metasploit | d8d98aca37ca3d943cc7514a7977c3323eeecceb9e7b12015f2932dba3cd6eab

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-09-2024 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe
Size

272KB
MD5

f2d8d3ef1d5623bdfa9a0eebd4fc2266
SHA1

1a86274d2db5433939ed092da2aa9061b81f4d70
SHA256

d8d98aca37ca3d943cc7514a7977c3323eeecceb9e7b12015f2932dba3cd6eab
SHA512

189d3760dd2cc2521423bd3c1d7ce80a9160efbf50239a32dde000b6ee5725735f5e8bae581ab800ddd00211c3e13838b3fb40ae2d4fb5805f7126c55528de4a
SSDEEP

6144:d/H+8pmvtzHm48oilMAOSf0XFdkzR9CnPYlt8:dv+Ym1Y0AOSfaeR0nwf8

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

pid	Process
2100	ldampse.exe
2224	aaimcsf.exe
2692	nydpksl.exe
2920	vdnuclo.exe
2600	fcrrmkv.exe
2636	aevpkju.exe
2908	hmjpegd.exe
1144	uraktpo.exe
2924	zpfagqn.exe
1780	rphkuwt.exe
740	wqpfctz.exe
948	obdfkqa.exe
296	qarvivn.exe
2084	jhtanop.exe
1708	npqvjca.exe
292	aosxrky.exe
860	cnzfphl.exe
1680	agtilxi.exe
788	bfhxjbv.exe
2772	uqvprzd.exe
2832	byiqdof.exe
2596	uthifda.exe
2728	qkedbrl.exe
2836	gdbqdfo.exe
2312	nlwqxux.exe
1736	dbiqemb.exe
2120	namvoki.exe
1920	uhhnjas.exe
2380	fhlltzr.exe
340	rfonczx.exe
2468	zqntzaf.exe
2148	lhivhbl.exe
1952	wciopvl.exe
2440	lwfbyrw.exe
3056	vgvlumc.exe
1624	iabbfzg.exe
3000	vvsqlcf.exe
2056	imnttll.exe
2252	slzrebs.exe
1576	czsocjf.exe
1580	ppvjlrd.exe
2708	copltzj.exe
2768	lrfwgup.exe
784	ypiypcu.exe
2644	jomwhbc.exe
1108	vfhyqjh.exe
2936	gmteaih.exe
1308	sgzmmnt.exe
1372	feuouvr.exe
1688	svorddw.exe
1516	flruudc.exe
1964	pzsrklp.exe
2608	cynustn.exe
540	oohobts.exe
2524	bfkrjby.exe
836	odfusjv.exe
2444	ycjrkid.exe
1728	lephwmh.exe
2420	yvskfvn.exe
2152	ijthvca.exe
2648	vznkdkf.exe
2784	hyimukd.exe
2432	uolpctj.exe
2700	hngklbo.exe

Loads dropped DLL 64 IoCs

pid	Process
2228	f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe
2228	f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe
2100	ldampse.exe
2100	ldampse.exe
2224	aaimcsf.exe
2224	aaimcsf.exe
2692	nydpksl.exe
2692	nydpksl.exe
2920	vdnuclo.exe
2920	vdnuclo.exe
2600	fcrrmkv.exe
2600	fcrrmkv.exe
2636	aevpkju.exe
2636	aevpkju.exe
2908	hmjpegd.exe
2908	hmjpegd.exe
1144	uraktpo.exe
1144	uraktpo.exe
2924	zpfagqn.exe
2924	zpfagqn.exe
1780	rphkuwt.exe
1780	rphkuwt.exe
740	wqpfctz.exe
740	wqpfctz.exe
948	obdfkqa.exe
948	obdfkqa.exe
296	qarvivn.exe
296	qarvivn.exe
2084	jhtanop.exe
2084	jhtanop.exe
1708	npqvjca.exe
1708	npqvjca.exe
292	aosxrky.exe
292	aosxrky.exe
860	cnzfphl.exe
860	cnzfphl.exe
1680	agtilxi.exe
1680	agtilxi.exe
788	bfhxjbv.exe
788	bfhxjbv.exe
2772	uqvprzd.exe
2772	uqvprzd.exe
2832	byiqdof.exe
2832	byiqdof.exe
2596	uthifda.exe
2596	uthifda.exe
2728	qkedbrl.exe
2728	qkedbrl.exe
2836	gdbqdfo.exe
2836	gdbqdfo.exe
2312	nlwqxux.exe
2312	nlwqxux.exe
1736	dbiqemb.exe
1736	dbiqemb.exe
2120	namvoki.exe
2120	namvoki.exe
1920	uhhnjas.exe
1920	uhhnjas.exe
2380	fhlltzr.exe
2380	fhlltzr.exe
340	rfonczx.exe
340	rfonczx.exe
2468	zqntzaf.exe
2468	zqntzaf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ukowfyo.exe-up.txt	ukowfyo.exe
File created	C:\Windows\SysWOW64\ngmmggv.exe	dsloqhi.exe
File created	C:\Windows\SysWOW64\zaegoig.exe	myyqdvb.exe
File created	C:\Windows\SysWOW64\emwgmop.exe-up.txt	emwgmop.exe
File created	C:\Windows\SysWOW64\lwfbyrw.exe	wciopvl.exe
File created	C:\Windows\SysWOW64\dtmeltt.exe	qcrccso.exe
File created	C:\Windows\SysWOW64\zijiwlo.exe	pjekmmh.exe
File created	C:\Windows\SysWOW64\mjilmnq.exe-up.txt	mjilmnq.exe
File opened for modification	C:\Windows\SysWOW64\imnttll.exe	vvsqlcf.exe
File created	C:\Windows\SysWOW64\xhsdoxp.exe-up.txt	xhsdoxp.exe
File opened for modification	C:\Windows\SysWOW64\nvafcpn.exe	zijiwlo.exe
File created	C:\Windows\SysWOW64\atoqaoi.exe-up.txt	atoqaoi.exe
File created	C:\Windows\SysWOW64\blzlxlc.exe	onwiodf.exe
File created	C:\Windows\SysWOW64\njyedsa.exe-up.txt	njyedsa.exe
File opened for modification	C:\Windows\SysWOW64\blguezq.exe	oyoeywr.exe
File created	C:\Windows\SysWOW64\vdvtvlm.exe	inaqnlg.exe
File created	C:\Windows\SysWOW64\wrskeda.exe	mdsnovn.exe
File created	C:\Windows\SysWOW64\pjekmmh.exe	dhydaad.exe
File opened for modification	C:\Windows\SysWOW64\gpywuac.exe	tqvtlsf.exe
File created	C:\Windows\SysWOW64\xszmdvw.exe	nhkcqsq.exe
File created	C:\Windows\SysWOW64\jomwhbc.exe	ypiypcu.exe
File opened for modification	C:\Windows\SysWOW64\riaqhvm.exe	esgozng.exe
File created	C:\Windows\SysWOW64\ebwcvgi.exe-up.txt	ebwcvgi.exe
File created	C:\Windows\SysWOW64\oecdsii.exe-up.txt	oecdsii.exe
File created	C:\Windows\SysWOW64\iisnexh.exe	uvbqybb.exe
File created	C:\Windows\SysWOW64\ejdsait.exe	rsiyrao.exe
File opened for modification	C:\Windows\SysWOW64\yvjzwdy.exe	iqbespb.exe
File created	C:\Windows\SysWOW64\urhsadc.exe-up.txt	urhsadc.exe
File opened for modification	C:\Windows\SysWOW64\qqwttvg.exe	hcdwvnt.exe
File opened for modification	C:\Windows\SysWOW64\wpeyasx.exe	mnpnnpr.exe
File created	C:\Windows\SysWOW64\uniudon.exe-up.txt	uniudon.exe
File opened for modification	C:\Windows\SysWOW64\pmxajmf.exe	cznkeig.exe
File created	C:\Windows\SysWOW64\bnlnznu.exe-up.txt	bnlnznu.exe
File created	C:\Windows\SysWOW64\yhrhuhn.exe-up.txt	yhrhuhn.exe
File created	C:\Windows\SysWOW64\nykxrhy.exe	alsallz.exe
File created	C:\Windows\SysWOW64\lrlvjlk.exe	ybisadf.exe
File created	C:\Windows\SysWOW64\fzshhwa.exe-up.txt	fzshhwa.exe
File opened for modification	C:\Windows\SysWOW64\qcasfce.exe	dlfpouz.exe
File created	C:\Windows\SysWOW64\pyrxtop.exe-up.txt	pyrxtop.exe
File created	C:\Windows\SysWOW64\icfcexz.exe-up.txt	icfcexz.exe
File created	C:\Windows\SysWOW64\cdhxusm.exe-up.txt	cdhxusm.exe
File created	C:\Windows\SysWOW64\xlrednn.exe	vicuqkz.exe
File created	C:\Windows\SysWOW64\tauuorr.exe	gyondfn.exe
File opened for modification	C:\Windows\SysWOW64\alemoxe.exe	njyedsa.exe
File opened for modification	C:\Windows\SysWOW64\gmadtmo.exe	toxakej.exe
File created	C:\Windows\SysWOW64\ugtliuv.exe-up.txt	ugtliuv.exe
File opened for modification	C:\Windows\SysWOW64\ebtmdea.exe	rdyjuwv.exe
File opened for modification	C:\Windows\SysWOW64\jomwhbc.exe	ypiypcu.exe
File created	C:\Windows\SysWOW64\esbkkiz.exe-up.txt	esbkkiz.exe
File opened for modification	C:\Windows\SysWOW64\tuwrfcn.exe	gebowuh.exe
File opened for modification	C:\Windows\SysWOW64\mdsnovn.exe	zfpkfvh.exe
File opened for modification	C:\Windows\SysWOW64\cyohhwr.exe	swyxmtl.exe
File created	C:\Windows\SysWOW64\aaimcsf.exe	ldampse.exe
File created	C:\Windows\SysWOW64\piafuiv.exe	csfclap.exe
File created	C:\Windows\SysWOW64\tbifbrs.exe	gknctrn.exe
File created	C:\Windows\SysWOW64\xxfcaoa.exe-up.txt	xxfcaoa.exe
File created	C:\Windows\SysWOW64\vwtesgj.exe	ifzbjge.exe
File created	C:\Windows\SysWOW64\sapezwc.exe-up.txt	sapezwc.exe
File created	C:\Windows\SysWOW64\lrpkqsd.exe	bdomzlq.exe
File opened for modification	C:\Windows\SysWOW64\lrpkqsd.exe	bdomzlq.exe
File created	C:\Windows\SysWOW64\nlwqxux.exe-up.txt	nlwqxux.exe
File created	C:\Windows\SysWOW64\ssbntjz.exe-up.txt	ssbntjz.exe
File opened for modification	C:\Windows\SysWOW64\qiqgice.exe	drvdzbh.exe
File created	C:\Windows\SysWOW64\ifzbjge.exe-up.txt	ifzbjge.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdbqdfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lhivhbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frfvfax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejdsait.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sapezwc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhtanop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngmmggv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnpnnpr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fhlltzr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwklgmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ajgdebb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	osmyrbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hyimukd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feuouvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bsorotn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nklbwtd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waeutvo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zaegoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yikeybj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suksjqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aevpkju.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kyqwacx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arknmfk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	knkghph.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vdnuclo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uraktpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flruudc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mjksqtg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywfoyvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mouhpnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsrrmoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcrrmkv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zqntzaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vznkdkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zijiwlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inixnpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aaimcsf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvmtdje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njyedsa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xszmdvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cynustn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sajcfcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdhxusm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crsibke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ubldfwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtmeltt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kosimav.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yomtfmu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jinnnly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpqdygk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qjzkusf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpormza.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gmadtmo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vfhyqjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bvxgijo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xwupmmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qtimhzl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oaqimud.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qsjutqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyohhwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lephwmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dhydaad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yorlwbv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nczoxfk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2100	2228	f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2100	2228	f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2100	2228	f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe	31
PID 2228 wrote to memory of 2100	2228	f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2224	2100	ldampse.exe	32
PID 2100 wrote to memory of 2224	2100	ldampse.exe	32
PID 2100 wrote to memory of 2224	2100	ldampse.exe	32
PID 2100 wrote to memory of 2224	2100	ldampse.exe	32
PID 2224 wrote to memory of 2692	2224	aaimcsf.exe	33
PID 2224 wrote to memory of 2692	2224	aaimcsf.exe	33
PID 2224 wrote to memory of 2692	2224	aaimcsf.exe	33
PID 2224 wrote to memory of 2692	2224	aaimcsf.exe	33
PID 2692 wrote to memory of 2920	2692	nydpksl.exe	34
PID 2692 wrote to memory of 2920	2692	nydpksl.exe	34
PID 2692 wrote to memory of 2920	2692	nydpksl.exe	34
PID 2692 wrote to memory of 2920	2692	nydpksl.exe	34
PID 2920 wrote to memory of 2600	2920	vdnuclo.exe	35
PID 2920 wrote to memory of 2600	2920	vdnuclo.exe	35
PID 2920 wrote to memory of 2600	2920	vdnuclo.exe	35
PID 2920 wrote to memory of 2600	2920	vdnuclo.exe	35
PID 2600 wrote to memory of 2636	2600	fcrrmkv.exe	36
PID 2600 wrote to memory of 2636	2600	fcrrmkv.exe	36
PID 2600 wrote to memory of 2636	2600	fcrrmkv.exe	36
PID 2600 wrote to memory of 2636	2600	fcrrmkv.exe	36
PID 2636 wrote to memory of 2908	2636	aevpkju.exe	37
PID 2636 wrote to memory of 2908	2636	aevpkju.exe	37
PID 2636 wrote to memory of 2908	2636	aevpkju.exe	37
PID 2636 wrote to memory of 2908	2636	aevpkju.exe	37
PID 2908 wrote to memory of 1144	2908	hmjpegd.exe	38
PID 2908 wrote to memory of 1144	2908	hmjpegd.exe	38
PID 2908 wrote to memory of 1144	2908	hmjpegd.exe	38
PID 2908 wrote to memory of 1144	2908	hmjpegd.exe	38
PID 1144 wrote to memory of 2924	1144	uraktpo.exe	39
PID 1144 wrote to memory of 2924	1144	uraktpo.exe	39
PID 1144 wrote to memory of 2924	1144	uraktpo.exe	39
PID 1144 wrote to memory of 2924	1144	uraktpo.exe	39
PID 2924 wrote to memory of 1780	2924	zpfagqn.exe	40
PID 2924 wrote to memory of 1780	2924	zpfagqn.exe	40
PID 2924 wrote to memory of 1780	2924	zpfagqn.exe	40
PID 2924 wrote to memory of 1780	2924	zpfagqn.exe	40
PID 1780 wrote to memory of 740	1780	rphkuwt.exe	41
PID 1780 wrote to memory of 740	1780	rphkuwt.exe	41
PID 1780 wrote to memory of 740	1780	rphkuwt.exe	41
PID 1780 wrote to memory of 740	1780	rphkuwt.exe	41
PID 740 wrote to memory of 948	740	wqpfctz.exe	42
PID 740 wrote to memory of 948	740	wqpfctz.exe	42
PID 740 wrote to memory of 948	740	wqpfctz.exe	42
PID 740 wrote to memory of 948	740	wqpfctz.exe	42
PID 948 wrote to memory of 296	948	obdfkqa.exe	43
PID 948 wrote to memory of 296	948	obdfkqa.exe	43
PID 948 wrote to memory of 296	948	obdfkqa.exe	43
PID 948 wrote to memory of 296	948	obdfkqa.exe	43
PID 296 wrote to memory of 2084	296	qarvivn.exe	44
PID 296 wrote to memory of 2084	296	qarvivn.exe	44
PID 296 wrote to memory of 2084	296	qarvivn.exe	44
PID 296 wrote to memory of 2084	296	qarvivn.exe	44
PID 2084 wrote to memory of 1708	2084	jhtanop.exe	45
PID 2084 wrote to memory of 1708	2084	jhtanop.exe	45
PID 2084 wrote to memory of 1708	2084	jhtanop.exe	45
PID 2084 wrote to memory of 1708	2084	jhtanop.exe	45
PID 1708 wrote to memory of 292	1708	npqvjca.exe	46
PID 1708 wrote to memory of 292	1708	npqvjca.exe	46
PID 1708 wrote to memory of 292	1708	npqvjca.exe	46
PID 1708 wrote to memory of 292	1708	npqvjca.exe	46

C:\Users\Admin\AppData\Local\Temp\f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\ldampse.exe
  C:\Windows\system32\ldampse.exe 544 "C:\Users\Admin\AppData\Local\Temp\f2d8d3ef1d5623bdfa9a0eebd4fc2266_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\aaimcsf.exe
    C:\Windows\system32\aaimcsf.exe 536 "C:\Windows\SysWOW64\ldampse.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2224
  - - C:\Windows\SysWOW64\nydpksl.exe
      C:\Windows\system32\nydpksl.exe 532 "C:\Windows\SysWOW64\aaimcsf.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\SysWOW64\vdnuclo.exe
        
        C:\Windows\system32\vdnuclo.exe 540 "C:\Windows\SysWOW64\nydpksl.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\SysWOW64\fcrrmkv.exe
        
        C:\Windows\system32\fcrrmkv.exe 552 "C:\Windows\SysWOW64\vdnuclo.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\aevpkju.exe
        
        C:\Windows\system32\aevpkju.exe 548 "C:\Windows\SysWOW64\fcrrmkv.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\hmjpegd.exe
        
        C:\Windows\system32\hmjpegd.exe 556 "C:\Windows\SysWOW64\aevpkju.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\uraktpo.exe
        
        C:\Windows\system32\uraktpo.exe 560 "C:\Windows\SysWOW64\hmjpegd.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\zpfagqn.exe
        
        C:\Windows\system32\zpfagqn.exe 572 "C:\Windows\SysWOW64\uraktpo.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\rphkuwt.exe
        
        C:\Windows\system32\rphkuwt.exe 568 "C:\Windows\SysWOW64\zpfagqn.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\wqpfctz.exe
        
        C:\Windows\system32\wqpfctz.exe 580 "C:\Windows\SysWOW64\rphkuwt.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\obdfkqa.exe
        
        C:\Windows\system32\obdfkqa.exe 564 "C:\Windows\SysWOW64\wqpfctz.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\qarvivn.exe
        
        C:\Windows\system32\qarvivn.exe 576 "C:\Windows\SysWOW64\obdfkqa.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\SysWOW64\jhtanop.exe
        
        C:\Windows\system32\jhtanop.exe 584 "C:\Windows\SysWOW64\qarvivn.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\npqvjca.exe
        
        C:\Windows\system32\npqvjca.exe 588 "C:\Windows\SysWOW64\jhtanop.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\aosxrky.exe
        
        C:\Windows\system32\aosxrky.exe 592 "C:\Windows\SysWOW64\npqvjca.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:292
        
        C:\Windows\SysWOW64\cnzfphl.exe
        
        C:\Windows\system32\cnzfphl.exe 596 "C:\Windows\SysWOW64\aosxrky.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:860
        
        C:\Windows\SysWOW64\agtilxi.exe
        
        C:\Windows\system32\agtilxi.exe 600 "C:\Windows\SysWOW64\cnzfphl.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1680
        
        C:\Windows\SysWOW64\bfhxjbv.exe
        
        C:\Windows\system32\bfhxjbv.exe 624 "C:\Windows\SysWOW64\agtilxi.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:788
        
        C:\Windows\SysWOW64\uqvprzd.exe
        
        C:\Windows\system32\uqvprzd.exe 604 "C:\Windows\SysWOW64\bfhxjbv.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2772
        
        C:\Windows\SysWOW64\byiqdof.exe
        
        C:\Windows\system32\byiqdof.exe 608 "C:\Windows\SysWOW64\uqvprzd.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2832
        
        C:\Windows\SysWOW64\uthifda.exe
        
        C:\Windows\system32\uthifda.exe 616 "C:\Windows\SysWOW64\byiqdof.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2596
        
        C:\Windows\SysWOW64\qkedbrl.exe
        
        C:\Windows\system32\qkedbrl.exe 632 "C:\Windows\SysWOW64\uthifda.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2728
        
        C:\Windows\SysWOW64\gdbqdfo.exe
        
        C:\Windows\system32\gdbqdfo.exe 612 "C:\Windows\SysWOW64\qkedbrl.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\nlwqxux.exe
        
        C:\Windows\system32\nlwqxux.exe 620 "C:\Windows\SysWOW64\gdbqdfo.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2312
        
        C:\Windows\SysWOW64\dbiqemb.exe
        
        C:\Windows\system32\dbiqemb.exe 628 "C:\Windows\SysWOW64\nlwqxux.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1736
        
        C:\Windows\SysWOW64\namvoki.exe
        
        C:\Windows\system32\namvoki.exe 652 "C:\Windows\SysWOW64\dbiqemb.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2120
        
        C:\Windows\SysWOW64\uhhnjas.exe
        
        C:\Windows\system32\uhhnjas.exe 636 "C:\Windows\SysWOW64\namvoki.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1920
        
        C:\Windows\SysWOW64\fhlltzr.exe
        
        C:\Windows\system32\fhlltzr.exe 656 "C:\Windows\SysWOW64\uhhnjas.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\rfonczx.exe
        
        C:\Windows\system32\rfonczx.exe 640 "C:\Windows\SysWOW64\fhlltzr.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:340
        
        C:\Windows\SysWOW64\zqntzaf.exe
        
        C:\Windows\system32\zqntzaf.exe 660 "C:\Windows\SysWOW64\rfonczx.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\lhivhbl.exe
        
        C:\Windows\system32\lhivhbl.exe 648 "C:\Windows\SysWOW64\zqntzaf.exe"
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\wciopvl.exe
        
        C:\Windows\system32\wciopvl.exe 672 "C:\Windows\SysWOW64\lhivhbl.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\lwfbyrw.exe
        
        C:\Windows\system32\lwfbyrw.exe 664 "C:\Windows\SysWOW64\wciopvl.exe"
        35⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\vgvlumc.exe
        
        C:\Windows\system32\vgvlumc.exe 680 "C:\Windows\SysWOW64\lwfbyrw.exe"
        36⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\iabbfzg.exe
        
        C:\Windows\system32\iabbfzg.exe 668 "C:\Windows\SysWOW64\vgvlumc.exe"
        37⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Windows\SysWOW64\vvsqlcf.exe
        
        C:\Windows\system32\vvsqlcf.exe 696 "C:\Windows\SysWOW64\iabbfzg.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\imnttll.exe
        
        C:\Windows\system32\imnttll.exe 644 "C:\Windows\SysWOW64\vvsqlcf.exe"
        39⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\SysWOW64\slzrebs.exe
        
        C:\Windows\system32\slzrebs.exe 676 "C:\Windows\SysWOW64\imnttll.exe"
        40⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\czsocjf.exe
        
        C:\Windows\system32\czsocjf.exe 688 "C:\Windows\SysWOW64\slzrebs.exe"
        41⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\ppvjlrd.exe
        
        C:\Windows\system32\ppvjlrd.exe 704 "C:\Windows\SysWOW64\czsocjf.exe"
        42⤵
        Executes dropped EXE
        
        PID:1580
        
        C:\Windows\SysWOW64\copltzj.exe
        
        C:\Windows\system32\copltzj.exe 692 "C:\Windows\SysWOW64\ppvjlrd.exe"
        43⤵
        Executes dropped EXE
        
        PID:2708
        
        C:\Windows\SysWOW64\lrfwgup.exe
        
        C:\Windows\system32\lrfwgup.exe 708 "C:\Windows\SysWOW64\copltzj.exe"
        44⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\ypiypcu.exe
        
        C:\Windows\system32\ypiypcu.exe 700 "C:\Windows\SysWOW64\lrfwgup.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\jomwhbc.exe
        
        C:\Windows\system32\jomwhbc.exe 712 "C:\Windows\SysWOW64\ypiypcu.exe"
        46⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Windows\SysWOW64\vfhyqjh.exe
        
        C:\Windows\system32\vfhyqjh.exe 684 "C:\Windows\SysWOW64\jomwhbc.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Windows\SysWOW64\gmteaih.exe
        
        C:\Windows\system32\gmteaih.exe 720 "C:\Windows\SysWOW64\vfhyqjh.exe"
        48⤵
        Executes dropped EXE
        
        PID:2936
        
        C:\Windows\SysWOW64\sgzmmnt.exe
        
        C:\Windows\system32\sgzmmnt.exe 716 "C:\Windows\SysWOW64\gmteaih.exe"
        49⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Windows\SysWOW64\feuouvr.exe
        
        C:\Windows\system32\feuouvr.exe 740 "C:\Windows\SysWOW64\sgzmmnt.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\svorddw.exe
        
        C:\Windows\system32\svorddw.exe 728 "C:\Windows\SysWOW64\feuouvr.exe"
        51⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Windows\SysWOW64\flruudc.exe
        
        C:\Windows\system32\flruudc.exe 736 "C:\Windows\SysWOW64\svorddw.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\pzsrklp.exe
        
        C:\Windows\system32\pzsrklp.exe 732 "C:\Windows\SysWOW64\flruudc.exe"
        53⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\cynustn.exe
        
        C:\Windows\system32\cynustn.exe 760 "C:\Windows\SysWOW64\pzsrklp.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\oohobts.exe
        
        C:\Windows\system32\oohobts.exe 744 "C:\Windows\SysWOW64\cynustn.exe"
        55⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\bfkrjby.exe
        
        C:\Windows\system32\bfkrjby.exe 752 "C:\Windows\SysWOW64\oohobts.exe"
        56⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\odfusjv.exe
        
        C:\Windows\system32\odfusjv.exe 748 "C:\Windows\SysWOW64\bfkrjby.exe"
        57⤵
        Executes dropped EXE
        
        PID:836
        
        C:\Windows\SysWOW64\ycjrkid.exe
        
        C:\Windows\system32\ycjrkid.exe 776 "C:\Windows\SysWOW64\odfusjv.exe"
        58⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\Windows\SysWOW64\lephwmh.exe
        
        C:\Windows\system32\lephwmh.exe 756 "C:\Windows\SysWOW64\ycjrkid.exe"
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\yvskfvn.exe
        
        C:\Windows\system32\yvskfvn.exe 768 "C:\Windows\SysWOW64\lephwmh.exe"
        60⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\ijthvca.exe
        
        C:\Windows\system32\ijthvca.exe 724 "C:\Windows\SysWOW64\yvskfvn.exe"
        61⤵
        Executes dropped EXE
        
        PID:2152
        
        C:\Windows\SysWOW64\vznkdkf.exe
        
        C:\Windows\system32\vznkdkf.exe 764 "C:\Windows\SysWOW64\ijthvca.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\hyimukd.exe
        
        C:\Windows\system32\hyimukd.exe 780 "C:\Windows\SysWOW64\vznkdkf.exe"
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\uolpctj.exe
        
        C:\Windows\system32\uolpctj.exe 784 "C:\Windows\SysWOW64\hyimukd.exe"
        64⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\hngklbo.exe
        
        C:\Windows\system32\hngklbo.exe 772 "C:\Windows\SysWOW64\uolpctj.exe"
        65⤵
        Executes dropped EXE
        
        PID:2700
        
        C:\Windows\SysWOW64\rtghbab.exe
        
        C:\Windows\system32\rtghbab.exe 808 "C:\Windows\SysWOW64\hngklbo.exe"
        66⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\esbkkiz.exe
        
        C:\Windows\system32\esbkkiz.exe 792 "C:\Windows\SysWOW64\rtghbab.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\riemsqe.exe
        
        C:\Windows\system32\riemsqe.exe 788 "C:\Windows\SysWOW64\esbkkiz.exe"
        68⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\ehzpbrk.exe
        
        C:\Windows\system32\ehzpbrk.exe 796 "C:\Windows\SysWOW64\riemsqe.exe"
        69⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\ojozwuq.exe
        
        C:\Windows\system32\ojozwuq.exe 812 "C:\Windows\SysWOW64\ehzpbrk.exe"
        70⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\sajcfcw.exe
        
        C:\Windows\system32\sajcfcw.exe 800 "C:\Windows\SysWOW64\ojozwuq.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\fymfnkb.exe
        
        C:\Windows\system32\fymfnkb.exe 828 "C:\Windows\SysWOW64\sajcfcw.exe"
        72⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\sphiwkz.exe
        
        C:\Windows\system32\sphiwkz.exe 804 "C:\Windows\SysWOW64\fymfnkb.exe"
        73⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cdhxusm.exe
        
        C:\Windows\system32\cdhxusm.exe 816 "C:\Windows\SysWOW64\sphiwkz.exe"
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\pqrnawl.exe
        
        C:\Windows\system32\pqrnawl.exe 836 "C:\Windows\SysWOW64\cdhxusm.exe"
        75⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\csfclap.exe
        
        C:\Windows\system32\csfclap.exe 844 "C:\Windows\SysWOW64\pqrnawl.exe"
        76⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\piafuiv.exe
        
        C:\Windows\system32\piafuiv.exe 820 "C:\Windows\SysWOW64\csfclap.exe"
        77⤵
        
        PID:272
        
        C:\Windows\SysWOW64\chvicqa.exe
        
        C:\Windows\system32\chvicqa.exe 840 "C:\Windows\SysWOW64\piafuiv.exe"
        78⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\mjksqtg.exe
        
        C:\Windows\system32\mjksqtg.exe 832 "C:\Windows\SysWOW64\chvicqa.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\yinvyum.exe
        
        C:\Windows\system32\yinvyum.exe 824 "C:\Windows\SysWOW64\mjksqtg.exe"
        80⤵
        
        PID:944
        
        C:\Windows\SysWOW64\lyixpcs.exe
        
        C:\Windows\system32\lyixpcs.exe 848 "C:\Windows\SysWOW64\yinvyum.exe"
        81⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\vminfjx.exe
        
        C:\Windows\system32\vminfjx.exe 864 "C:\Windows\SysWOW64\lyixpcs.exe"
        82⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\iddpnjc.exe
        
        C:\Windows\system32\iddpnjc.exe 856 "C:\Windows\SysWOW64\vminfjx.exe"
        83⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\vqvftnb.exe
        
        C:\Windows\system32\vqvftnb.exe 860 "C:\Windows\SysWOW64\iddpnjc.exe"
        84⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\fxzlemj.exe
        
        C:\Windows\system32\fxzlemj.exe 852 "C:\Windows\SysWOW64\vqvftnb.exe"
        85⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\pdzactw.exe
        
        C:\Windows\system32\pdzactw.exe 880 "C:\Windows\SysWOW64\fxzlemj.exe"
        86⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\ccudkcb.exe
        
        C:\Windows\system32\ccudkcb.exe 872 "C:\Windows\SysWOW64\pdzactw.exe"
        87⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\psxftcz.exe
        
        C:\Windows\system32\psxftcz.exe 888 "C:\Windows\SysWOW64\ccudkcb.exe"
        88⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\crsibke.exe
        
        C:\Windows\system32\crsibke.exe 876 "C:\Windows\SysWOW64\psxftcz.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Windows\SysWOW64\phnlksk.exe
        
        C:\Windows\system32\phnlksk.exe 868 "C:\Windows\SysWOW64\crsibke.exe"
        90⤵
        
        PID:976
        
        C:\Windows\SysWOW64\yvniisx.exe
        
        C:\Windows\system32\yvniisx.exe 884 "C:\Windows\SysWOW64\phnlksk.exe"
        91⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\lifyovw.exe
        
        C:\Windows\system32\lifyovw.exe 904 "C:\Windows\SysWOW64\yvniisx.exe"
        92⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\vluibzc.exe
        
        C:\Windows\system32\vluibzc.exe 896 "C:\Windows\SysWOW64\lifyovw.exe"
        93⤵
        
        PID:660
        
        C:\Windows\SysWOW64\inaqnlg.exe
        
        C:\Windows\system32\inaqnlg.exe 916 "C:\Windows\SysWOW64\vluibzc.exe"
        94⤵
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\vdvtvlm.exe
        
        C:\Windows\system32\vdvtvlm.exe 892 "C:\Windows\SysWOW64\inaqnlg.exe"
        95⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\iynqbpl.exe
        
        C:\Windows\system32\iynqbpl.exe 928 "C:\Windows\SysWOW64\vdvtvlm.exe"
        96⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\vstyubx.exe
        
        C:\Windows\system32\vstyubx.exe 908 "C:\Windows\SysWOW64\iynqbpl.exe"
        97⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\frfvfax.exe
        
        C:\Windows\system32\frfvfax.exe 932 "C:\Windows\SysWOW64\vstyubx.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\rtllqfj.exe
        
        C:\Windows\system32\rtllqfj.exe 912 "C:\Windows\SysWOW64\frfvfax.exe"
        99⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\esgozng.exe
        
        C:\Windows\system32\esgozng.exe 936 "C:\Windows\SysWOW64\rtllqfj.exe"
        100⤵
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\riaqhvm.exe
        
        C:\Windows\system32\riaqhvm.exe 900 "C:\Windows\SysWOW64\esgozng.exe"
        101⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\bwbofvz.exe
        
        C:\Windows\system32\bwbofvz.exe 920 "C:\Windows\SysWOW64\riaqhvm.exe"
        102⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\onwiodf.exe
        
        C:\Windows\system32\onwiodf.exe 924 "C:\Windows\SysWOW64\bwbofvz.exe"
        103⤵
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\blzlxlc.exe
        
        C:\Windows\system32\blzlxlc.exe 940 "C:\Windows\SysWOW64\onwiodf.exe"
        104⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\octofli.exe
        
        C:\Windows\system32\octofli.exe 948 "C:\Windows\SysWOW64\blzlxlc.exe"
        105⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\bsorotn.exe
        
        C:\Windows\system32\bsorotn.exe 952 "C:\Windows\SysWOW64\octofli.exe"
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\kgpombs.exe
        
        C:\Windows\system32\kgpombs.exe 944 "C:\Windows\SysWOW64\bsorotn.exe"
        107⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\xtgesez.exe
        
        C:\Windows\system32\xtgesez.exe 964 "C:\Windows\SysWOW64\kgpombs.exe"
        108⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\kvmtdje.exe
        
        C:\Windows\system32\kvmtdje.exe 956 "C:\Windows\SysWOW64\xtgesez.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2972
        
        C:\Windows\SysWOW64\uyceqmk.exe
        
        C:\Windows\system32\uyceqmk.exe 968 "C:\Windows\SysWOW64\kvmtdje.exe"
        110⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\hxxgzup.exe
        
        C:\Windows\system32\hxxgzup.exe 972 "C:\Windows\SysWOW64\uyceqmk.exe"
        111⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\ukowfyo.exe
        
        C:\Windows\system32\ukowfyo.exe 960 "C:\Windows\SysWOW64\hxxgzup.exe"
        112⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\eypldyb.exe
        
        C:\Windows\system32\eypldyb.exe 976 "C:\Windows\SysWOW64\ukowfyo.exe"
        113⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\rlgjjba.exe
        
        C:\Windows\system32\rlgjjba.exe 992 "C:\Windows\SysWOW64\eypldyb.exe"
        114⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\ywfoyvi.exe
        
        C:\Windows\system32\ywfoyvi.exe 980 "C:\Windows\SysWOW64\rlgjjba.exe"
        115⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\ljpedzp.exe
        
        C:\Windows\system32\ljpedzp.exe 984 "C:\Windows\SysWOW64\ywfoyvi.exe"
        116⤵
        
        PID:888
        
        C:\Windows\SysWOW64\yhrhuhn.exe
        
        C:\Windows\system32\yhrhuhn.exe 996 "C:\Windows\SysWOW64\ljpedzp.exe"
        117⤵
        Drops file in System32 directory
        
        PID:372
        
        C:\Windows\SysWOW64\ikhrhkb.exe
        
        C:\Windows\system32\ikhrhkb.exe 1012 "C:\Windows\SysWOW64\yhrhuhn.exe"
        118⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\vicuqkz.exe
        
        C:\Windows\system32\vicuqkz.exe 1000 "C:\Windows\SysWOW64\ikhrhkb.exe"
        119⤵
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\xlrednn.exe
        
        C:\Windows\system32\xlrednn.exe 1020 "C:\Windows\SysWOW64\vicuqkz.exe"
        120⤵
        
        PID:376
        
        C:\Windows\SysWOW64\kyjujrm.exe
        
        C:\Windows\system32\kyjujrm.exe 988 "C:\Windows\SysWOW64\xlrednn.exe"
        121⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\umjjhzz.exe
        
        C:\Windows\system32\umjjhzz.exe 1028 "C:\Windows\SysWOW64\kyjujrm.exe"
        122⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\hzthnvy.exe
        
        C:\Windows\system32\hzthnvy.exe 1008 "C:\Windows\SysWOW64\umjjhzz.exe"
        123⤵
        
        PID:444
        
        C:\Windows\SysWOW64\uywkvdd.exe
        
        C:\Windows\system32\uywkvdd.exe 1040 "C:\Windows\SysWOW64\hzthnvy.exe"
        124⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\dewzlki.exe
        
        C:\Windows\system32\dewzlki.exe 1032 "C:\Windows\SysWOW64\uywkvdd.exe"
        125⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\qcrccso.exe
        
        C:\Windows\system32\qcrccso.exe 1052 "C:\Windows\SysWOW64\dewzlki.exe"
        126⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\dtmeltt.exe
        
        C:\Windows\system32\dtmeltt.exe 1016 "C:\Windows\SysWOW64\qcrccso.exe"
        127⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\qrphtbz.exe
        
        C:\Windows\system32\qrphtbz.exe 1044 "C:\Windows\SysWOW64\dtmeltt.exe"
        128⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\dijkcjw.exe
        
        C:\Windows\system32\dijkcjw.exe 1004 "C:\Windows\SysWOW64\qrphtbz.exe"
        129⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\nwkhsik.exe
        
        C:\Windows\system32\nwkhsik.exe 1064 "C:\Windows\SysWOW64\dijkcjw.exe"
        130⤵
        
        PID:480
        
        C:\Windows\SysWOW64\ajcxymi.exe
        
        C:\Windows\system32\ajcxymi.exe 1036 "C:\Windows\SysWOW64\nwkhsik.exe"
        131⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\nzwaguo.exe
        
        C:\Windows\system32\nzwaguo.exe 1076 "C:\Windows\SysWOW64\ajcxymi.exe"
        132⤵
        
        PID:772
        
        C:\Windows\SysWOW64\wnxpecb.exe
        
        C:\Windows\system32\wnxpecb.exe 1056 "C:\Windows\SysWOW64\nzwaguo.exe"
        133⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\gmbupbi.exe
        
        C:\Windows\system32\gmbupbi.exe 1060 "C:\Windows\SysWOW64\wnxpecb.exe"
        134⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\tlwpxbg.exe
        
        C:\Windows\system32\tlwpxbg.exe 1048 "C:\Windows\SysWOW64\gmbupbi.exe"
        135⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\gyondfn.exe
        
        C:\Windows\system32\gyondfn.exe 1080 "C:\Windows\SysWOW64\tlwpxbg.exe"
        136⤵
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\tauuorr.exe
        
        C:\Windows\system32\tauuorr.exe 1072 "C:\Windows\SysWOW64\gyondfn.exe"
        137⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\alsallz.exe
        
        C:\Windows\system32\alsallz.exe 1068 "C:\Windows\SysWOW64\tauuorr.exe"
        138⤵
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\nykxrhy.exe
        
        C:\Windows\system32\nykxrhy.exe 1084 "C:\Windows\SysWOW64\alsallz.exe"
        139⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\xjzinkn.exe
        
        C:\Windows\system32\xjzinkn.exe 1104 "C:\Windows\SysWOW64\nykxrhy.exe"
        140⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\kzucvsk.exe
        
        C:\Windows\system32\kzucvsk.exe 1092 "C:\Windows\SysWOW64\xjzinkn.exe"
        141⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\xqxfeaq.exe
        
        C:\Windows\system32\xqxfeaq.exe 1100 "C:\Windows\SysWOW64\kzucvsk.exe"
        142⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\kosimav.exe
        
        C:\Windows\system32\kosimav.exe 1088 "C:\Windows\SysWOW64\xqxfeaq.exe"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\urhsadc.exe
        
        C:\Windows\system32\urhsadc.exe 1096 "C:\Windows\SysWOW64\kosimav.exe"
        144⤵
        Drops file in System32 directory
        
        PID:528
        
        C:\Windows\SysWOW64\ebwcvgi.exe
        
        C:\Windows\system32\ebwcvgi.exe 1112 "C:\Windows\SysWOW64\urhsadc.exe"
        145⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\ugfxrun.exe
        
        C:\Windows\system32\ugfxrun.exe 1108 "C:\Windows\SysWOW64\ebwcvgi.exe"
        146⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\equimpt.exe
        
        C:\Windows\system32\equimpt.exe 1120 "C:\Windows\SysWOW64\ugfxrun.exe"
        147⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\rhplvxy.exe
        
        C:\Windows\system32\rhplvxy.exe 1124 "C:\Windows\SysWOW64\equimpt.exe"
        148⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\dxsndfw.exe
        
        C:\Windows\system32\dxsndfw.exe 1140 "C:\Windows\SysWOW64\rhplvxy.exe"
        149⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\nlsdtnj.exe
        
        C:\Windows\system32\nlsdtnj.exe 1128 "C:\Windows\SysWOW64\dxsndfw.exe"
        150⤵
        
        PID:556
        
        C:\Windows\SysWOW64\aknfknp.exe
        
        C:\Windows\system32\aknfknp.exe 1132 "C:\Windows\SysWOW64\nlsdtnj.exe"
        151⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\naiisvm.exe
        
        C:\Windows\system32\naiisvm.exe 1148 "C:\Windows\SysWOW64\aknfknp.exe"
        152⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\arllbds.exe
        
        C:\Windows\system32\arllbds.exe 1136 "C:\Windows\SysWOW64\naiisvm.exe"
        153⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\kcavogg.exe
        
        C:\Windows\system32\kcavogg.exe 1156 "C:\Windows\SysWOW64\arllbds.exe"
        154⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\weglalk.exe
        
        C:\Windows\system32\weglalk.exe 1116 "C:\Windows\SysWOW64\kcavogg.exe"
        155⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\jubniti.exe
        
        C:\Windows\system32\jubniti.exe 1144 "C:\Windows\SysWOW64\weglalk.exe"
        156⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\xhsdoxp.exe
        
        C:\Windows\system32\xhsdoxp.exe 1160 "C:\Windows\SysWOW64\jubniti.exe"
        157⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\jjztibt.exe
        
        C:\Windows\system32\jjztibt.exe 1172 "C:\Windows\SysWOW64\xhsdoxp.exe"
        158⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\watvqjz.exe
        
        C:\Windows\system32\watvqjz.exe 1152 "C:\Windows\SysWOW64\jjztibt.exe"
        159⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\goulgre.exe
        
        C:\Windows\system32\goulgre.exe 1184 "C:\Windows\SysWOW64\watvqjz.exe"
        160⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\tbmbmnl.exe
        
        C:\Windows\system32\tbmbmnl.exe 1164 "C:\Windows\SysWOW64\goulgre.exe"
        161⤵
        
        PID:680
        
        C:\Windows\SysWOW64\gzgdvvi.exe
        
        C:\Windows\system32\gzgdvvi.exe 1168 "C:\Windows\SysWOW64\tbmbmnl.exe"
        162⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\stmtghu.exe
        
        C:\Windows\system32\stmtghu.exe 1176 "C:\Windows\SysWOW64\gzgdvvi.exe"
        163⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\cecdbcb.exe
        
        C:\Windows\system32\cecdbcb.exe 1180 "C:\Windows\SysWOW64\stmtghu.exe"
        164⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\pyitnpf.exe
        
        C:\Windows\system32\pyitnpf.exe 1208 "C:\Windows\SysWOW64\cecdbcb.exe"
        165⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cwlwvxl.exe
        
        C:\Windows\system32\cwlwvxl.exe 1188 "C:\Windows\SysWOW64\pyitnpf.exe"
        166⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\pnfqexq.exe
        
        C:\Windows\system32\pnfqexq.exe 1196 "C:\Windows\SysWOW64\cwlwvxl.exe"
        167⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\ulatmfo.exe
        
        C:\Windows\system32\ulatmfo.exe 1216 "C:\Windows\SysWOW64\pnfqexq.exe"
        168⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\hcdwvnt.exe
        
        C:\Windows\system32\hcdwvnt.exe 1192 "C:\Windows\SysWOW64\ulatmfo.exe"
        169⤵
        Drops file in System32 directory
        
        PID:284
        
        C:\Windows\SysWOW64\qqwttvg.exe
        
        C:\Windows\system32\qqwttvg.exe 1224 "C:\Windows\SysWOW64\hcdwvnt.exe"
        170⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\dgzwcvm.exe
        
        C:\Windows\system32\dgzwcvm.exe 1200 "C:\Windows\SysWOW64\qqwttvg.exe"
        171⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\qtimhzl.exe
        
        C:\Windows\system32\qtimhzl.exe 1228 "C:\Windows\SysWOW64\dgzwcvm.exe"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\dsloqhi.exe
        
        C:\Windows\system32\dsloqhi.exe 1204 "C:\Windows\SysWOW64\qtimhzl.exe"
        173⤵
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\ngmmggv.exe
        
        C:\Windows\system32\ngmmggv.exe 1248 "C:\Windows\SysWOW64\dsloqhi.exe"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\awgoppb.exe
        
        C:\Windows\system32\awgoppb.exe 1220 "C:\Windows\SysWOW64\ngmmggv.exe"
        175⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\njyedsa.exe
        
        C:\Windows\system32\njyedsa.exe 1232 "C:\Windows\SysWOW64\awgoppb.exe"
        176⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:280
        
        C:\Windows\SysWOW64\alemoxe.exe
        
        C:\Windows\system32\alemoxe.exe 1236 "C:\Windows\SysWOW64\njyedsa.exe"
        177⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\nczoxfk.exe
        
        C:\Windows\system32\nczoxfk.exe 1244 "C:\Windows\SysWOW64\alemoxe.exe"
        178⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\wqzmnnx.exe
        
        C:\Windows\system32\wqzmnnx.exe 1240 "C:\Windows\SysWOW64\nczoxfk.exe"
        179⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\jguovvc.exe
        
        C:\Windows\system32\jguovvc.exe 1252 "C:\Windows\SysWOW64\wqzmnnx.exe"
        180⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\wfpreva.exe
        
        C:\Windows\system32\wfpreva.exe 1212 "C:\Windows\SysWOW64\jguovvc.exe"
        181⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\gebowuh.exe
        
        C:\Windows\system32\gebowuh.exe 1268 "C:\Windows\SysWOW64\wfpreva.exe"
        182⤵
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\tuwrfcn.exe
        
        C:\Windows\system32\tuwrfcn.exe 1264 "C:\Windows\SysWOW64\gebowuh.exe"
        183⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\dflcsft.exe
        
        C:\Windows\system32\dflcsft.exe 1292 "C:\Windows\SysWOW64\tuwrfcn.exe"
        184⤵
        
        PID:984
        
        C:\Windows\SysWOW64\qhrrdjy.exe
        
        C:\Windows\system32\qhrrdjy.exe 1260 "C:\Windows\SysWOW64\dflcsft.exe"
        185⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\agdpwif.exe
        
        C:\Windows\system32\agdpwif.exe 1272 "C:\Windows\SysWOW64\qhrrdjy.exe"
        186⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\ntnecme.exe
        
        C:\Windows\system32\ntnecme.exe 1256 "C:\Windows\SysWOW64\agdpwif.exe"
        187⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\akqhkuj.exe
        
        C:\Windows\system32\akqhkuj.exe 1288 "C:\Windows\SysWOW64\ntnecme.exe"
        188⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\kyqwacx.exe
        
        C:\Windows\system32\kyqwacx.exe 1284 "C:\Windows\SysWOW64\akqhkuj.exe"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
        
        C:\Windows\SysWOW64\utjpqwx.exe
        
        C:\Windows\system32\utjpqwx.exe 1276 "C:\Windows\SysWOW64\kyqwacx.exe"
        190⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\hvpfbbc.exe
        
        C:\Windows\system32\hvpfbbc.exe 1280 "C:\Windows\SysWOW64\utjpqwx.exe"
        191⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\umszkjh.exe
        
        C:\Windows\system32\umszkjh.exe 1304 "C:\Windows\SysWOW64\hvpfbbc.exe"
        192⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\gknctrn.exe
        
        C:\Windows\system32\gknctrn.exe 1308 "C:\Windows\SysWOW64\umszkjh.exe"
        193⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\tbifbrs.exe
        
        C:\Windows\system32\tbifbrs.exe 1296 "C:\Windows\SysWOW64\gknctrn.exe"
        194⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\dlfpouz.exe
        
        C:\Windows\system32\dlfpouz.exe 1312 "C:\Windows\SysWOW64\tbifbrs.exe"
        195⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\qcasfce.exe
        
        C:\Windows\system32\qcasfce.exe 1316 "C:\Windows\SysWOW64\dlfpouz.exe"
        196⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\deghqhi.exe
        
        C:\Windows\system32\deghqhi.exe 1320 "C:\Windows\SysWOW64\qcasfce.exe"
        197⤵
        
        PID:752
        
        C:\Windows\SysWOW64\nhvsekp.exe
        
        C:\Windows\system32\nhvsekp.exe 1324 "C:\Windows\SysWOW64\deghqhi.exe"
        198⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\dlenixm.exe
        
        C:\Windows\system32\dlenixm.exe 1328 "C:\Windows\SysWOW64\nhvsekp.exe"
        199⤵
        
        PID:852
        
        C:\Windows\SysWOW64\nwtxvaa.exe
        
        C:\Windows\system32\nwtxvaa.exe 1332 "C:\Windows\SysWOW64\dlenixm.exe"
        200⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\zmoadbx.exe
        
        C:\Windows\system32\zmoadbx.exe 1300 "C:\Windows\SysWOW64\nwtxvaa.exe"
        201⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\mouhpnc.exe
        
        C:\Windows\system32\mouhpnc.exe 1336 "C:\Windows\SysWOW64\zmoadbx.exe"
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:744
        
        C:\Windows\SysWOW64\zfpkfvh.exe
        
        C:\Windows\system32\zfpkfvh.exe 1344 "C:\Windows\SysWOW64\mouhpnc.exe"
        203⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\mdsnovn.exe
        
        C:\Windows\system32\mdsnovn.exe 1356 "C:\Windows\SysWOW64\zfpkfvh.exe"
        204⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\wrskeda.exe
        
        C:\Windows\system32\wrskeda.exe 1340 "C:\Windows\SysWOW64\mdsnovn.exe"
        205⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\jinnnly.exe
        
        C:\Windows\system32\jinnnly.exe 1352 "C:\Windows\SysWOW64\wrskeda.exe"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\wvfdshe.exe
        
        C:\Windows\system32\wvfdshe.exe 1360 "C:\Windows\SysWOW64\jinnnly.exe"
        207⤵
        
        PID:624
        
        C:\Windows\SysWOW64\fjxsroj.exe
        
        C:\Windows\system32\fjxsroj.exe 1348 "C:\Windows\SysWOW64\wvfdshe.exe"
        208⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\vnfnnbo.exe
        
        C:\Windows\system32\vnfnnbo.exe 1368 "C:\Windows\SysWOW64\fjxsroj.exe"
        209⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\fbgklbt.exe
        
        C:\Windows\system32\fbgklbt.exe 1380 "C:\Windows\SysWOW64\vnfnnbo.exe"
        210⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\ssbntjz.exe
        
        C:\Windows\system32\ssbntjz.exe 1364 "C:\Windows\SysWOW64\fbgklbt.exe"
        211⤵
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\cznkeig.exe
        
        C:\Windows\system32\cznkeig.exe 1388 "C:\Windows\SysWOW64\ssbntjz.exe"
        212⤵
        Drops file in System32 directory
        
        PID:3068
        
        C:\Windows\SysWOW64\pmxajmf.exe
        
        C:\Windows\system32\pmxajmf.exe 1372 "C:\Windows\SysWOW64\cznkeig.exe"
        213⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\zomlfpm.exe
        
        C:\Windows\system32\zomlfpm.exe 1392 "C:\Windows\SysWOW64\pmxajmf.exe"
        214⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\mnpnnpr.exe
        
        C:\Windows\system32\mnpnnpr.exe 1376 "C:\Windows\SysWOW64\zomlfpm.exe"
        215⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\wpeyasx.exe
        
        C:\Windows\system32\wpeyasx.exe 1404 "C:\Windows\SysWOW64\mnpnnpr.exe"
        216⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\arknmfk.exe
        
        C:\Windows\system32\arknmfk.exe 1384 "C:\Windows\SysWOW64\wpeyasx.exe"
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
        
        C:\Windows\SysWOW64\oecdsii.exe
        
        C:\Windows\system32\oecdsii.exe 1408 "C:\Windows\SysWOW64\arknmfk.exe"
        218⤵
        Drops file in System32 directory
        
        PID:2720
        
        C:\Windows\SysWOW64\bvxgijo.exe
        
        C:\Windows\system32\bvxgijo.exe 1396 "C:\Windows\SysWOW64\oecdsii.exe"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\kjxdyqt.exe
        
        C:\Windows\system32\kjxdyqt.exe 1400 "C:\Windows\SysWOW64\bvxgijo.exe"
        220⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\xisyhyz.exe
        
        C:\Windows\system32\xisyhyz.exe 1412 "C:\Windows\SysWOW64\kjxdyqt.exe"
        221⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\kynapye.exe
        
        C:\Windows\system32\kynapye.exe 1420 "C:\Windows\SysWOW64\xisyhyz.exe"
        222⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\xpqdygk.exe
        
        C:\Windows\system32\xpqdygk.exe 1416 "C:\Windows\SysWOW64\kynapye.exe"
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\knkghph.exe
        
        C:\Windows\system32\knkghph.exe 1424 "C:\Windows\SysWOW64\xpqdygk.exe"
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\ubldfwu.exe
        
        C:\Windows\system32\ubldfwu.exe 1432 "C:\Windows\SysWOW64\knkghph.exe"
        225⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\gsggnwa.exe
        
        C:\Windows\system32\gsggnwa.exe 1452 "C:\Windows\SysWOW64\ubldfwu.exe"
        226⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\tijjweg.exe
        
        C:\Windows\system32\tijjweg.exe 1428 "C:\Windows\SysWOW64\gsggnwa.exe"
        227⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\ghdlfnd.exe
        
        C:\Windows\system32\ghdlfnd.exe 1436 "C:\Windows\SysWOW64\tijjweg.exe"
        228⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\txyonnj.exe
        
        C:\Windows\system32\txyonnj.exe 1440 "C:\Windows\SysWOW64\ghdlfnd.exe"
        229⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\dwklgmq.exe
        
        C:\Windows\system32\dwklgmq.exe 1460 "C:\Windows\SysWOW64\txyonnj.exe"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Windows\SysWOW64\nklbwtd.exe
        
        C:\Windows\system32\nklbwtd.exe 1444 "C:\Windows\SysWOW64\dwklgmq.exe"
        231⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\ajgdebb.exe
        
        C:\Windows\system32\ajgdebb.exe 1468 "C:\Windows\SysWOW64\nklbwtd.exe"
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\nzbgnbg.exe
        
        C:\Windows\system32\nzbgnbg.exe 1448 "C:\Windows\SysWOW64\ajgdebb.exe"
        233⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\xcqrien.exe
        
        C:\Windows\system32\xcqrien.exe 1456 "C:\Windows\SysWOW64\nzbgnbg.exe"
        234⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\kattrns.exe
        
        C:\Windows\system32\kattrns.exe 1464 "C:\Windows\SysWOW64\xcqrien.exe"
        235⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\uzxrbla.exe
        
        C:\Windows\system32\uzxrbla.exe 1472 "C:\Windows\SysWOW64\kattrns.exe"
        236⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\hmoghpz.exe
        
        C:\Windows\system32\hmoghpz.exe 1480 "C:\Windows\SysWOW64\uzxrbla.exe"
        237⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\rbpexpm.exe
        
        C:\Windows\system32\rbpexpm.exe 1476 "C:\Windows\SysWOW64\hmoghpz.exe"
        238⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\drkgnxj.exe
        
        C:\Windows\system32\drkgnxj.exe 1488 "C:\Windows\SysWOW64\rbpexpm.exe"
        239⤵
        
        PID:600
        
        C:\Windows\SysWOW64\oyoeywr.exe
        
        C:\Windows\system32\oyoeywr.exe 1508 "C:\Windows\SysWOW64\drkgnxj.exe"
        240⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\blguezq.exe
        
        C:\Windows\system32\blguezq.exe 1484 "C:\Windows\SysWOW64\oyoeywr.exe"
        241⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\kzgruhd.exe
        
        C:\Windows\system32\kzgruhd.exe 1504 "C:\Windows\SysWOW64\blguezq.exe"
        242⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\vykomgk.exe
        
        C:\Windows\system32\vykomgk.exe 1492 "C:\Windows\SysWOW64\kzgruhd.exe"
        243⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\hpnrvgq.exe
        
        C:\Windows\system32\hpnrvgq.exe 1512 "C:\Windows\SysWOW64\vykomgk.exe"
        244⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\uniudon.exe
        
        C:\Windows\system32\uniudon.exe 1520 "C:\Windows\SysWOW64\hpnrvgq.exe"
        245⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\eqxerrc.exe
        
        C:\Windows\system32\eqxerrc.exe 1516 "C:\Windows\SysWOW64\uniudon.exe"
        246⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\ucgzvwy.exe
        
        C:\Windows\system32\ucgzvwy.exe 1500 "C:\Windows\SysWOW64\eqxerrc.exe"
        247⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\eiywtem.exe
        
        C:\Windows\system32\eiywtem.exe 1524 "C:\Windows\SysWOW64\ucgzvwy.exe"
        248⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\rhbrbmj.exe
        
        C:\Windows\system32\rhbrbmj.exe 1496 "C:\Windows\SysWOW64\eiywtem.exe"
        249⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\eulphqq.exe
        
        C:\Windows\system32\eulphqq.exe 1548 "C:\Windows\SysWOW64\rhbrbmj.exe"
        250⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\rorxsuu.exe
        
        C:\Windows\system32\rorxsuu.exe 1528 "C:\Windows\SysWOW64\eulphqq.exe"
        251⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\ayohgxa.exe
        
        C:\Windows\system32\ayohgxa.exe 1540 "C:\Windows\SysWOW64\rorxsuu.exe"
        252⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\nauxrkf.exe
        
        C:\Windows\system32\nauxrkf.exe 1544 "C:\Windows\SysWOW64\ayohgxa.exe"
        253⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\arpzakk.exe
        
        C:\Windows\system32\arpzakk.exe 1568 "C:\Windows\SysWOW64\nauxrkf.exe"
        254⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\nhkcqsq.exe
        
        C:\Windows\system32\nhkcqsq.exe 1536 "C:\Windows\SysWOW64\arpzakk.exe"
        255⤵
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\xszmdvw.exe
        
        C:\Windows\system32\xszmdvw.exe 1560 "C:\Windows\SysWOW64\nhkcqsq.exe"
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\nwhhhat.exe
        
        C:\Windows\system32\nwhhhat.exe 1552 "C:\Windows\SysWOW64\xszmdvw.exe"
        257⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\xhxsveh.exe
        
        C:\Windows\system32\xhxsveh.exe 1576 "C:\Windows\SysWOW64\nwhhhat.exe"
        258⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\kysmdmf.exe
        
        C:\Windows\system32\kysmdmf.exe 1564 "C:\Windows\SysWOW64\xhxsveh.exe"
        259⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\xwupmmk.exe
        
        C:\Windows\system32\xwupmmk.exe 1532 "C:\Windows\SysWOW64\kysmdmf.exe"
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\gzkzhpr.exe
        
        C:\Windows\system32\gzkzhpr.exe 1556 "C:\Windows\SysWOW64\xwupmmk.exe"
        261⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\qjzkusf.exe
        
        C:\Windows\system32\qjzkusf.exe 1580 "C:\Windows\SysWOW64\gzkzhpr.exe"
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:1792
        
        C:\Windows\SysWOW64\daundad.exe
        
        C:\Windows\system32\daundad.exe 1572 "C:\Windows\SysWOW64\qjzkusf.exe"
        263⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\qqxpmii.exe
        
        C:\Windows\system32\qqxpmii.exe 1592 "C:\Windows\SysWOW64\daundad.exe"
        264⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\sbmahep.exe
        
        C:\Windows\system32\sbmahep.exe 1584 "C:\Windows\SysWOW64\qqxpmii.exe"
        265⤵
        
        PID:568
        
        C:\Windows\SysWOW64\foepnhv.exe
        
        C:\Windows\system32\foepnhv.exe 1600 "C:\Windows\SysWOW64\sbmahep.exe"
        266⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\seysvqt.exe
        
        C:\Windows\system32\seysvqt.exe 1588 "C:\Windows\SysWOW64\foepnhv.exe"
        267⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cpocith.exe
        
        C:\Windows\system32\cpocith.exe 1604 "C:\Windows\SysWOW64\seysvqt.exe"
        268⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\pfjfrtf.exe
        
        C:\Windows\system32\pfjfrtf.exe 1596 "C:\Windows\SysWOW64\cpocith.exe"
        269⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\chpvcfj.exe
        
        C:\Windows\system32\chpvcfj.exe 1608 "C:\Windows\SysWOW64\pfjfrtf.exe"
        270⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\pyrxtop.exe
        
        C:\Windows\system32\pyrxtop.exe 1616 "C:\Windows\SysWOW64\chpvcfj.exe"
        271⤵
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\bwmscou.exe
        
        C:\Windows\system32\bwmscou.exe 1624 "C:\Windows\SysWOW64\pyrxtop.exe"
        272⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\lknqsvh.exe
        
        C:\Windows\system32\lknqsvh.exe 1612 "C:\Windows\SysWOW64\bwmscou.exe"
        273⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\ybisadf.exe
        
        C:\Windows\system32\ybisadf.exe 1636 "C:\Windows\SysWOW64\lknqsvh.exe"
        274⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\lrlvjlk.exe
        
        C:\Windows\system32\lrlvjlk.exe 1620 "C:\Windows\SysWOW64\ybisadf.exe"
        275⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\yqfysmq.exe
        
        C:\Windows\system32\yqfysmq.exe 1632 "C:\Windows\SysWOW64\lrlvjlk.exe"
        276⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\itvinpw.exe
        
        C:\Windows\system32\itvinpw.exe 1628 "C:\Windows\SysWOW64\yqfysmq.exe"
        277⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\uvbqybb.exe
        
        C:\Windows\system32\uvbqybb.exe 1652 "C:\Windows\SysWOW64\itvinpw.exe"
        278⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\iisnexh.exe
        
        C:\Windows\system32\iisnexh.exe 1640 "C:\Windows\SysWOW64\uvbqybb.exe"
        279⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\rsiyrao.exe
        
        C:\Windows\system32\rsiyrao.exe 1644 "C:\Windows\SysWOW64\iisnexh.exe"
        280⤵
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\ejdsait.exe
        
        C:\Windows\system32\ejdsait.exe 1648 "C:\Windows\SysWOW64\rsiyrao.exe"
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\rhfvqqr.exe
        
        C:\Windows\system32\rhfvqqr.exe 1660 "C:\Windows\SysWOW64\ejdsait.exe"
        282⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\bkvgeuf.exe
        
        C:\Windows\system32\bkvgeuf.exe 1656 "C:\Windows\SysWOW64\rhfvqqr.exe"
        283⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\oaqimud.exe
        
        C:\Windows\system32\oaqimud.exe 1676 "C:\Windows\SysWOW64\bkvgeuf.exe"
        284⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\ylftzxr.exe
        
        C:\Windows\system32\ylftzxr.exe 1668 "C:\Windows\SysWOW64\oaqimud.exe"
        285⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\lbivifp.exe
        
        C:\Windows\system32\lbivifp.exe 1672 "C:\Windows\SysWOW64\ylftzxr.exe"
        286⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\yorlwbv.exe
        
        C:\Windows\system32\yorlwbv.exe 1680 "C:\Windows\SysWOW64\lbivifp.exe"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\izhvjec.exe
        
        C:\Windows\system32\izhvjec.exe 1688 "C:\Windows\SysWOW64\yorlwbv.exe"
        288⤵
        
        PID:268
        
        C:\Windows\SysWOW64\vpjysmh.exe
        
        C:\Windows\system32\vpjysmh.exe 1664 "C:\Windows\SysWOW64\izhvjec.exe"
        289⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\ioebauf.exe
        
        C:\Windows\system32\ioebauf.exe 1692 "C:\Windows\SysWOW64\vpjysmh.exe"
        290⤵
        
        PID:796
        
        C:\Windows\SysWOW64\rcfyycs.exe
        
        C:\Windows\system32\rcfyycs.exe 1684 "C:\Windows\SysWOW64\ioebauf.exe"
        291⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\fpooeyr.exe
        
        C:\Windows\system32\fpooeyr.exe 1696 "C:\Windows\SysWOW64\rcfyycs.exe"
        292⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\osmyrbf.exe
        
        C:\Windows\system32\osmyrbf.exe 1700 "C:\Windows\SysWOW64\fpooeyr.exe"
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\cfvoxfe.exe
        
        C:\Windows\system32\cfvoxfe.exe 1712 "C:\Windows\SysWOW64\osmyrbf.exe"
        294⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\ohbejji.exe
        
        C:\Windows\system32\ohbejji.exe 1708 "C:\Windows\SysWOW64\cfvoxfe.exe"
        295⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\yrroemo.exe
        
        C:\Windows\system32\yrroemo.exe 1704 "C:\Windows\SysWOW64\ohbejji.exe"
        296⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\llxwpzb.exe
        
        C:\Windows\system32\llxwpzb.exe 1720 "C:\Windows\SysWOW64\yrroemo.exe"
        297⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\yyolvcz.exe
        
        C:\Windows\system32\yyolvcz.exe 1724 "C:\Windows\SysWOW64\llxwpzb.exe"
        298⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\laubghe.exe
        
        C:\Windows\system32\laubghe.exe 1716 "C:\Windows\SysWOW64\yyolvcz.exe"
        299⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\yrpeppj.exe
        
        C:\Windows\system32\yrpeppj.exe 1740 "C:\Windows\SysWOW64\laubghe.exe"
        300⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\hbnocsq.exe
        
        C:\Windows\system32\hbnocsq.exe 1744 "C:\Windows\SysWOW64\yrpeppj.exe"
        301⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\ushrlav.exe
        
        C:\Windows\system32\ushrlav.exe 1728 "C:\Windows\SysWOW64\hbnocsq.exe"
        302⤵
        
        PID:576
        
        C:\Windows\SysWOW64\hqcubbt.exe
        
        C:\Windows\system32\hqcubbt.exe 1732 "C:\Windows\SysWOW64\ushrlav.exe"
        303⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\rpormza.exe
        
        C:\Windows\system32\rpormza.exe 1736 "C:\Windows\SysWOW64\hqcubbt.exe"
        304⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\egjuuig.exe
        
        C:\Windows\system32\egjuuig.exe 1748 "C:\Windows\SysWOW64\rpormza.exe"
        305⤵
        
        PID:316
        
        C:\Windows\SysWOW64\oqzeilm.exe
        
        C:\Windows\system32\oqzeilm.exe 1764 "C:\Windows\SysWOW64\egjuuig.exe"
        306⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\bhthyls.exe
        
        C:\Windows\system32\bhthyls.exe 1752 "C:\Windows\SysWOW64\oqzeilm.exe"
        307⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\lsrrmoy.exe
        
        C:\Windows\system32\lsrrmoy.exe 1756 "C:\Windows\SysWOW64\bhthyls.exe"
        308⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\yimmuwe.exe
        
        C:\Windows\system32\yimmuwe.exe 1760 "C:\Windows\SysWOW64\lsrrmoy.exe"
        309⤵
        
        PID:856
        
        C:\Windows\SysWOW64\itbwhzk.exe
        
        C:\Windows\system32\itbwhzk.exe 1772 "C:\Windows\SysWOW64\yimmuwe.exe"
        310⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\vjwzqzp.exe
        
        C:\Windows\system32\vjwzqzp.exe 1776 "C:\Windows\SysWOW64\itbwhzk.exe"
        311⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\iizchiv.exe
        
        C:\Windows\system32\iizchiv.exe 1780 "C:\Windows\SysWOW64\vjwzqzp.exe"
        312⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\kkomulb.exe
        
        C:\Windows\system32\kkomulb.exe 1768 "C:\Windows\SysWOW64\iizchiv.exe"
        313⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\xxfcaoa.exe
        
        C:\Windows\system32\xxfcaoa.exe 1792 "C:\Windows\SysWOW64\kkomulb.exe"
        314⤵
        Drops file in System32 directory
        
        PID:1088
        
        C:\Windows\SysWOW64\jzmrlte.exe
        
        C:\Windows\system32\jzmrlte.exe 1784 "C:\Windows\SysWOW64\xxfcaoa.exe"
        315⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\tcbcgwt.exe
        
        C:\Windows\system32\tcbcgwt.exe 1796 "C:\Windows\SysWOW64\jzmrlte.exe"
        316⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\gawepeq.exe
        
        C:\Windows\system32\gawepeq.exe 1788 "C:\Windows\SysWOW64\tcbcgwt.exe"
        317⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\tnnuvix.exe
        
        C:\Windows\system32\tnnuvix.exe 1812 "C:\Windows\SysWOW64\gawepeq.exe"
        318⤵
        
        PID:616
        
        C:\Windows\SysWOW64\dboslic.exe
        
        C:\Windows\system32\dboslic.exe 1800 "C:\Windows\SysWOW64\tnnuvix.exe"
        319⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\qsjutqi.exe
        
        C:\Windows\system32\qsjutqi.exe 1804 "C:\Windows\SysWOW64\dboslic.exe"
        320⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\diexcyn.exe
        
        C:\Windows\system32\diexcyn.exe 1816 "C:\Windows\SysWOW64\qsjutqi.exe"
        321⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\qhgskgt.exe
        
        C:\Windows\system32\qhgskgt.exe 1828 "C:\Windows\SysWOW64\diexcyn.exe"
        322⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\dxbubgq.exe
        
        C:\Windows\system32\dxbubgq.exe 1808 "C:\Windows\SysWOW64\qhgskgt.exe"
        323⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\qwwxkow.exe
        
        C:\Windows\system32\qwwxkow.exe 1832 "C:\Windows\SysWOW64\dxbubgq.exe"
        324⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\zcxuawj.exe
        
        C:\Windows\system32\zcxuawj.exe 1820 "C:\Windows\SysWOW64\qwwxkow.exe"
        325⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\mxokgsi.exe
        
        C:\Windows\system32\mxokgsi.exe 1840 "C:\Windows\SysWOW64\zcxuawj.exe"
        326⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\waeutvo.exe
        
        C:\Windows\system32\waeutvo.exe 1836 "C:\Windows\SysWOW64\mxokgsi.exe"
        327⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\jnnkhzv.exe
        
        C:\Windows\system32\jnnkhzv.exe 1848 "C:\Windows\SysWOW64\waeutvo.exe"
        328⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\tboixga.exe
        
        C:\Windows\system32\tboixga.exe 1824 "C:\Windows\SysWOW64\jnnkhzv.exe"
        329⤵
        
        PID:264
        
        C:\Windows\SysWOW64\gofxckh.exe
        
        C:\Windows\system32\gofxckh.exe 1844 "C:\Windows\SysWOW64\tboixga.exe"
        330⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\tqlnool.exe
        
        C:\Windows\system32\tqlnool.exe 1852 "C:\Windows\SysWOW64\gofxckh.exe"
        331⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\dsbxjrr.exe
        
        C:\Windows\system32\dsbxjrr.exe 1868 "C:\Windows\SysWOW64\tqlnool.exe"
        332⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\qrwasax.exe
        
        C:\Windows\system32\qrwasax.exe 1860 "C:\Windows\SysWOW64\dsbxjrr.exe"
        333⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\dhydaad.exe
        
        C:\Windows\system32\dhydaad.exe 1876 "C:\Windows\SysWOW64\qrwasax.exe"
        334⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\pjekmmh.exe
        
        C:\Windows\system32\pjekmmh.exe 1856 "C:\Windows\SysWOW64\dhydaad.exe"
        335⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\zijiwlo.exe
        
        C:\Windows\system32\zijiwlo.exe 1880 "C:\Windows\SysWOW64\pjekmmh.exe"
        336⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\nvafcpn.exe
        
        C:\Windows\system32\nvafcpn.exe 1872 "C:\Windows\SysWOW64\zijiwlo.exe"
        337⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\xgpixsu.exe
        
        C:\Windows\system32\xgpixsu.exe 1864 "C:\Windows\SysWOW64\nvafcpn.exe"
        338⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\gifskna.exe
        
        C:\Windows\system32\gifskna.exe 1884 "C:\Windows\SysWOW64\xgpixsu.exe"
        339⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\uvwqqrh.exe
        
        C:\Windows\system32\uvwqqrh.exe 1900 "C:\Windows\SysWOW64\gifskna.exe"
        340⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\gxcycdl.exe
        
        C:\Windows\system32\gxcycdl.exe 1888 "C:\Windows\SysWOW64\uvwqqrh.exe"
        341⤵
        
        PID:972
        
        C:\Windows\SysWOW64\toxakej.exe
        
        C:\Windows\system32\toxakej.exe 1892 "C:\Windows\SysWOW64\gxcycdl.exe"
        342⤵
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\gmadtmo.exe
        
        C:\Windows\system32\gmadtmo.exe 1896 "C:\Windows\SysWOW64\toxakej.exe"
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Windows\SysWOW64\qbtartb.exe
        
        C:\Windows\system32\qbtartb.exe 1924 "C:\Windows\SysWOW64\gmadtmo.exe"
        344⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\drvdzbh.exe
        
        C:\Windows\system32\drvdzbh.exe 1904 "C:\Windows\SysWOW64\qbtartb.exe"
        345⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\qiqgice.exe
        
        C:\Windows\system32\qiqgice.exe 1908 "C:\Windows\SysWOW64\drvdzbh.exe"
        346⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\cglirkk.exe
        
        C:\Windows\system32\cglirkk.exe 1916 "C:\Windows\SysWOW64\qiqgice.exe"
        347⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\mjilmnq.exe
        
        C:\Windows\system32\mjilmnq.exe 1928 "C:\Windows\SysWOW64\cglirkk.exe"
        348⤵
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\zlpbxrd.exe
        
        C:\Windows\system32\zlpbxrd.exe 1912 "C:\Windows\SysWOW64\mjilmnq.exe"
        349⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\myyqdvb.exe
        
        C:\Windows\system32\myyqdvb.exe 1932 "C:\Windows\SysWOW64\zlpbxrd.exe"
        350⤵
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\zaegoig.exe
        
        C:\Windows\system32\zaegoig.exe 1920 "C:\Windows\SysWOW64\myyqdvb.exe"
        351⤵
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\jcuqclm.exe
        
        C:\Windows\system32\jcuqclm.exe 1948 "C:\Windows\SysWOW64\zaegoig.exe"
        352⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\wplghht.exe
        
        C:\Windows\system32\wplghht.exe 1936 "C:\Windows\SysWOW64\jcuqclm.exe"
        353⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\gaaqdkz.exe
        
        C:\Windows\system32\gaaqdkz.exe 1940 "C:\Windows\SysWOW64\wplghht.exe"
        354⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\tqvtlsf.exe
        
        C:\Windows\system32\tqvtlsf.exe 1956 "C:\Windows\SysWOW64\gaaqdkz.exe"
        355⤵
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\gpywuac.exe
        
        C:\Windows\system32\gpywuac.exe 1964 "C:\Windows\SysWOW64\tqvtlsf.exe"
        356⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\qoctezk.exe
        
        C:\Windows\system32\qoctezk.exe 1952 "C:\Windows\SysWOW64\gpywuac.exe"
        357⤵
        
        PID:308
        
        C:\Windows\SysWOW64\ayseauq.exe
        
        C:\Windows\system32\ayseauq.exe 1944 "C:\Windows\SysWOW64\qoctezk.exe"
        358⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\nljtfyx.exe
        
        C:\Windows\system32\nljtfyx.exe 1960 "C:\Windows\SysWOW64\ayseauq.exe"
        359⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\xozetbd.exe
        
        C:\Windows\system32\xozetbd.exe 1976 "C:\Windows\SysWOW64\nljtfyx.exe"
        360⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cntgbjj.exe
        
        C:\Windows\system32\cntgbjj.exe 1968 "C:\Windows\SysWOW64\xozetbd.exe"
        361⤵
        
        PID:828
        
        C:\Windows\SysWOW64\mprrwmp.exe
        
        C:\Windows\system32\mprrwmp.exe 1984 "C:\Windows\SysWOW64\cntgbjj.exe"
        362⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\yomtfmu.exe
        
        C:\Windows\system32\yomtfmu.exe 1980 "C:\Windows\SysWOW64\mprrwmp.exe"
        363⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\Windows\SysWOW64\iqbespb.exe
        
        C:\Windows\system32\iqbespb.exe 1992 "C:\Windows\SysWOW64\yomtfmu.exe"
        364⤵
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\yvjzwdy.exe
        
        C:\Windows\system32\yvjzwdy.exe 1972 "C:\Windows\SysWOW64\iqbespb.exe"
        365⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\ifzbjge.exe
        
        C:\Windows\system32\ifzbjge.exe 2004 "C:\Windows\SysWOW64\yvjzwdy.exe"
        366⤵
        Drops file in System32 directory
        
        PID:2540
        
        C:\Windows\SysWOW64\vwtesgj.exe
        
        C:\Windows\system32\vwtesgj.exe 1996 "C:\Windows\SysWOW64\ifzbjge.exe"
        367⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\iuohbop.exe
        
        C:\Windows\system32\iuohbop.exe 1988 "C:\Windows\SysWOW64\vwtesgj.exe"
        368⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\sapezwc.exe
        
        C:\Windows\system32\sapezwc.exe 2000 "C:\Windows\SysWOW64\iuohbop.exe"
        369⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2328
        
        C:\Windows\SysWOW64\fzshhwa.exe
        
        C:\Windows\system32\fzshhwa.exe 2028 "C:\Windows\SysWOW64\sapezwc.exe"
        370⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\smbwnag.exe
        
        C:\Windows\system32\smbwnag.exe 2012 "C:\Windows\SysWOW64\fzshhwa.exe"
        371⤵
        
        PID:908
        
        C:\Windows\SysWOW64\coqhadn.exe
        
        C:\Windows\system32\coqhadn.exe 2024 "C:\Windows\SysWOW64\smbwnag.exe"
        372⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\oqxwupr.exe
        
        C:\Windows\system32\oqxwupr.exe 2008 "C:\Windows\SysWOW64\coqhadn.exe"
        373⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\bdomzlq.exe
        
        C:\Windows\system32\bdomzlq.exe 2016 "C:\Windows\SysWOW64\oqxwupr.exe"
        374⤵
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\lrpkqsd.exe
        
        C:\Windows\system32\lrpkqsd.exe 2020 "C:\Windows\SysWOW64\bdomzlq.exe"
        375⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\yikeybj.exe
        
        C:\Windows\system32\yikeybj.exe 2032 "C:\Windows\SysWOW64\lrpkqsd.exe"
        376⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\ldbceeh.exe
        
        C:\Windows\system32\ldbceeh.exe 2036 "C:\Windows\SysWOW64\yikeybj.exe"
        377⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\vgqmzao.exe
        
        C:\Windows\system32\vgqmzao.exe 2068 "C:\Windows\SysWOW64\ldbceeh.exe"
        378⤵
        
        PID:864
        
        C:\Windows\SysWOW64\iixulma.exe
        
        C:\Windows\system32\iixulma.exe 2044 "C:\Windows\SysWOW64\vgqmzao.exe"
        379⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\vvokqqz.exe
        
        C:\Windows\system32\vvokqqz.exe 2040 "C:\Windows\SysWOW64\iixulma.exe"
        380⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\ixuzcud.exe
        
        C:\Windows\system32\ixuzcud.exe 2052 "C:\Windows\SysWOW64\vvokqqz.exe"
        381⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\swyxmtl.exe
        
        C:\Windows\system32\swyxmtl.exe 2076 "C:\Windows\SysWOW64\ixuzcud.exe"
        382⤵
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\cyohhwr.exe
        
        C:\Windows\system32\cyohhwr.exe 2060 "C:\Windows\SysWOW64\swyxmtl.exe"
        383⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
        
        C:\Windows\SysWOW64\oxqkqew.exe
        
        C:\Windows\system32\oxqkqew.exe 2056 "C:\Windows\SysWOW64\cyohhwr.exe"
        384⤵
        
        PID:928
        
        C:\Windows\SysWOW64\bnlnznu.exe
        
        C:\Windows\system32\bnlnznu.exe 2064 "C:\Windows\SysWOW64\oxqkqew.exe"
        385⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\mmpkjlc.exe
        
        C:\Windows\system32\mmpkjlc.exe 2072 "C:\Windows\SysWOW64\bnlnznu.exe"
        386⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\ylsnsmh.exe
        
        C:\Windows\system32\ylsnsmh.exe 2080 "C:\Windows\SysWOW64\mmpkjlc.exe"
        387⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\inixnpn.exe
        
        C:\Windows\system32\inixnpn.exe 2084 "C:\Windows\SysWOW64\ylsnsmh.exe"
        388⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\vponybs.exe
        
        C:\Windows\system32\vponybs.exe 2088 "C:\Windows\SysWOW64\inixnpn.exe"
        389⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\icfcexz.exe
        
        C:\Windows\system32\icfcexz.exe 2108 "C:\Windows\SysWOW64\vponybs.exe"
        390⤵
        Drops file in System32 directory
        
        PID:3324
        
        C:\Windows\SysWOW64\srysuem.exe
        
        C:\Windows\system32\srysuem.exe 2096 "C:\Windows\SysWOW64\icfcexz.exe"
        391⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\feppaik.exe
        
        C:\Windows\system32\feppaik.exe 2104 "C:\Windows\SysWOW64\srysuem.exe"
        392⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\suksjqi.exe
        
        C:\Windows\system32\suksjqi.exe 2100 "C:\Windows\SysWOW64\feppaik.exe"
        393⤵
        System Location Discovery: System Language Discovery
        
        PID:3508
        
        C:\Windows\SysWOW64\cfideuw.exe
        
        C:\Windows\system32\cfideuw.exe 2128 "C:\Windows\SysWOW64\suksjqi.exe"
        394⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\ohokpyb.exe
        
        C:\Windows\system32\ohokpyb.exe 2092 "C:\Windows\SysWOW64\cfideuw.exe"
        395⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\bxinygg.exe
        
        C:\Windows\system32\bxinygg.exe 2124 "C:\Windows\SysWOW64\ohokpyb.exe"
        396⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\liyxljn.exe
        
        C:\Windows\system32\liyxljn.exe 2112 "C:\Windows\SysWOW64\bxinygg.exe"
        397⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\yvpnrfl.exe
        
        C:\Windows\system32\yvpnrfl.exe 2120 "C:\Windows\SysWOW64\liyxljn.exe"
        398⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\ixfxmis.exe
        
        C:\Windows\system32\ixfxmis.exe 2132 "C:\Windows\SysWOW64\yvpnrfl.exe"
        399⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\vkonsmy.exe
        
        C:\Windows\system32\vkonsmy.exe 2116 "C:\Windows\SysWOW64\ixfxmis.exe"
        400⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\fypliud.exe
        
        C:\Windows\system32\fypliud.exe 2136 "C:\Windows\SysWOW64\vkonsmy.exe"
        401⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\spsnqcj.exe
        
        C:\Windows\system32\spsnqcj.exe 2148 "C:\Windows\SysWOW64\fypliud.exe"
        402⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\fnnqhcp.exe
        
        C:\Windows\system32\fnnqhcp.exe 2144 "C:\Windows\SysWOW64\spsnqcj.exe"
        403⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\pqcaufv.exe
        
        C:\Windows\system32\pqcaufv.exe 2156 "C:\Windows\SysWOW64\fnnqhcp.exe"
        404⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\fckvyss.exe
        
        C:\Windows\system32\fckvyss.exe 2140 "C:\Windows\SysWOW64\pqcaufv.exe"
        405⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\oillosf.exe
        
        C:\Windows\system32\oillosf.exe 2152 "C:\Windows\SysWOW64\fckvyss.exe"
        406⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cduauve.exe
        
        C:\Windows\system32\cduauve.exe 2160 "C:\Windows\SysWOW64\oillosf.exe"
        407⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\pupddej.exe
        
        C:\Windows\system32\pupddej.exe 2164 "C:\Windows\SysWOW64\cduauve.exe"
        408⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\yfnnyhp.exe
        
        C:\Windows\system32\yfnnyhp.exe 2168 "C:\Windows\SysWOW64\pupddej.exe"
        409⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\ahcylke.exe
        
        C:\Windows\system32\ahcylke.exe 2184 "C:\Windows\SysWOW64\yfnnyhp.exe"
        410⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\nyxbukb.exe
        
        C:\Windows\system32\nyxbukb.exe 2180 "C:\Windows\SysWOW64\ahcylke.exe"
        411⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\atoqaoi.exe
        
        C:\Windows\system32\atoqaoi.exe 2172 "C:\Windows\SysWOW64\nyxbukb.exe"
        412⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\kvebvro.exe
        
        C:\Windows\system32\kvebvro.exe 2188 "C:\Windows\SysWOW64\atoqaoi.exe"
        413⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\ugtliuv.exe
        
        C:\Windows\system32\ugtliuv.exe 2176 "C:\Windows\SysWOW64\kvebvro.exe"
        414⤵
        Drops file in System32 directory
        
        PID:3732
        
        C:\Windows\SysWOW64\hwoorua.exe
        
        C:\Windows\system32\hwoorua.exe 2196 "C:\Windows\SysWOW64\ugtliuv.exe"
        415⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\ujfdwyz.exe
        
        C:\Windows\system32\ujfdwyz.exe 2208 "C:\Windows\SysWOW64\hwoorua.exe"
        416⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\exgbugm.exe
        
        C:\Windows\system32\exgbugm.exe 2192 "C:\Windows\SysWOW64\ujfdwyz.exe"
        417⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\rkqqajl.exe
        
        C:\Windows\system32\rkqqajl.exe 2200 "C:\Windows\SysWOW64\exgbugm.exe"
        418⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\emwgmop.exe
        
        C:\Windows\system32\emwgmop.exe 2204 "C:\Windows\SysWOW64\rkqqajl.exe"
        419⤵
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\rdyjuwv.exe
        
        C:\Windows\system32\rdyjuwv.exe 2220 "C:\Windows\SysWOW64\emwgmop.exe"
        420⤵
        Drops file in System32 directory
        
        PID:3148
        
        C:\Windows\SysWOW64\ebtmdea.exe
        
        C:\Windows\system32\ebtmdea.exe 2212 "C:\Windows\SysWOW64\rdyjuwv.exe"
        421⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\nejwqzh.exe
        
        C:\Windows\system32\nejwqzh.exe 2224 "C:\Windows\SysWOW64\ebtmdea.exe"
        422⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\xpyylcn.exe
        
        C:\Windows\system32\xpyylcn.exe 2216 "C:\Windows\SysWOW64\nejwqzh.exe"
        423⤵
        
        PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ldampse.exe

Filesize
272KB

MD5
f2d8d3ef1d5623bdfa9a0eebd4fc2266

SHA1
1a86274d2db5433939ed092da2aa9061b81f4d70

SHA256
d8d98aca37ca3d943cc7514a7977c3323eeecceb9e7b12015f2932dba3cd6eab

SHA512
189d3760dd2cc2521423bd3c1d7ce80a9160efbf50239a32dde000b6ee5725735f5e8bae581ab800ddd00211c3e13838b3fb40ae2d4fb5805f7126c55528de4a

Download Submit
memory/292-226-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/292-238-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/292-235-0x00000000029F0000-0x0000000002B1E000-memory.dmp

Filesize
1.2MB

Download
memory/296-196-0x0000000002B00000-0x0000000002C2E000-memory.dmp

Filesize
1.2MB

Download
memory/296-200-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/296-186-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/340-361-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/340-352-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/740-174-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/740-170-0x0000000002AC0000-0x0000000002BEE000-memory.dmp

Filesize
1.2MB

Download
memory/740-160-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/740-159-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/788-264-0x00000000029B0000-0x0000000002ADE000-memory.dmp

Filesize
1.2MB

Download
memory/788-256-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/788-266-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/860-236-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/860-237-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/860-245-0x0000000002C40000-0x0000000002D6E000-memory.dmp

Filesize
1.2MB

Download
memory/860-248-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/948-173-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/948-183-0x0000000002B10000-0x0000000002C3E000-memory.dmp

Filesize
1.2MB

Download
memory/948-187-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1144-126-0x0000000002C10000-0x0000000002D3E000-memory.dmp

Filesize
1.2MB

Download
memory/1144-127-0x0000000002C10000-0x0000000002D3E000-memory.dmp

Filesize
1.2MB

Download
memory/1144-133-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1144-115-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1680-257-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1680-255-0x0000000002B60000-0x0000000002C8E000-memory.dmp

Filesize
1.2MB

Download
memory/1680-246-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1680-247-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1708-223-0x0000000002950000-0x0000000002A7E000-memory.dmp

Filesize
1.2MB

Download
memory/1708-212-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1708-218-0x0000000002950000-0x0000000002A7E000-memory.dmp

Filesize
1.2MB

Download
memory/1708-230-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1736-318-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1736-319-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1736-326-0x00000000029E0000-0x0000000002B0E000-memory.dmp

Filesize
1.2MB

Download
memory/1736-329-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1780-145-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1780-156-0x0000000002B00000-0x0000000002C2E000-memory.dmp

Filesize
1.2MB

Download
memory/1780-161-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-345-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1920-336-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2084-199-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2084-215-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2084-209-0x0000000002990000-0x0000000002ABE000-memory.dmp

Filesize
1.2MB

Download
memory/2100-16-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2100-36-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2100-17-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2120-339-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2120-328-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2148-368-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2224-30-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2224-49-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2224-32-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2224-31-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2228-27-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2228-1-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2228-13-0x0000000002B80000-0x0000000002CAE000-memory.dmp

Filesize
1.2MB

Download
memory/2228-2-0x0000000000401000-0x000000000044C000-memory.dmp

Filesize
300KB

Download
memory/2228-12-0x0000000002B80000-0x0000000002CAE000-memory.dmp

Filesize
1.2MB

Download
memory/2312-309-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2312-320-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2380-344-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2380-353-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2468-360-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2596-283-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2596-293-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2596-291-0x0000000002C60000-0x0000000002D8E000-memory.dmp

Filesize
1.2MB

Download
memory/2596-282-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-74-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-88-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2600-73-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2636-102-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2636-87-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2636-97-0x0000000002960000-0x0000000002A8E000-memory.dmp

Filesize
1.2MB

Download
memory/2692-62-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2692-59-0x0000000002A50000-0x0000000002B7E000-memory.dmp

Filesize
1.2MB

Download
memory/2692-47-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2692-46-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2692-44-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2728-301-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2728-292-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2772-275-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2772-265-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2772-273-0x0000000002AA0000-0x0000000002BCE000-memory.dmp

Filesize
1.2MB

Download
memory/2832-274-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2832-284-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2836-308-0x0000000002BA0000-0x0000000002CCE000-memory.dmp

Filesize
1.2MB

Download
memory/2836-313-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2836-300-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2908-112-0x0000000002AD0000-0x0000000002BFE000-memory.dmp

Filesize
1.2MB

Download
memory/2908-101-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2908-111-0x0000000002AD0000-0x0000000002BFE000-memory.dmp

Filesize
1.2MB

Download
memory/2908-100-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2908-119-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-78-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-75-0x00000000029F0000-0x0000000002B1E000-memory.dmp

Filesize
1.2MB

Download
memory/2920-61-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2924-149-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2924-131-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2924-130-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2924-143-0x00000000028D0000-0x00000000029FE000-memory.dmp

Filesize
1.2MB

Download