
54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200

C:\Windows\SysWOW64\iekrtdq.exe
C:\Windows\system32\iekrtdq.exe 732 "C:\Windows\SysWOW64\aaimcsf.exe"
55⤵
- Executes dropped EXE
PID:1900

C:\Windows\SysWOW64\sdwxdcq.exe
C:\Windows\system32\sdwxdcq.exe 728 "C:\Windows\SysWOW64\iekrtdq.exe"
56⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWOW64\dzphlwy.exe
C:\Windows\system32\dzphlwy.exe 436 "C:\Windows\SysWOW64\sdwxdcq.exe"
57⤵
- Executes dropped EXE
PID:1948

C:\Windows\SysWOW64\ngbfdvg.exe
C:\Windows\system32\ngbfdvg.exe 724 "C:\Windows\SysWOW64\dzphlwy.exe"
58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:528

C:\Windows\SysWOW64\uopfqkh.exe
C:\Windows\system32\uopfqkh.exe 744 "C:\Windows\SysWOW64\ngbfdvg.exe"
59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040

C:\Windows\SysWOW64\cvkxkar.exe
C:\Windows\system32\cvkxkar.exe 740 "C:\Windows\SysWOW64\uopfqkh.exe"
60⤵
- Executes dropped EXE
PID:324

C:\Windows\SysWOW64\muouuzy.exe
C:\Windows\system32\muouuzy.exe 736 "C:\Windows\SysWOW64\cvkxkar.exe"
61⤵
- Executes dropped EXE
PID:2816

C:\Windows\SysWOW64\ztrxdhe.exe
C:\Windows\system32\ztrxdhe.exe 748 "C:\Windows\SysWOW64\muouuzy.exe"
62⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWOW64\ivhhykk.exe
C:\Windows\system32\ivhhykk.exe 752 "C:\Windows\SysWOW64\ztrxdhe.exe"
63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1752

C:\Windows\SysWOW64\wiqxeoj.exe
C:\Windows\system32\wiqxeoj.exe 756 "C:\Windows\SysWOW64\ivhhykk.exe"
64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2172

C:\Windows\SysWOW64\gicuonr.exe
C:\Windows\system32\gicuonr.exe 764 "C:\Windows\SysWOW64\wiqxeoj.exe"
65⤵
- Executes dropped EXE
PID:3000

C:\Windows\SysWOW64\qpgszly.exe
C:\Windows\system32\qpgszly.exe 760 "C:\Windows\SysWOW64\gicuonr.exe"
66⤵
PID:2144

C:\Windows\SysWOW64\xanfwfg.exe
C:\Windows\system32\xanfwfg.exe 768 "C:\Windows\SysWOW64\qpgszly.exe"
67⤵
PID:2300

C:\Windows\SysWOW64\hzrcgeo.exe
C:\Windows\system32\hzrcgeo.exe 776 "C:\Windows\SysWOW64\xanfwfg.exe"
68⤵
PID:2876

C:\Windows\SysWOW64\xpdcnnk.exe
C:\Windows\system32\xpdcnnk.exe 784 "C:\Windows\SysWOW64\hzrcgeo.exe"
69⤵
- Drops file in System32 directory
PID:2436

C:\Windows\SysWOW64\kfffwwp.exe
C:\Windows\system32\kfffwwp.exe 772 "C:\Windows\SysWOW64\xpdcnnk.exe"
70⤵
PID:2404

C:\Windows\SysWOW64\uekdoux.exe
C:\Windows\system32\uekdoux.exe 780 "C:\Windows\SysWOW64\kfffwwp.exe"
71⤵
- Drops file in System32 directory
PID:2820

C:\Windows\SysWOW64\epznbxd.exe
C:\Windows\system32\epznbxd.exe 788 "C:\Windows\SysWOW64\uekdoux.exe"
72⤵
- Drops file in System32 directory
PID:2796

C:\Windows\SysWOW64\oolsmwl.exe
C:\Windows\system32\oolsmwl.exe 804 "C:\Windows\SysWOW64\epznbxd.exe"
73⤵
- Drops file in System32 directory
PID:2464

C:\Windows\SysWOW64\lxtncuq.exe
C:\Windows\system32\lxtncuq.exe 796 "C:\Windows\SysWOW64\oolsmwl.exe"
74⤵
PID:936

C:\Windows\SysWOW64\vajypxx.exe
C:\Windows\system32\vajypxx.exe 820 "C:\Windows\SysWOW64\lxtncuq.exe"
75⤵
- Drops file in System32 directory
PID:768

C:\Windows\SysWOW64\iydagfc.exe
C:\Windows\system32\iydagfc.exe 792 "C:\Windows\SysWOW64\vajypxx.exe"
76⤵
- Drops file in System32 directory
PID:1436

C:\Windows\SysWOW64\syqyqek.exe
C:\Windows\system32\syqyqek.exe 812 "C:\Windows\SysWOW64\iydagfc.exe"
77⤵
PID:1612

C:\Windows\SysWOW64\zfdqdtt.exe
C:\Windows\system32\zfdqdtt.exe 716 "C:\Windows\SysWOW64\syqyqek.exe"
78⤵
PID:1344

C:\Windows\SysWOW64\kepnvst.exe
C:\Windows\system32\kepnvst.exe 808 "C:\Windows\SysWOW64\zfdqdtt.exe"
79⤵
- Drops file in System32 directory
PID:1680

C:\Windows\SysWOW64\uaigdmc.exe
C:\Windows\system32\uaigdmc.exe 816 "C:\Windows\SysWOW64\kepnvst.exe"
80⤵
- Drops file in System32 directory
PID:2672

C:\Windows\SysWOW64\ewjqkhc.exe
C:\Windows\system32\ewjqkhc.exe 824 "C:\Windows\SysWOW64\uaigdmc.exe"
81⤵
PID:1044

C:\Windows\SysWOW64\okkoioq.exe
C:\Windows\system32\okkoioq.exe 828 "C:\Windows\SysWOW64\ewjqkhc.exe"
82⤵
- Drops file in System32 directory
PID:844

C:\Windows\SysWOW64\woutszs.exe
C:\Windows\system32\woutszs.exe 836 "C:\Windows\SysWOW64\okkoioq.exe"
83⤵
PID:1932

C:\Windows\SysWOW64\gnyykya.exe
C:\Windows\system32\gnyykya.exe 832 "C:\Windows\SysWOW64\woutszs.exe"
84⤵
PID:2100

C:\Windows\SysWOW64\tapoqcz.exe
C:\Windows\system32\tapoqcz.exe 848 "C:\Windows\SysWOW64\gnyykya.exe"
85⤵
PID:2760

C:\Windows\SysWOW64\dzulabg.exe
C:\Windows\system32\dzulabg.exe 840 "C:\Windows\SysWOW64\tapoqcz.exe"
86⤵
PID:2904

C:\Windows\SysWOW64\nnujyil.exe
C:\Windows\system32\nnujyil.exe 844 "C:\Windows\SysWOW64\dzulabg.exe"
87⤵
- Drops file in System32 directory
PID:2196

C:\Windows\SysWOW64\xjvtgdu.exe
C:\Windows\system32\xjvtgdu.exe 856 "C:\Windows\SysWOW64\nnujyil.exe"
88⤵
- Drops file in System32 directory
PID:2460

C:\Windows\SysWOW64\hizqqcb.exe
C:\Windows\system32\hizqqcb.exe 852 "C:\Windows\SysWOW64\xjvtgdu.exe"
89⤵
PID:2344

C:\Windows\SysWOW64\rspbmfi.exe
C:\Windows\system32\rspbmfi.exe 860 "C:\Windows\SysWOW64\hizqqcb.exe"
90⤵
PID:584

C:\Windows\SysWOW64\copltzj.exe
C:\Windows\system32\copltzj.exe 876 "C:\Windows\SysWOW64\rspbmfi.exe"
91⤵
- Drops file in System32 directory
PID:1764

C:\Windows\SysWOW64\lrfwgup.exe
C:\Windows\system32\lrfwgup.exe 864 "C:\Windows\SysWOW64\copltzj.exe"
92⤵
PID:956

C:\Windows\SysWOW64\ypiypcu.exe
C:\Windows\system32\ypiypcu.exe 868 "C:\Windows\SysWOW64\lrfwgup.exe"
93⤵
- Drops file in System32 directory
PID:2060

C:\Windows\SysWOW64\mcrovgt.exe
C:\Windows\system32\mcrovgt.exe 872 "C:\Windows\SysWOW64\ypiypcu.exe"
94⤵
PID:836

C:\Windows\SysWOW64\tnqbsaj.exe
C:\Windows\system32\tnqbsaj.exe 884 "C:\Windows\SysWOW64\mcrovgt.exe"
95⤵
PID:952

C:\Windows\SysWOW64\djrmzuk.exe
C:\Windows\system32\djrmzuk.exe 616 "C:\Windows\SysWOW64\tnqbsaj.exe"
96⤵
PID:2208

C:\Windows\SysWOW64\kuprwot.exe
C:\Windows\system32\kuprwot.exe 896 "C:\Windows\SysWOW64\djrmzuk.exe"
97⤵
PID:1440

C:\Windows\SysWOW64\ubcohna.exe
C:\Windows\system32\ubcohna.exe 892 "C:\Windows\SysWOW64\kuprwot.exe"
98⤵
- Drops file in System32 directory
PID:1040

C:\Windows\SysWOW64\eagmzmi.exe
C:\Windows\system32\eagmzmi.exe 888 "C:\Windows\SysWOW64\ubcohna.exe"
99⤵
PID:976

C:\Windows\SysWOW64\meqzjfk.exe
C:\Windows\system32\meqzjfk.exe 900 "C:\Windows\SysWOW64\eagmzmi.exe"
100⤵
PID:1276

C:\Windows\SysWOW64\xarrqzl.exe
C:\Windows\system32\xarrqzl.exe 904 "C:\Windows\SysWOW64\meqzjfk.exe"
101⤵
- Drops file in System32 directory
PID:2116

C:\Windows\SysWOW64\gdguluz.exe
C:\Windows\system32\gdguluz.exe 908 "C:\Windows\SysWOW64\xarrqzl.exe"
102⤵
PID:1732

C:\Windows\SysWOW64\uqyrryy.exe
C:\Windows\system32\uqyrryy.exe 912 "C:\Windows\SysWOW64\gdguluz.exe"
103⤵
PID:1096

C:\Windows\SysWOW64\excpcxg.exe
C:\Windows\system32\excpcxg.exe 916 "C:\Windows\SysWOW64\uqyrryy.exe"
104⤵
- Drops file in System32 directory
PID:2176

C:\Windows\SysWOW64\iqkpbpq.exe
C:\Windows\system32\iqkpbpq.exe 488 "C:\Windows\SysWOW64\excpcxg.exe"
105⤵
- Drops file in System32 directory
PID:2604

C:\Windows\SysWOW64\qvucsbt.exe
C:\Windows\system32\qvucsbt.exe 480 "C:\Windows\SysWOW64\iqkpbpq.exe"
106⤵
- Drops file in System32 directory
PID:2612

C:\Windows\SysWOW64\fdfczkw.exe
C:\Windows\system32\fdfczkw.exe 504 "C:\Windows\SysWOW64\qvucsbt.exe"
107⤵
- Drops file in System32 directory
PID:2424

C:\Windows\SysWOW64\fvoutfg.exe
C:\Windows\system32\fvoutfg.exe 440 "C:\Windows\SysWOW64\fdfczkw.exe"
108⤵
- Drops file in System32 directory
PID:1724

C:\Windows\SysWOW64\uolpctj.exe
C:\Windows\system32\uolpctj.exe 496 "C:\Windows\SysWOW64\fvoutfg.exe"
109⤵
- Drops file in System32 directory
PID:2252

C:\Windows\SysWOW64\mhorkly.exe
C:\Windows\system32\mhorkly.exe 444 "C:\Windows\SysWOW64\uolpctj.exe"
110⤵
PID:1488

C:\Windows\SysWOW64\esbkkiz.exe
C:\Windows\system32\esbkkiz.exe 520 "C:\Windows\SysWOW64\mhorkly.exe"
111⤵
- Drops file in System32 directory
PID:2320

C:\Windows\SysWOW64\wvqulsj.exe
C:\Windows\system32\wvqulsj.exe 448 "C:\Windows\SysWOW64\esbkkiz.exe"
112⤵
- Drops file in System32 directory
PID:948

C:\Windows\SysWOW64\ipwkxfv.exe
C:\Windows\system32\ipwkxfv.exe 540 "C:\Windows\SysWOW64\wvqulsj.exe"
113⤵
- Drops file in System32 directory
PID:2988

C:\Windows\SysWOW64\udkulxx.exe
C:\Windows\system32\udkulxx.exe 456 "C:\Windows\SysWOW64\ipwkxfv.exe"
114⤵
PID:1620

C:\Windows\SysWOW64\adonmxo.exe
C:\Windows\system32\adonmxo.exe 608 "C:\Windows\SysWOW64\udkulxx.exe"
115⤵
PID:1516

C:\Windows\SysWOW64\vluibzc.exe
C:\Windows\system32\vluibzc.exe 468 "C:\Windows\SysWOW64\adonmxo.exe"
116⤵
PID:2052

C:\Windows\SysWOW64\qvyghfa.exe
C:\Windows\system32\qvyghfa.exe 880 "C:\Windows\SysWOW64\vluibzc.exe"
117⤵
PID:2732

C:\Windows\SysWOW64\frfvfax.exe
C:\Windows\system32\frfvfax.exe 472 "C:\Windows\SysWOW64\qvyghfa.exe"
118⤵
PID:1688

C:\Windows\SysWOW64\xovbpce.exe
C:\Windows\system32\xovbpce.exe 924 "C:\Windows\SysWOW64\frfvfax.exe"
119⤵
PID:612

C:\Windows\SysWOW64\fjtlkhz.exe
C:\Windows\system32\fjtlkhz.exe 484 "C:\Windows\SysWOW64\xovbpce.exe"
120⤵
PID:3012

C:\Windows\SysWOW64\hewofag.exe
C:\Windows\system32\hewofag.exe 932 "C:\Windows\SysWOW64\fjtlkhz.exe"
121⤵
PID:2784

C:\Windows\SysWOW64\unzjiuv.exe
C:\Windows\system32\unzjiuv.exe 508 "C:\Windows\SysWOW64\hewofag.exe"
122⤵
PID:2268

C:\Windows\SysWOW64\kjuhmwk.exe
C:\Windows\system32\kjuhmwk.exe 940 "C:\Windows\SysWOW64\unzjiuv.exe"
123⤵
PID:2552

C:\Windows\SysWOW64\bnijngd.exe
C:\Windows\system32\bnijngd.exe 536 "C:\Windows\SysWOW64\kjuhmwk.exe"
124⤵
PID:1316

C:\Windows\SysWOW64\tbhpyhc.exe
C:\Windows\system32\tbhpyhc.exe 948 "C:\Windows\SysWOW64\bnijngd.exe"
125⤵
PID:1652

C:\Windows\SysWOW64\dpjrion.exe
C:\Windows\system32\dpjrion.exe 596 "C:\Windows\SysWOW64\tbhpyhc.exe"
126⤵
PID:2232

C:\Windows\SysWOW64\yqpxqkt.exe
C:\Windows\system32\yqpxqkt.exe 956 "C:\Windows\SysWOW64\dpjrion.exe"
127⤵
PID:2448

C:\Windows\SysWOW64\qqbupqw.exe
C:\Windows\system32\qqbupqw.exe 800 "C:\Windows\SysWOW64\yqpxqkt.exe"
128⤵
PID:1668

C:\Windows\SysWOW64\dshkbcj.exe
C:\Windows\system32\dshkbcj.exe 920 "C:\Windows\SysWOW64\qqbupqw.exe"
129⤵
PID:1768

C:\Windows\SysWOW64\ujqkuyl.exe
C:\Windows\system32\ujqkuyl.exe 1020 "C:\Windows\SysWOW64\dshkbcj.exe"
130⤵
PID:1696

C:\Windows\SysWOW64\pqrdhbp.exe
C:\Windows\system32\pqrdhbp.exe 968 "C:\Windows\SysWOW64\ujqkuyl.exe"
131⤵
PID:632

C:\Windows\SysWOW64\bwzgjze.exe
C:\Windows\system32\bwzgjze.exe 928 "C:\Windows\SysWOW64\pqrdhbp.exe"
132⤵
PID:476

C:\Windows\SysWOW64\rbhtnmb.exe
C:\Windows\system32\rbhtnmb.exe 976 "C:\Windows\SysWOW64\bwzgjze.exe"
133⤵
PID:904

C:\Windows\SysWOW64\qftykdk.exe
C:\Windows\system32\qftykdk.exe 936 "C:\Windows\SysWOW64\rbhtnmb.exe"
134⤵
PID:3052

C:\Windows\SysWOW64\ymprwtt.exe
C:\Windows\system32\ymprwtt.exe 1004 "C:\Windows\SysWOW64\qftykdk.exe"
135⤵
PID:1180

C:\Windows\SysWOW64\htrmauo.exe
C:\Windows\system32\htrmauo.exe 944 "C:\Windows\SysWOW64\ymprwtt.exe"
136⤵
PID:2240

C:\Windows\SysWOW64\uvxtmzs.exe
C:\Windows\system32\uvxtmzs.exe 988 "C:\Windows\SysWOW64\htrmauo.exe"
137⤵
PID:3024

C:\Windows\SysWOW64\erymbtb.exe
C:\Windows\system32\erymbtb.exe 992 "C:\Windows\SysWOW64\uvxtmzs.exe"
138⤵
PID:2776

C:\Windows\SysWOW64\mnizlmd.exe
C:\Windows\system32\mnizlmd.exe 1008 "C:\Windows\SysWOW64\erymbtb.exe"
139⤵
PID:2620

C:\Windows\SysWOW64\bgfmuag.exe
C:\Windows\system32\bgfmuag.exe 1064 "C:\Windows\SysWOW64\mnizlmd.exe"
140⤵
PID:2484

C:\Windows\SysWOW64\ganmtly.exe
C:\Windows\system32\ganmtly.exe 996 "C:\Windows\SysWOW64\bgfmuag.exe"
141⤵
PID:1884

C:\Windows\SysWOW64\qwoebfz.exe
C:\Windows\system32\qwoebfz.exe 1072 "C:\Windows\SysWOW64\ganmtly.exe"
142⤵
PID:2124

C:\Windows\SysWOW64\akqhkuj.exe
C:\Windows\system32\akqhkuj.exe 1076 "C:\Windows\SysWOW64\qwoebfz.exe"
143⤵
PID:1544

C:\Windows\SysWOW64\cjwxizx.exe
C:\Windows\system32\cjwxizx.exe 1080 "C:\Windows\SysWOW64\akqhkuj.exe"
144⤵
PID:912

C:\Windows\SysWOW64\miiutye.exe
C:\Windows\system32\miiutye.exe 1000 "C:\Windows\SysWOW64\cjwxizx.exe"
145⤵
PID:1152

C:\Windows\SysWOW64\zdakyud.exe
C:\Windows\system32\zdakyud.exe 1088 "C:\Windows\SysWOW64\miiutye.exe"
146⤵
PID:1508

C:\Windows\SysWOW64\goypvnm.exe
C:\Windows\system32\goypvnm.exe 1100 "C:\Windows\SysWOW64\zdakyud.exe"
147⤵
PID:2872

C:\Windows\SysWOW64\qncmgmt.exe
C:\Windows\system32\qncmgmt.exe 1096 "C:\Windows\SysWOW64\goypvnm.exe"
148⤵
PID:2516

C:\Windows\SysWOW64\bjdfvhu.exe
C:\Windows\system32\bjdfvhu.exe 1108 "C:\Windows\SysWOW64\qncmgmt.exe"
149⤵
PID:1684

C:\Windows\SysWOW64\lttpjki.exe
C:\Windows\system32\lttpjki.exe 1092 "C:\Windows\SysWOW64\bjdfvhu.exe"
150⤵
PID:1720

C:\Windows\SysWOW64\yknsrsg.exe
C:\Windows\system32\yknsrsg.exe 1104 "C:\Windows\SysWOW64\lttpjki.exe"
151⤵
PID:2560

C:\Windows\SysWOW64\ijapcrn.exe
C:\Windows\system32\ijapcrn.exe 1112 "C:\Windows\SysWOW64\yknsrsg.exe"
152⤵
PID:572

C:\Windows\SysWOW64\stpaxuu.exe
C:\Windows\system32\stpaxuu.exe 1116 "C:\Windows\SysWOW64\ijapcrn.exe"
153⤵
PID:2696

C:\Windows\SysWOW64\fghpdya.exe
C:\Windows\system32\fghpdya.exe 1124 "C:\Windows\SysWOW64\stpaxuu.exe"
154⤵
PID:1972

C:\Windows\SysWOW64\sxbslyy.exe
C:\Windows\system32\sxbslyy.exe 1120 "C:\Windows\SysWOW64\fghpdya.exe"
155⤵
PID:2156

C:\Windows\SysWOW64\chrcybm.exe
C:\Windows\system32\chrcybm.exe 1140 "C:\Windows\SysWOW64\sxbslyy.exe"
156⤵
PID:1556

C:\Windows\SysWOW64\lkgnues.exe
C:\Windows\system32\lkgnues.exe 1136 "C:\Windows\SysWOW64\chrcybm.exe"
157⤵
PID:2940

C:\Windows\SysWOW64\wrskeda.exe
C:\Windows\system32\wrskeda.exe 1132 "C:\Windows\SysWOW64\lkgnues.exe"
158⤵
PID:1912

C:\Windows\SysWOW64\jecakhz.exe
C:\Windows\system32\jecakhz.exe 1128 "C:\Windows\SysWOW64\wrskeda.exe"
159⤵
PID:592

C:\Windows\SysWOW64\thrkfkf.exe
C:\Windows\system32\thrkfkf.exe 1152 "C:\Windows\SysWOW64\jecakhz.exe"
160⤵
PID:2440

C:\Windows\SysWOW64\dgdiqjn.exe
C:\Windows\system32\dgdiqjn.exe 1148 "C:\Windows\SysWOW64\thrkfkf.exe"
161⤵
PID:2120

C:\Windows\SysWOW64\qbnxvel.exe
C:\Windows\system32\qbnxvel.exe 1144 "C:\Windows\SysWOW64\dgdiqjn.exe"
162⤵
PID:2976

C:\Windows\SysWOW64\uvdfuxe.exe
C:\Windows\system32\uvdfuxe.exe 1160 "C:\Windows\SysWOW64\qbnxvel.exe"
163⤵
PID:1664

C:\Windows\SysWOW64\fqeqcre.exe
C:\Windows\system32\fqeqcre.exe 1180 "C:\Windows\SysWOW64\uvdfuxe.exe"
164⤵
PID:872

C:\Windows\SysWOW64\ppinmqm.exe
C:\Windows\system32\ppinmqm.exe 1168 "C:\Windows\SysWOW64\fqeqcre.exe"
165⤵
PID:2812

C:\Windows\SysWOW64\urqidnk.exe
C:\Windows\system32\urqidnk.exe 1156 "C:\Windows\SysWOW64\ppinmqm.exe"
166⤵
PID:1552

C:\Windows\SysWOW64\bkpnapa.exe
C:\Windows\system32\bkpnapa.exe 1172 "C:\Windows\SysWOW64\urqidnk.exe"
167⤵
PID:1660

C:\Windows\SysWOW64\djbtkoi.exe
C:\Windows\system32\djbtkoi.exe 1176 "C:\Windows\SysWOW64\bkpnapa.exe"
168⤵
PID:2328

C:\Windows\SysWOW64\lkalzve.exe
C:\Windows\system32\lkalzve.exe 1200 "C:\Windows\SysWOW64\djbtkoi.exe"
169⤵
PID:108

C:\Windows\SysWOW64\svyyoou.exe
C:\Windows\system32\svyyoou.exe 1164 "C:\Windows\SysWOW64\lkalzve.exe"
170⤵
PID:2968

C:\Windows\SysWOW64\culvgnc.exe
C:\Windows\system32\culvgnc.exe 1184 "C:\Windows\SysWOW64\svyyoou.exe"
171⤵
PID:1784

C:\Windows\SysWOW64\npdgoic.exe
C:\Windows\system32\npdgoic.exe 1188 "C:\Windows\SysWOW64\culvgnc.exe"
172⤵
PID:1776

C:\Windows\SysWOW64\xpqdygk.exe
C:\Windows\system32\xpqdygk.exe 1192 "C:\Windows\SysWOW64\npdgoic.exe"
173⤵
PID:2740

C:\Windows\SysWOW64\eioivas.exe
C:\Windows\system32\eioivas.exe 1196 "C:\Windows\SysWOW64\xpqdygk.exe"
174⤵
PID:1760

C:\Windows\SysWOW64\rvggber.exe
C:\Windows\system32\rvggber.exe 1204 "C:\Windows\SysWOW64\eioivas.exe"
175⤵
PID:1820

C:\Windows\SysWOW64\tumozje.exe
C:\Windows\system32\tumozje.exe 1208 "C:\Windows\SysWOW64\rvggber.exe"
176⤵
PID:2744

C:\Windows\SysWOW64\bqwbquh.exe
C:\Windows\system32\bqwbquh.exe 980 "C:\Windows\SysWOW64\tumozje.exe"
177⤵
PID:896

C:\Windows\SysWOW64\lxiybtp.exe
C:\Windows\system32\lxiybtp.exe 1216 "C:\Windows\SysWOW64\bqwbquh.exe"
178⤵
PID:1672

C:\Windows\SysWOW64\yroomft.exe
C:\Windows\system32\yroomft.exe 1220 "C:\Windows\SysWOW64\lxiybtp.exe"
179⤵
PID:1716

C:\Windows\SysWOW64\nhawtpx.exe
C:\Windows\system32\nhawtpx.exe 1032 "C:\Windows\SysWOW64\yroomft.exe"
180⤵
PID:2980

C:\Windows\SysWOW64\xgetdne.exe
C:\Windows\system32\xgetdne.exe 1016 "C:\Windows\SysWOW64\nhawtpx.exe"
181⤵
PID:1284

C:\Windows\SysWOW64\ifqrwmm.exe
C:\Windows\system32\ifqrwmm.exe 1028 "C:\Windows\SysWOW64\xgetdne.exe"
182⤵
PID:2236

C:\Windows\SysWOW64\hugwnvp.exe
C:\Windows\system32\hugwnvp.exe 952 "C:\Windows\SysWOW64\ifqrwmm.exe"
183⤵
PID:1928

C:\Windows\SysWOW64\uzxrbla.exe
C:\Windows\system32\uzxrbla.exe 1040 "C:\Windows\SysWOW64\hugwnvp.exe"
184⤵
PID:1496

C:\Windows\SysWOW64\bwiwmjm.exe
C:\Windows\system32\bwiwmjm.exe 1044 "C:\Windows\SysWOW64\uzxrbla.exe"
185⤵
PID:2756

C:\Windows\SysWOW64\ymqhadb.exe
C:\Windows\system32\ymqhadb.exe 1056 "C:\Windows\SysWOW64\bwiwmjm.exe"
186⤵
PID:2364

C:\Windows\SysWOW64\cvvmydx.exe
C:\Windows\system32\cvvmydx.exe 1048 "C:\Windows\SysWOW64\ymqhadb.exe"
187⤵
PID:1808

C:\Windows\SysWOW64\eulphqq.exe
C:\Windows\system32\eulphqq.exe 960 "C:\Windows\SysWOW64\cvvmydx.exe"
188⤵
PID:1536

C:\Windows\SysWOW64\luhzvsb.exe
C:\Windows\system32\luhzvsb.exe 964 "C:\Windows\SysWOW64\eulphqq.exe"
189⤵
PID:1136

C:\Windows\SysWOW64\qhahgco.exe
C:\Windows\system32\qhahgco.exe 1264 "C:\Windows\SysWOW64\luhzvsb.exe"
190⤵
PID:1572

C:\Windows\SysWOW64\ajqkcfu.exe
C:\Windows\system32\ajqkcfu.exe 1212 "C:\Windows\SysWOW64\qhahgco.exe"
191⤵
PID:1956

C:\Windows\SysWOW64\bxbfrsl.exe
C:\Windows\system32\bxbfrsl.exe 1224 "C:\Windows\SysWOW64\ajqkcfu.exe"
192⤵
PID:1796

C:\Windows\SysWOW64\jjbxzlz.exe
C:\Windows\system32\jjbxzlz.exe 1228 "C:\Windows\SysWOW64\bxbfrsl.exe"
193⤵
PID:2700

C:\Windows\SysWOW64\xcuvpju.exe
C:\Windows\system32\xcuvpju.exe 1068 "C:\Windows\SysWOW64\jjbxzlz.exe"
194⤵
PID:1908

C:\Windows\SysWOW64\ecrfdto.exe
C:\Windows\system32\ecrfdto.exe 1236 "C:\Windows\SysWOW64\xcuvpju.exe"
195⤵
PID:2932

C:\Windows\SysWOW64\mvqymmc.exe
C:\Windows\system32\mvqymmc.exe 1248 "C:\Windows\SysWOW64\ecrfdto.exe"
196⤵
PID:1924

C:\Windows\SysWOW64\nnnyeez.exe
C:\Windows\system32\nnnyeez.exe 1240 "C:\Windows\SysWOW64\mvqymmc.exe"
197⤵
PID:2388

C:\Windows\SysWOW64\uvbqybb.exe
C:\Windows\system32\uvbqybb.exe 1084 "C:\Windows\SysWOW64\nnnyeez.exe"
198⤵
PID:2032

C:\Windows\SysWOW64\kkmyfle.exe
C:\Windows\system32\kkmyfle.exe 1252 "C:\Windows\SysWOW64\uvbqybb.exe"
199⤵
PID:884

C:\Windows\SysWOW64\kdvqzxo.exe
C:\Windows\system32\kdvqzxo.exe 972 "C:\Windows\SysWOW64\kkmyfle.exe"
200⤵
PID:1712

C:\Windows\SysWOW64\zwsdjtq.exe
C:\Windows\system32\zwsdjtq.exe 1244 "C:\Windows\SysWOW64\kdvqzxo.exe"
201⤵
PID:2692

C:\Windows\SysWOW64\lywifbq.exe
C:\Windows\system32\lywifbq.exe 1268 "C:\Windows\SysWOW64\zwsdjtq.exe"
202⤵
PID:944

C:\Windows\SysWOW64\mejwwaq.exe
C:\Windows\system32\mejwwaq.exe 1272 "C:\Windows\SysWOW64\lywifbq.exe"
203⤵
PID:2564

C:\Windows\SysWOW64\bjhluwm.exe
C:\Windows\system32\bjhluwm.exe 1052 "C:\Windows\SysWOW64\mejwwaq.exe"
204⤵
PID:2408

C:\Windows\SysWOW64\iybbzor.exe
C:\Windows\system32\iybbzor.exe 1288 "C:\Windows\SysWOW64\bjhluwm.exe"
205⤵
PID:2420

C:\Windows\SysWOW64\fnibavw.exe
C:\Windows\system32\fnibavw.exe 984 "C:\Windows\SysWOW64\iybbzor.exe"
206⤵
PID:2056

C:\Windows\SysWOW64\gunpkvw.exe
C:\Windows\system32\gunpkvw.exe 1284 "C:\Windows\SysWOW64\fnibavw.exe"
207⤵
PID:2936

C:\Windows\SysWOW64\asmugfv.exe
C:\Windows\system32\asmugfv.exe 1292 "C:\Windows\SysWOW64\gunpkvw.exe"
208⤵
PID:596

C:\Windows\SysWOW64\gptkgnb.exe
C:\Windows\system32\gptkgnb.exe 1304 "C:\Windows\SysWOW64\asmugfv.exe"
209⤵
PID:2212

C:\Windows\SysWOW64\umbsyuh.exe
C:\Windows\system32\umbsyuh.exe 1276 "C:\Windows\SysWOW64\gptkgnb.exe"
210⤵
PID:3060

C:\Windows\SysWOW64\epqctyo.exe
C:\Windows\system32\epqctyo.exe 1012 "C:\Windows\SysWOW64\umbsyuh.exe"
211⤵
PID:2192

C:\Windows\SysWOW64\utqxxll.exe
C:\Windows\system32\utqxxll.exe 1260 "C:\Windows\SysWOW64\epqctyo.exe"
212⤵
PID:2008

C:\Windows\SysWOW64\bbnidne.exe
C:\Windows\system32\bbnidne.exe 1312 "C:\Windows\SysWOW64\utqxxll.exe"
213⤵
PID:2044

C:\Windows\SysWOW64\clkideb.exe
C:\Windows\system32\clkideb.exe 1316 "C:\Windows\SysWOW64\bbnidne.exe"
214⤵
PID:2844

C:\Windows\SysWOW64\khvnoko.exe
C:\Windows\system32\khvnoko.exe 1320 "C:\Windows\SysWOW64\clkideb.exe"
215⤵
PID:2352

C:\Windows\SysWOW64\msnnbtg.exe
C:\Windows\system32\msnnbtg.exe 1332 "C:\Windows\SysWOW64\khvnoko.exe"
216⤵
PID:2316

C:\Windows\SysWOW64\nyziqge.exe
C:\Windows\system32\nyziqge.exe 1300 "C:\Windows\SysWOW64\msnnbtg.exe"
217⤵
PID:2676

C:\Windows\SysWOW64\xxdgaee.exe
C:\Windows\system32\xxdgaee.exe 1376 "C:\Windows\SysWOW64\nyziqge.exe"
218⤵
PID:2392

C:\Windows\SysWOW64\fbntsxp.exe
C:\Windows\system32\fbntsxp.exe 1380 "C:\Windows\SysWOW64\xxdgaee.exe"
219⤵
PID:1628

C:\Windows\SysWOW64\pirqcwo.exe
C:\Windows\system32\pirqcwo.exe 1384 "C:\Windows\SysWOW64\fbntsxp.exe"
220⤵
PID:752

C:\Windows\SysWOW64\zlpbxrd.exe
C:\Windows\system32\zlpbxrd.exe 1388 "C:\Windows\SysWOW64\pirqcwo.exe"
221⤵
PID:1100

C:\Windows\SysWOW64\exaiibh.exe
C:\Windows\system32\exaiibh.exe 1392 "C:\Windows\SysWOW64\zlpbxrd.exe"
222⤵
PID:1744

C:\Windows\SysWOW64\otbtyvi.exe
C:\Windows\system32\otbtyvi.exe 1396 "C:\Windows\SysWOW64\exaiibh.exe"
223⤵
PID:2596

C:\Windows\SysWOW64\bjewheo.exe
C:\Windows\system32\bjewheo.exe 1400 "C:\Windows\SysWOW64\otbtyvi.exe"
224⤵
PID:2244

C:\Windows\SysWOW64\ljitrcv.exe
C:\Windows\system32\ljitrcv.exe 1404 "C:\Windows\SysWOW64\bjewheo.exe"
225⤵
PID:1128

C:\Windows\SysWOW64\yhdwadb.exe
C:\Windows\system32\yhdwadb.exe 1408 "C:\Windows\SysWOW64\ljitrcv.exe"
226⤵
PID:2536

C:\Windows\SysWOW64\iksgvgh.exe
C:\Windows\system32\iksgvgh.exe 1412 "C:\Windows\SysWOW64\yhdwadb.exe"
227⤵
PID:2380

C:\Windows\SysWOW64\tftycai.exe
C:\Windows\system32\tftycai.exe 1416 "C:\Windows\SysWOW64\iksgvgh.exe"
228⤵
PID:2548

C:\Windows\SysWOW64\cqijqdo.exe
C:\Windows\system32\cqijqdo.exe 1428 "C:\Windows\SysWOW64\tftycai.exe"
229⤵
PID:2428

C:\Windows\SysWOW64\msytlgc.exe
C:\Windows\system32\msytlgc.exe 1420 "C:\Windows\SysWOW64\cqijqdo.exe"
230⤵
PID:2112

C:\Windows\SysWOW64\zfpjrkb.exe
C:\Windows\system32\zfpjrkb.exe 1424 "C:\Windows\SysWOW64\msytlgc.exe"
231⤵
PID:2648

C:\Windows\SysWOW64\jqftenh.exe
C:\Windows\system32\jqftenh.exe 1432 "C:\Windows\SysWOW64\zfpjrkb.exe"
232⤵
PID:932

C:\Windows\SysWOW64\oslbpsm.exe
C:\Windows\system32\oslbpsm.exe 1436 "C:\Windows\SysWOW64\jqftenh.exe"
233⤵
PID:1240

C:\Windows\SysWOW64\yrxyirt.exe
C:\Windows\system32\yrxyirt.exe 1440 "C:\Windows\SysWOW64\oslbpsm.exe"
234⤵
PID:1996

C:\Windows\SysWOW64\lisbqzz.exe
C:\Windows\system32\lisbqzz.exe 1452 "C:\Windows\SysWOW64\yrxyirt.exe"
235⤵
PID:2444

C:\Windows\SysWOW64\yvjzwdy.exe
C:\Windows\system32\yvjzwdy.exe 1444 "C:\Windows\SysWOW64\lisbqzz.exe"
236⤵
PID:2664

C:\Windows\SysWOW64\icnwhbf.exe
C:\Windows\system32\icnwhbf.exe 1460 "C:\Windows\SysWOW64\yvjzwdy.exe"
237⤵
PID:2500

C:\Windows\SysWOW64\tbruzan.exe
C:\Windows\system32\tbruzan.exe 1448 "C:\Windows\SysWOW64\icnwhbf.exe"
238⤵
PID:1112

C:\Windows\SysWOW64\cpsrpas.exe
C:\Windows\system32\cpsrpas.exe 1456 "C:\Windows\SysWOW64\tbruzan.exe"
239⤵
PID:1280

C:\Windows\SysWOW64\pckhvez.exe
C:\Windows\system32\pckhvez.exe 1464 "C:\Windows\SysWOW64\cpsrpas.exe"
240⤵
PID:2572

C:\Windows\SysWOW64\zfzrihf.exe
C:\Windows\system32\zfzrihf.exe 1468 "C:\Windows\SysWOW64\pckhvez.exe"
241⤵
PID:1156

C:\Windows\SysWOW64\jelpafm.exe
C:\Windows\system32\jelpafm.exe 1472 "C:\Windows\SysWOW64\zfzrihf.exe"
242⤵
PID:1308

C:\Windows\SysWOW64\wcgrjok.exe
C:\Windows\system32\wcgrjok.exe 1484 "C:\Windows\SysWOW64\jelpafm.exe"
243⤵
PID:1512

C:\Windows\SysWOW64\gfvcwry.exe
C:\Windows\system32\gfvcwry.exe 1476 "C:\Windows\SysWOW64\wcgrjok.exe"
244⤵
PID:2336

C:\Windows\SysWOW64\tdqefrw.exe
C:\Windows\system32\tdqefrw.exe 1328 "C:\Windows\SysWOW64\gfvcwry.exe"
245⤵
PID:2688

C:\Windows\SysWOW64\bllwzgf.exe
C:\Windows\system32\bllwzgf.exe 1308 "C:\Windows\SysWOW64\tdqefrw.exe"
246⤵
PID:1708

C:\Windows\SysWOW64\qpmrdtc.exe
C:\Windows\system32\qpmrdtc.exe 1340 "C:\Windows\SysWOW64\bllwzgf.exe"
247⤵
PID:2468

C:\Windows\SysWOW64\kznzbvq.exe
C:\Windows\system32\kznzbvq.exe 1036 "C:\Windows\SysWOW64\qpmrdtc.exe"
248⤵
PID:2644

C:\Windows\SysWOW64\fbrxhuw.exe
C:\Windows\system32\fbrxhuw.exe 1060 "C:\Windows\SysWOW64\kznzbvq.exe"
249⤵
PID:1464

C:\Windows\SysWOW64\ahisksd.exe
C:\Windows\system32\ahisksd.exe 1232 "C:\Windows\SysWOW64\fbrxhuw.exe"
250⤵
PID:2508

C:\Windows\SysWOW64\rzkkpxj.exe
C:\Windows\system32\rzkkpxj.exe 1348 "C:\Windows\SysWOW64\ahisksd.exe"
251⤵
PID:1604

C:\Windows\SysWOW64\euqkcxy.exe
C:\Windows\system32\euqkcxy.exe 1256 "C:\Windows\SysWOW64\rzkkpxj.exe"
252⤵
PID:764

C:\Windows\SysWOW64\uyzfykc.exe
C:\Windows\system32\uyzfykc.exe 1356 "C:\Windows\SysWOW64\euqkcxy.exe"
253⤵
PID:2728

C:\Windows\SysWOW64\gwrspfp.exe
C:\Windows\system32\gwrspfp.exe 1280 "C:\Windows\SysWOW64\uyzfykc.exe"
254⤵
PID:928

C:\Windows\SysWOW64\vmcavxt.exe
C:\Windows\system32\vmcavxt.exe 1364 "C:\Windows\SysWOW64\gwrspfp.exe"
255⤵
PID:2680

C:\Windows\SysWOW64\ivgnysi.exe
C:\Windows\system32\ivgnysi.exe 1296 "C:\Windows\SysWOW64\vmcavxt.exe"
256⤵
PID:2248

C:\Windows\SysWOW64\wwashba.exe
C:\Windows\system32\wwashba.exe 1372 "C:\Windows\SysWOW64\ivgnysi.exe"
257⤵
PID:2580

C:\Windows\SysWOW64\jbtaprj.exe
C:\Windows\system32\jbtaprj.exe 1324 "C:\Windows\SysWOW64\wwashba.exe"
258⤵
PID:2892

C:\Windows\SysWOW64\wsndyzo.exe
C:\Windows\system32\wsndyzo.exe 1488 "C:\Windows\SysWOW64\jbtaprj.exe"
259⤵
PID:2136

C:\Windows\SysWOW64\fvmyfpf.exe
C:\Windows\system32\fvmyfpf.exe 1336 "C:\Windows\SysWOW64\wsndyzo.exe"
260⤵
PID:2400

C:\Windows\SysWOW64\slgaoxk.exe
C:\Windows\system32\slgaoxk.exe 1496 "C:\Windows\SysWOW64\fvmyfpf.exe"
261⤵
PID:1476

C:\Windows\SysWOW64\kagysmt.exe
C:\Windows\system32\kagysmt.exe 1344 "C:\Windows\SysWOW64\slgaoxk.exe"
262⤵
PID:664

C:\Windows\SysWOW64\xrbabmz.exe
C:\Windows\system32\xrbabmz.exe 1504 "C:\Windows\SysWOW64\kagysmt.exe"
263⤵
PID:2636

C:\Windows\SysWOW64\pupddej.exe
C:\Windows\system32\pupddej.exe 1352 "C:\Windows\SysWOW64\xrbabmz.exe"
264⤵
PID:2908

C:\Windows\SysWOW64\yiqablw.exe
C:\Windows\system32\yiqablw.exe 1512 "C:\Windows\SysWOW64\pupddej.exe"
265⤵
PID:1940

C:\Windows\SysWOW64\ldvqtee.exe
C:\Windows\system32\ldvqtee.exe 1360 "C:\Windows\SysWOW64\yiqablw.exe"
266⤵
PID:2836

C:\Windows\SysWOW64\bjcolis.exe
C:\Windows\system32\bjcolis.exe 1520 "C:\Windows\SysWOW64\ldvqtee.exe"
267⤵
PID:1088

C:\Windows\SysWOW64\qvztojf.exe
C:\Windows\system32\qvztojf.exe 1368 "C:\Windows\SysWOW64\bjcolis.exe"
268⤵
PID:2072

C:\Windows\SysWOW64\dxfjavj.exe
C:\Windows\system32\dxfjavj.exe 1528 "C:\Windows\SysWOW64\qvztojf.exe"
269⤵
PID:2164

C:\Windows\SysWOW64\psujnux.exe
C:\Windows\system32\psujnux.exe 1480 "C:\Windows\SysWOW64\dxfjavj.exe"
270⤵
PID:920

C:\Windows\SysWOW64\cipmwud.exe
C:\Windows\system32\cipmwud.exe 1536 "C:\Windows\SysWOW64\psujnux.exe"
271⤵
PID:2064

C:\Windows\SysWOW64\odwmbur.exe
C:\Windows\system32\odwmbur.exe 1492 "C:\Windows\SysWOW64\cipmwud.exe"
272⤵
PID:2280

C:\Windows\SysWOW64\bxcbngd.exe
C:\Windows\system32\bxcbngd.exe 1544 "C:\Windows\SysWOW64\odwmbur.exe"
273⤵
PID:2184

C:\Windows\SysWOW64\txnzmmh.exe
C:\Windows\system32\txnzmmh.exe 1500 "C:\Windows\SysWOW64\bxcbngd.exe"
274⤵
PID:2180

C:\Windows\SysWOW64\fcecacs.exe
C:\Windows\system32\fcecacs.exe 1552 "C:\Windows\SysWOW64\txnzmmh.exe"
275⤵
PID:2512

C:\Windows\SysWOW64\stapkxh.exe
C:\Windows\system32\stapkxh.exe 1508 "C:\Windows\SysWOW64\fcecacs.exe"
276⤵
PID:2632

C:\Windows\SysWOW64\fgseqtg.exe
C:\Windows\system32\fgseqtg.exe 1560 "C:\Windows\SysWOW64\stapkxh.exe"
277⤵
PID:392

C:\Windows\SysWOW64\obqhyjw.exe
C:\Windows\system32\obqhyjw.exe 1516 "C:\Windows\SysWOW64\fgseqtg.exe"
278⤵
PID:1200

C:\Windows\SysWOW64\pptkaus.exe
C:\Windows\system32\pptkaus.exe 1568 "C:\Windows\SysWOW64\obqhyjw.exe"
279⤵
PID:1840

C:\Windows\SysWOW64\wmmilrf.exe
C:\Windows\system32\wmmilrf.exe 1524 "C:\Windows\SysWOW64\pptkaus.exe"
280⤵
PID:972

C:\Windows\SysWOW64\jgsxxej.exe
C:\Windows\system32\jgsxxej.exe 1576 "C:\Windows\SysWOW64\wmmilrf.exe"
281⤵
PID:2264

C:\Windows\SysWOW64\brgayot.exe
C:\Windows\system32\brgayot.exe 1532 "C:\Windows\SysWOW64\jgsxxej.exe"
282⤵
PID:1068

C:\Windows\SysWOW64\nlmqkaf.exe
C:\Windows\system32\nlmqkaf.exe 1540 "C:\Windows\SysWOW64\brgayot.exe"
283⤵
PID:1176

C:\Windows\SysWOW64\xdxsrtv.exe
C:\Windows\system32\xdxsrtv.exe 1548 "C:\Windows\SysWOW64\nlmqkaf.exe"
284⤵
PID:2668

C:\Windows\SysWOW64\utwsssa.exe
C:\Windows\system32\utwsssa.exe 1556 "C:\Windows\SysWOW64\xdxsrtv.exe"
285⤵
PID:1740

C:\Windows\SysWOW64\sprqwty.exe
C:\Windows\system32\sprqwty.exe 1564 "C:\Windows\SysWOW64\utwsssa.exe"
286⤵
PID:3028

C:\Windows\SysWOW64\zubdgeb.exe
C:\Windows\system32\zubdgeb.exe 1572 "C:\Windows\SysWOW64\sprqwty.exe"
287⤵
PID:1472

C:\Windows\SysWOW64\raablss.exe
C:\Windows\system32\raablss.exe 1580 "C:\Windows\SysWOW64\zubdgeb.exe"
288⤵
PID:2540

C:\Windows\SysWOW64\bwblans.exe
C:\Windows\system32\bwblans.exe 1584 "C:\Windows\SysWOW64\raablss.exe"
289⤵
PID:1988

C:\Windows\SysWOW64\vgvtypg.exe
C:\Windows\system32\vgvtypg.exe 1588 "C:\Windows\SysWOW64\bwblans.exe"
290⤵
PID:1964

C:\Windows\SysWOW64\akobryt.exe
C:\Windows\system32\akobryt.exe 1592 "C:\Windows\SysWOW64\vgvtypg.exe"
291⤵
PID:2480

C:\Windows\SysWOW64\ccoqjut.exe
C:\Windows\system32\ccoqjut.exe 1596 "C:\Windows\SysWOW64\akobryt.exe"
292⤵
PID:1072

C:\Windows\SysWOW64\ptjtsuy.exe
C:\Windows\system32\ptjtsuy.exe 1612 "C:\Windows\SysWOW64\ccoqjut.exe"
293⤵
PID:1624

C:\Windows\SysWOW64\fbdttzm.exe
C:\Windows\system32\fbdttzm.exe 1600 "C:\Windows\SysWOW64\ptjtsuy.exe"
294⤵
PID:2600

C:\Windows\SysWOW64\ohwjrgz.exe
C:\Windows\system32\ohwjrgz.exe 1632 "C:\Windows\SysWOW64\fbdttzm.exe"
295⤵
PID:1780

C:\Windows\SysWOW64\tjnwbyh.exe
C:\Windows\system32\tjnwbyh.exe 1604 "C:\Windows\SysWOW64\ohwjrgz.exe"
296⤵
PID:2832

C:\Windows\SysWOW64\arionoq.exe
C:\Windows\system32\arionoq.exe 1608 "C:\Windows\SysWOW64\tjnwbyh.exe"
297⤵
PID:1984

C:\Windows\SysWOW64\kineazi.exe
C:\Windows\system32\kineazi.exe 1616 "C:\Windows\SysWOW64\arionoq.exe"
298⤵
PID:1484

C:\Windows\SysWOW64\zckzjvk.exe
C:\Windows\system32\zckzjvk.exe 1620 "C:\Windows\SysWOW64\kineazi.exe"
299⤵
PID:1832

C:\Windows\SysWOW64\jqmclcv.exe
C:\Windows\system32\jqmclcv.exe 1624 "C:\Windows\SysWOW64\zckzjvk.exe"
300⤵
PID:2800

C:\Windows\SysWOW64\wssjwgh.exe
C:\Windows\system32\wssjwgh.exe 1628 "C:\Windows\SysWOW64\jqmclcv.exe"
301⤵
PID:1676

C:\Windows\SysWOW64\yydetby.exe
C:\Windows\system32\yydetby.exe 1636 "C:\Windows\SysWOW64\wssjwgh.exe"
302⤵
PID:1936

C:\Windows\SysWOW64\lwyhccd.exe
C:\Windows\system32\lwyhccd.exe 1640 "C:\Windows\SysWOW64\yydetby.exe"
303⤵
PID:552

C:\Windows\SysWOW64\fzzpokv.exe
C:\Windows\system32\fzzpokv.exe 1644 "C:\Windows\SysWOW64\lwyhccd.exe"
304⤵
PID:964

C:\Windows\SysWOW64\rbffaxz.exe
C:\Windows\system32\rbffaxz.exe 1672 "C:\Windows\SysWOW64\fzzpokv.exe"
305⤵
PID:2788

C:\Windows\SysWOW64\qiaftvc.exe
C:\Windows\system32\qiaftvc.exe 1648 "C:\Windows\SysWOW64\rbffaxz.exe"
306⤵
PID:1960

C:\Windows\SysWOW64\aaqkxle.exe
C:\Windows\system32\aaqkxle.exe 1652 "C:\Windows\SysWOW64\qiaftvc.exe"
307⤵
PID:2736

C:\Windows\SysWOW64\ufwpaea.exe
C:\Windows\system32\ufwpaea.exe 1656 "C:\Windows\SysWOW64\aaqkxle.exe"
308⤵
PID:2520

C:\Windows\SysWOW64\cmgtrna.exe
C:\Windows\system32\cmgtrna.exe 1688 "C:\Windows\SysWOW64\ufwpaea.exe"
309⤵
PID:692

C:\Windows\SysWOW64\yjkdjqu.exe
C:\Windows\system32\yjkdjqu.exe 1660 "C:\Windows\SysWOW64\cmgtrna.exe"
310⤵
PID:2840

C:\Windows\SysWOW64\llqtvch.exe
C:\Windows\system32\llqtvch.exe 1696 "C:\Windows\SysWOW64\yjkdjqu.exe"
311⤵
PID:1736

C:\Windows\SysWOW64\pyjjbui.exe
C:\Windows\system32\pyjjbui.exe 1664 "C:\Windows\SysWOW64\llqtvch.exe"
312⤵
PID:1016

C:\Windows\SysWOW64\xctolnt.exe
C:\Windows\system32\xctolnt.exe 1668 "C:\Windows\SysWOW64\pyjjbui.exe"
313⤵
PID:1616

C:\Windows\SysWOW64\jlxjvza.exe
C:\Windows\system32\jlxjvza.exe 1676 "C:\Windows\SysWOW64\xctolnt.exe"
314⤵
PID:2188

C:\Windows\SysWOW64\vqodkqm.exe
C:\Windows\system32\vqodkqm.exe 1700 "C:\Windows\SysWOW64\jlxjvza.exe"
315⤵
PID:308

C:\Windows\SysWOW64\vynbvth.exe
C:\Windows\system32\vynbvth.exe 1680 "C:\Windows\SysWOW64\vqodkqm.exe"
316⤵
PID:1608

C:\Windows\SysWOW64\krjoehj.exe
C:\Windows\system32\krjoehj.exe 1708 "C:\Windows\SysWOW64\vynbvth.exe"
317⤵
PID:2556

C:\Windows\SysWOW64\oicupxg.exe
C:\Windows\system32\oicupxg.exe 1684 "C:\Windows\SysWOW64\krjoehj.exe"
318⤵
PID:1148

C:\Windows\SysWOW64\emlptcl.exe
C:\Windows\system32\emlptcl.exe 1728 "C:\Windows\SysWOW64\oicupxg.exe"
319⤵
PID:2856

C:\Windows\SysWOW64\hrcrgup.exe
C:\Windows\system32\hrcrgup.exe 1692 "C:\Windows\SysWOW64\emlptcl.exe"
320⤵
PID:3116

C:\Windows\SysWOW64\xhozmms.exe
C:\Windows\system32\xhozmms.exe 1720 "C:\Windows\SysWOW64\hrcrgup.exe"
321⤵
PID:3176

C:\Windows\SysWOW64\vokhfcv.exe
C:\Windows\system32\vokhfcv.exe 1704 "C:\Windows\SysWOW64\xhozmms.exe"
322⤵
PID:3232

C:\Windows\SysWOW64\lakcjpr.exe
C:\Windows\system32\lakcjpr.exe 1712 "C:\Windows\SysWOW64\vokhfcv.exe"
323⤵
PID:3288

C:\Windows\SysWOW64\hqpxeee.exe
C:\Windows\system32\hqpxeee.exe 1716 "C:\Windows\SysWOW64\lakcjpr.exe"
324⤵
PID:3340

C:\Windows\SysWOW64\usvnpqi.exe
C:\Windows\system32\usvnpqi.exe 1740 "C:\Windows\SysWOW64\hqpxeee.exe"
325⤵
PID:3404

C:\Windows\SysWOW64\fmjkolj.exe
C:\Windows\system32\fmjkolj.exe 1724 "C:\Windows\SysWOW64\usvnpqi.exe"
326⤵
PID:3460

C:\Windows\SysWOW64\vffxqyu.exe
C:\Windows\system32\vffxqyu.exe 1760 "C:\Windows\SysWOW64\fmjkolj.exe"
327⤵
PID:3524

C:\Windows\SysWOW64\tyoyxbb.exe
C:\Windows\system32\tyoyxbb.exe 1732 "C:\Windows\SysWOW64\vffxqyu.exe"
328⤵
PID:3572

C:\Windows\SysWOW64\lmedica.exe
C:\Windows\system32\lmedica.exe 1768 "C:\Windows\SysWOW64\tyoyxbb.exe"
329⤵
PID:3636

C:\Windows\SysWOW64\kmnvpnp.exe
C:\Windows\system32\kmnvpnp.exe 1736 "C:\Windows\SysWOW64\lmedica.exe"
330⤵
PID:3688

C:\Windows\SysWOW64\cblbzgo.exe
C:\Windows\system32\cblbzgo.exe 1776 "C:\Windows\SysWOW64\kmnvpnp.exe"
331⤵
PID:3752

C:\Windows\SysWOW64\htfownk.exe
C:\Windows\system32\htfownk.exe 1744 "C:\Windows\SysWOW64\cblbzgo.exe"
332⤵
PID:3800

C:\Windows\SysWOW64\cwjlumj.exe
C:\Windows\system32\cwjlumj.exe 1784 "C:\Windows\SysWOW64\htfownk.exe"
333⤵
PID:3864

C:\Windows\SysWOW64\vfkbfdu.exe
C:\Windows\system32\vfkbfdu.exe 1748 "C:\Windows\SysWOW64\cwjlumj.exe"
334⤵
PID:3916

C:\Windows\SysWOW64\nfmtsjh.exe
C:\Windows\system32\nfmtsjh.exe 1792 "C:\Windows\SysWOW64\vfkbfdu.exe"
335⤵
PID:3976

C:\Windows\SysWOW64\gdbwawl.exe
C:\Windows\system32\gdbwawl.exe 1752 "C:\Windows\SysWOW64\nfmtsjh.exe"
336⤵
PID:4028

C:\Windows\SysWOW64\bgfugds.exe
C:\Windows\system32\bgfugds.exe 1800 "C:\Windows\SysWOW64\gdbwawl.exe"
337⤵
PID:4092

C:\Windows\SysWOW64\zncmtoe.exe
C:\Windows\system32\zncmtoe.exe 1756 "C:\Windows\SysWOW64\bgfugds.exe"
338⤵
PID:2284

C:\Windows\SysWOW64\upgkrmd.exe
C:\Windows\system32\upgkrmd.exe 1808 "C:\Windows\SysWOW64\zncmtoe.exe"
339⤵
PID:2096

C:\Windows\SysWOW64\klchpzw.exe
C:\Windows\system32\klchpzw.exe 1764 "C:\Windows\SysWOW64\upgkrmd.exe"
340⤵
PID:3280

C:\Windows\SysWOW64\fnyfnfu.exe
C:\Windows\system32\fnyfnfu.exe 1816 "C:\Windows\SysWOW64\klchpzw.exe"
341⤵
PID:2472

C:\Windows\SysWOW64\tcofgak.exe
C:\Windows\system32\tcofgak.exe 1772 "C:\Windows\SysWOW64\fnyfnfu.exe"
342⤵
PID:1520

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\lpdpbus.exe
Filesize
102KB

MD5
fcb5695a58313c7c0341bd5a6a0e8bf7

SHA1
cc791671160e423aa7845566fdfe0e6c792401f5

SHA256
4c16edebd158f250b0fba02dce4f49fa9126e95139016e65b96642f2323930db

SHA512
64c9bf3ff64b15baed32ee60c53cbbadd69a29176176e7cc94eb932c93a8bdc8062f4d6daca95797dfd4cd8861905700439ed077bff01545f0c1e39dafd1c321

Download Submit
memory/324-594-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/380-394-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/440-403-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/528-584-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/640-106-0x0000000002850000-0x0000000002937000-memory.dmp

Filesize
924KB

Download
memory/640-107-0x0000000002850000-0x0000000002937000-memory.dmp

Filesize
924KB

Download
memory/640-109-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/640-93-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/800-340-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/856-516-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/888-240-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/888-248-0x00000000026E0000-0x00000000027C7000-memory.dmp

Filesize
924KB

Download
memory/888-250-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/888-239-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1084-0-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1084-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1084-6-0x0000000002620000-0x0000000002707000-memory.dmp

Filesize
924KB

Download
memory/1084-16-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1116-417-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1120-428-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1340-249-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1340-258-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1448-323-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1448-333-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1500-367-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1580-409-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1592-157-0x00000000027F0000-0x00000000028D7000-memory.dmp

Filesize
924KB

Download
memory/1592-146-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1592-162-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1648-561-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1704-150-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1704-133-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1704-132-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1704-145-0x0000000002730000-0x0000000002817000-memory.dmp

Filesize
924KB

Download
memory/1728-472-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1752-621-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1800-611-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1828-351-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1900-552-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1904-213-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1904-200-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1944-535-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1948-570-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1968-120-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/1968-108-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2024-466-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2040-586-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2084-525-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2128-489-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2132-386-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2148-459-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2172-630-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2200-542-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2224-448-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2272-31-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2272-14-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2272-13-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2312-137-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2312-131-0x0000000002750000-0x0000000002837000-memory.dmp

Filesize
924KB

Download
memory/2324-358-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2332-324-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2332-315-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2348-84-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2348-65-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2348-66-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2348-78-0x0000000002710000-0x00000000027F7000-memory.dmp

Filesize
924KB

Download
memory/2348-79-0x0000000002710000-0x00000000027F7000-memory.dmp

Filesize
924KB

Download
memory/2356-63-0x0000000002250000-0x0000000002337000-memory.dmp

Filesize
924KB

Download
memory/2356-69-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2356-52-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2356-51-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2360-305-0x0000000002780000-0x0000000002867000-memory.dmp

Filesize
924KB

Download
memory/2360-296-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2360-307-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2360-306-0x0000000002780000-0x0000000002867000-memory.dmp

Filesize
924KB

Download
memory/2360-295-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2376-497-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2412-316-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2412-314-0x0000000001E30000-0x0000000001F17000-memory.dmp

Filesize
924KB

Download
memory/2412-304-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2576-481-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2584-39-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2584-56-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2588-276-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2588-286-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2588-284-0x00000000027F0000-0x00000000028D7000-memory.dmp

Filesize
924KB

Download
memory/2608-41-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2608-26-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2608-27-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2640-190-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2640-173-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2640-186-0x0000000002590000-0x0000000002677000-memory.dmp

Filesize
924KB

Download
memory/2656-178-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2656-172-0x00000000026D0000-0x00000000027B7000-memory.dmp

Filesize
924KB

Download
memory/2656-160-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2656-174-0x00000000026D0000-0x00000000027B7000-memory.dmp

Filesize
924KB

Download
memory/2656-159-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2708-220-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2708-228-0x00000000028F0000-0x00000000029D7000-memory.dmp

Filesize
924KB

Download
memory/2708-230-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2716-202-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2716-187-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2716-188-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2748-229-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2748-237-0x00000000027D0000-0x00000000028B7000-memory.dmp

Filesize
924KB

Download
memory/2748-241-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2748-238-0x00000000027D0000-0x00000000028B7000-memory.dmp

Filesize
924KB

Download
memory/2768-507-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2816-602-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2828-267-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2828-277-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2828-275-0x0000000002920000-0x0000000002A07000-memory.dmp

Filesize
924KB

Download
memory/2848-285-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2848-293-0x0000000002860000-0x0000000002947000-memory.dmp

Filesize
924KB

Download
memory/2848-294-0x0000000002860000-0x0000000002947000-memory.dmp

Filesize
924KB

Download
memory/2848-297-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2852-435-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2868-221-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2912-266-0x00000000028E0000-0x00000000029C7000-memory.dmp

Filesize
924KB

Download
memory/2912-268-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2912-265-0x00000000028E0000-0x00000000029C7000-memory.dmp

Filesize
924KB

Download
memory/2912-257-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2924-98-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2924-80-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2924-87-0x00000000028D0000-0x00000000029B7000-memory.dmp

Filesize
924KB

Download
memory/2924-94-0x00000000028D0000-0x00000000029B7000-memory.dmp

Filesize
924KB

Download
memory/2972-441-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/3032-376-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads