metasploit | 5edaadd37dd1dd9425dbbbdcd360194fe1f965ae971a5c8165a3effdc25c7e80

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
Size

222KB
MD5

f38d258532673cf62200ab2d7dd5268a
SHA1

39bf714b2e9ffb5a8cf534977588b71e35952ec6
SHA256

5edaadd37dd1dd9425dbbbdcd360194fe1f965ae971a5c8165a3effdc25c7e80
SHA512

b2c994c3e6575c0463d4278220f79e29867f37049076e28c97feab5af90eec86a472a0f12945df608d73336121c2ff7b9a0c6b30ba82906c67d7f3fdcedc28cf
SSDEEP

6144:ASOrStDEnqmNpMBN+Mcqfbobx4aRrxyre5HfTLGSa:pOrp/N2h4x4aRYixLba

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

pid	Process
2152	ypivtr.exe
2716	ypivtr.exe
1624	kvkvnc.exe
2772	kvkvnc.exe
2588	jmiqok.exe
2584	jmiqok.exe
1856	qjtwsi.exe
1604	qjtwsi.exe
1824	ycbgaj.exe
2824	ycbgaj.exe
1936	hxrjqz.exe
2876	hxrjqz.exe
704	rutmro.exe
1960	rutmro.exe
2948	jasbwc.exe
2316	jasbwc.exe
2064	qbomke.exe
2060	qbomke.exe
752	zsbcxy.exe
1008	zsbcxy.exe
892	jvswen.exe
1640	jvswen.exe
936	snfmqz.exe
2276	snfmqz.exe
1412	isozoz.exe
2460	isozoz.exe
3000	matfer.exe
2096	matfer.exe
628	ynifkr.exe
1392	ynifkr.exe
2784	leeaul.exe
2800	leeaul.exe
2812	stnsby.exe
2548	stnsby.exe
2576	ecrfdt.exe
2772	ecrfdt.exe
1296	tookhu.exe
2504	tookhu.exe
2396	dobauf.exe
2860	dobauf.exe
2856	uvbqyb.exe
520	uvbqyb.exe
2592	jgydcc.exe
2320	jgydcc.exe
1948	gefdvj.exe
1104	gefdvj.exe
2292	eqbqtl.exe
1952	eqbqtl.exe
1384	ntzlab.exe
1148	ntzlab.exe
2380	xhboki.exe
532	xhboki.exe
2008	ggcdcc.exe
1732	ggcdcc.exe
2424	txgrfx.exe
2052	txgrfx.exe
2444	dotgrj.exe
936	dotgrj.exe
1612	moywvu.exe
2308	moywvu.exe
1556	egjuui.exe
1564	egjuui.exe
2992	thdrer.exe
2096	thdrer.exe

Loads dropped DLL 64 IoCs

pid	Process
3004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
3004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
2152	ypivtr.exe
2716	ypivtr.exe
2716	ypivtr.exe
1624	kvkvnc.exe
2772	kvkvnc.exe
2772	kvkvnc.exe
2584	jmiqok.exe
2584	jmiqok.exe
1604	qjtwsi.exe
1604	qjtwsi.exe
2824	ycbgaj.exe
2824	ycbgaj.exe
2876	hxrjqz.exe
2876	hxrjqz.exe
1960	rutmro.exe
1960	rutmro.exe
2316	jasbwc.exe
2316	jasbwc.exe
2060	qbomke.exe
2060	qbomke.exe
1008	zsbcxy.exe
1008	zsbcxy.exe
1640	jvswen.exe
1640	jvswen.exe
2276	snfmqz.exe
2276	snfmqz.exe
2460	isozoz.exe
2460	isozoz.exe
2096	matfer.exe
2096	matfer.exe
1392	ynifkr.exe
1392	ynifkr.exe
2800	leeaul.exe
2800	leeaul.exe
2548	stnsby.exe
2548	stnsby.exe
2772	ecrfdt.exe
2772	ecrfdt.exe
2504	tookhu.exe
2504	tookhu.exe
2860	dobauf.exe
2860	dobauf.exe
520	uvbqyb.exe
520	uvbqyb.exe
2320	jgydcc.exe
2320	jgydcc.exe
1104	gefdvj.exe
1104	gefdvj.exe
1952	eqbqtl.exe
1952	eqbqtl.exe
1148	ntzlab.exe
1148	ntzlab.exe
532	xhboki.exe
532	xhboki.exe
1732	ggcdcc.exe
1732	ggcdcc.exe
2052	txgrfx.exe
2052	txgrfx.exe
936	dotgrj.exe
936	dotgrj.exe
2308	moywvu.exe
2308	moywvu.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\zrhwbd.exe	ctbwaw.exe
File created	C:\Windows\SysWOW64\sjokqy.exe	mfhnzk.exe
File created	C:\Windows\SysWOW64\fwhsqo.exe	sjokqy.exe
File opened for modification	C:\Windows\SysWOW64\ekmgjh.exe	jphqrn.exe
File opened for modification	C:\Windows\SysWOW64\dvktko.exe	jxuypq.exe
File created	C:\Windows\SysWOW64\kjbxff.exe	acbaaq.exe
File opened for modification	C:\Windows\SysWOW64\dztdjl.exe	tvwtib.exe
File opened for modification	C:\Windows\SysWOW64\osursk.exe	xduboo.exe
File opened for modification	C:\Windows\SysWOW64\zvoxqu.exe	ydbidj.exe
File opened for modification	C:\Windows\SysWOW64\sjokqy.exe	mfhnzk.exe
File opened for modification	C:\Windows\SysWOW64\naqqxx.exe	qcjqeq.exe
File created	C:\Windows\SysWOW64\xylfvd.exe	lstxvm.exe
File created	C:\Windows\SysWOW64\dobauf.exe	tookhu.exe
File created	C:\Windows\SysWOW64\jfcxwa.exe	rycirm.exe
File opened for modification	C:\Windows\SysWOW64\jcrjel.exe	rcgmff.exe
File created	C:\Windows\SysWOW64\eyjeyf.exe	noytqm.exe
File opened for modification	C:\Windows\SysWOW64\zxjrzy.exe	pxyuas.exe
File created	C:\Windows\SysWOW64\zsbcxy.exe	qbomke.exe
File opened for modification	C:\Windows\SysWOW64\leeaul.exe	ynifkr.exe
File created	C:\Windows\SysWOW64\suurtc.exe	igtosv.exe
File created	C:\Windows\SysWOW64\pjiesb.exe	usojvm.exe
File created	C:\Windows\SysWOW64\lnnucb.exe	rwtsfm.exe
File created	C:\Windows\SysWOW64\fmpnah.exe	wrztlr.exe
File opened for modification	C:\Windows\SysWOW64\pjiesb.exe	usojvm.exe
File opened for modification	C:\Windows\SysWOW64\wqdxco.exe	ffsmuw.exe
File opened for modification	C:\Windows\SysWOW64\dbfotc.exe	wbrdns.exe
File created	C:\Windows\SysWOW64\xlnrqx.exe	defwnz.exe
File created	C:\Windows\SysWOW64\jlotsp.exe	rizirf.exe
File opened for modification	C:\Windows\SysWOW64\xrvgjj.exe	naqqxx.exe
File created	C:\Windows\SysWOW64\uyseeq.exe	hhorbv.exe
File created	C:\Windows\SysWOW64\nufvwu.exe	yihqsl.exe
File created	C:\Windows\SysWOW64\zxpluh.exe	fzzqrk.exe
File created	C:\Windows\SysWOW64\rxsrtv.exe	zxpluh.exe
File opened for modification	C:\Windows\SysWOW64\nmsjfl.exe	zxjrzy.exe
File created	C:\Windows\SysWOW64\jvswen.exe	zsbcxy.exe
File opened for modification	C:\Windows\SysWOW64\eohmym.exe	hulrij.exe
File opened for modification	C:\Windows\SysWOW64\ydbidj.exe	glqfwq.exe
File opened for modification	C:\Windows\SysWOW64\igtosv.exe	yogzfj.exe
File opened for modification	C:\Windows\SysWOW64\ccbcmq.exe	nmsjfl.exe
File created	C:\Windows\SysWOW64\cvwqel.exe	ipgnbn.exe
File created	C:\Windows\SysWOW64\biomkc.exe	mwqggu.exe
File created	C:\Windows\SysWOW64\ncdktm.exe	ynvrmz.exe
File created	C:\Windows\SysWOW64\fgnabp.exe	spsnqc.exe
File opened for modification	C:\Windows\SysWOW64\wfsmpc.exe	hfguoy.exe
File created	C:\Windows\SysWOW64\leksyq.exe	bmxcme.exe
File created	C:\Windows\SysWOW64\vgnzvs.exe	ogqphi.exe
File opened for modification	C:\Windows\SysWOW64\fwecqn.exe	tkxcco.exe
File opened for modification	C:\Windows\SysWOW64\ntzlab.exe	eqbqtl.exe
File opened for modification	C:\Windows\SysWOW64\moywvu.exe	dotgrj.exe
File opened for modification	C:\Windows\SysWOW64\gvicuu.exe	osursk.exe
File opened for modification	C:\Windows\SysWOW64\ftassr.exe	nbpplz.exe
File created	C:\Windows\SysWOW64\mewzze.exe	suurtc.exe
File created	C:\Windows\SysWOW64\snfmqz.exe	jvswen.exe
File opened for modification	C:\Windows\SysWOW64\uvbqyb.exe	dobauf.exe
File created	C:\Windows\SysWOW64\fzzqrk.exe	tfsqmt.exe
File created	C:\Windows\SysWOW64\rvalbt.exe	fxiyty.exe
File opened for modification	C:\Windows\SysWOW64\frwnol.exe	ynoyxe.exe
File opened for modification	C:\Windows\SysWOW64\tetzqy.exe	eokhkl.exe
File opened for modification	C:\Windows\SysWOW64\ldimos.exe	rxsrtv.exe
File created	C:\Windows\SysWOW64\matfer.exe	isozoz.exe
File opened for modification	C:\Windows\SysWOW64\wusrys.exe	ckrktq.exe
File opened for modification	C:\Windows\SysWOW64\fknxwv.exe	tbrkla.exe
File opened for modification	C:\Windows\SysWOW64\mdsaer.exe	uwsdad.exe
File created	C:\Windows\SysWOW64\egjuui.exe	moywvu.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 468 set thread context of 3004	468	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	30
PID 2152 set thread context of 2716	2152	ypivtr.exe	32
PID 1624 set thread context of 2772	1624	kvkvnc.exe	34
PID 2588 set thread context of 2584	2588	jmiqok.exe	36
PID 1856 set thread context of 1604	1856	qjtwsi.exe	38
PID 1824 set thread context of 2824	1824	ycbgaj.exe	40
PID 1936 set thread context of 2876	1936	hxrjqz.exe	42
PID 704 set thread context of 1960	704	rutmro.exe	44
PID 2948 set thread context of 2316	2948	jasbwc.exe	46
PID 2064 set thread context of 2060	2064	qbomke.exe	48
PID 752 set thread context of 1008	752	zsbcxy.exe	50
PID 892 set thread context of 1640	892	jvswen.exe	52
PID 936 set thread context of 2276	936	snfmqz.exe	54
PID 1412 set thread context of 2460	1412	isozoz.exe	56
PID 3000 set thread context of 2096	3000	matfer.exe	58
PID 628 set thread context of 1392	628	ynifkr.exe	60
PID 2784 set thread context of 2800	2784	leeaul.exe	62
PID 2812 set thread context of 2548	2812	stnsby.exe	64
PID 2576 set thread context of 2772	2576	ecrfdt.exe	66
PID 1296 set thread context of 2504	1296	tookhu.exe	68
PID 2396 set thread context of 2860	2396	dobauf.exe	70
PID 2856 set thread context of 520	2856	uvbqyb.exe	72
PID 2592 set thread context of 2320	2592	jgydcc.exe	74
PID 1948 set thread context of 1104	1948	gefdvj.exe	76
PID 2292 set thread context of 1952	2292	eqbqtl.exe	78
PID 1384 set thread context of 1148	1384	ntzlab.exe	80
PID 2380 set thread context of 532	2380	xhboki.exe	82
PID 2008 set thread context of 1732	2008	ggcdcc.exe	84
PID 2424 set thread context of 2052	2424	txgrfx.exe	86
PID 2444 set thread context of 936	2444	dotgrj.exe	88
PID 1612 set thread context of 2308	1612	moywvu.exe	90
PID 1556 set thread context of 1564	1556	egjuui.exe	92
PID 2992 set thread context of 2096	2992	thdrer.exe	94
PID 2656 set thread context of 2808	2656	dyqhqc.exe	96
PID 2936 set thread context of 2800	2936	hejpqt.exe	98
PID 2748 set thread context of 1656	2748	ckrktq.exe	100
PID 2620 set thread context of 2228	2620	wusrys.exe	102
PID 2384 set thread context of 2404	2384	izlzyj.exe	104
PID 3012 set thread context of 2840	3012	uxdmhm.exe	106
PID 880 set thread context of 2824	880	mxokgs.exe	108
PID 1844 set thread context of 1532	1844	bmxcme.exe	110
PID 2164 set thread context of 1284	2164	leksyq.exe	112
PID 2076 set thread context of 2180	2076	fksnbn.exe	114
PID 1668 set thread context of 1576	1668	pycqdv.exe	116
PID 968 set thread context of 2060	968	bljqiu.exe	118
PID 1616 set thread context of 1348	1616	wrztlr.exe	120
PID 2256 set thread context of 2296	2256	fmpnah.exe	122
PID 2304 set thread context of 2244	2304	sdtidc.exe	124
PID 1560 set thread context of 2472	1560	jktyiq.exe	126
PID 3000 set thread context of 1648	3000	ywqdlz.exe	128
PID 2672 set thread context of 2260	2672	tqvtls.exe	130
PID 2712 set thread context of 2680	2712	defwnz.exe	132
PID 2660 set thread context of 2528	2660	xlnrqx.exe	134
PID 3036 set thread context of 3044	3036	gdybxp.exe	136
PID 316 set thread context of 2028	316	bydjxi.exe	138
PID 1876 set thread context of 2340	1876	vwtesg.exe	140
PID 2864 set thread context of 2832	2864	hulrij.exe	142
PID 2956 set thread context of 1160	2956	eohmym.exe	144
PID 1964 set thread context of 1248	1964	tanrcn.exe	146
PID 2160 set thread context of 2964	2160	nbgzio.exe	148
PID 2044 set thread context of 2316	2044	ffvkky.exe	150
PID 768 set thread context of 2372	768	ucluql.exe	152
PID 1396 set thread context of 1304	1396	eqnfas.exe	154
PID 2408 set thread context of 236	2408	yovauq.exe	156

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rizirf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ufwpae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ovmmcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvktko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stnsby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxdmhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liyxlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frwnol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ncdktm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nnsqeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rcgmff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ojoxrm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zvoxqu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfhnzk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eldysc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ldimos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fknxwv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dotgrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdybxp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lcegwo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hxquyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jktyiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcidai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfunfu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvwqel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	skqqzo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zjvaxt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qnhfgy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddviti.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	leeaul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usojvm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weiweb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqdxco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hhorbv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgydcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqvtls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ugcble.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	suurtc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	flixlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xhboki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bljqiu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sjokqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	magqhv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ynifkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ggcdcc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hfhpvj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spsnqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jileoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxokgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fkhgsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ynzcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hsljas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwecqn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyqhqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tzehsv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lercie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tkxcco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jvswen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	moywvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jktyiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohxyfl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxyuas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wusrys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bydjxi.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
468	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
2152	ypivtr.exe
1624	kvkvnc.exe
2588	jmiqok.exe
1856	qjtwsi.exe
1824	ycbgaj.exe
1936	hxrjqz.exe
704	rutmro.exe
2948	jasbwc.exe
2064	qbomke.exe
752	zsbcxy.exe
892	jvswen.exe
936	snfmqz.exe
1412	isozoz.exe
3000	matfer.exe
628	ynifkr.exe
2784	leeaul.exe
2812	stnsby.exe
2576	ecrfdt.exe
1296	tookhu.exe
2396	dobauf.exe
2856	uvbqyb.exe
2592	jgydcc.exe
1948	gefdvj.exe
2292	eqbqtl.exe
1384	ntzlab.exe
2380	xhboki.exe
2008	ggcdcc.exe
2424	txgrfx.exe
2444	dotgrj.exe
1612	moywvu.exe
1556	egjuui.exe
2992	thdrer.exe
2656	dyqhqc.exe
2936	hejpqt.exe
2748	ckrktq.exe
2620	wusrys.exe
2384	izlzyj.exe
3012	uxdmhm.exe
880	mxokgs.exe
1844	bmxcme.exe
2164	leksyq.exe
2076	fksnbn.exe
1668	pycqdv.exe
968	bljqiu.exe
1616	wrztlr.exe
2256	fmpnah.exe
2304	sdtidc.exe
1560	jktyiq.exe
3000	ywqdlz.exe
2672	tqvtls.exe
2712	defwnz.exe
2660	xlnrqx.exe
3036	gdybxp.exe
316	bydjxi.exe
1876	vwtesg.exe
2864	hulrij.exe
2956	eohmym.exe
1964	tanrcn.exe
2160	nbgzio.exe
2044	ffvkky.exe
768	ucluql.exe
1396	eqnfas.exe
2408	yovauq.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 3004	468	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	30
PID 468 wrote to memory of 3004	468	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	30
PID 468 wrote to memory of 3004	468	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	30
PID 468 wrote to memory of 3004	468	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	30
PID 468 wrote to memory of 3004	468	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	30
PID 468 wrote to memory of 3004	468	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2152	3004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2152	3004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2152	3004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2152	3004	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	31
PID 2152 wrote to memory of 2716	2152	ypivtr.exe	32
PID 2152 wrote to memory of 2716	2152	ypivtr.exe	32
PID 2152 wrote to memory of 2716	2152	ypivtr.exe	32
PID 2152 wrote to memory of 2716	2152	ypivtr.exe	32
PID 2152 wrote to memory of 2716	2152	ypivtr.exe	32
PID 2152 wrote to memory of 2716	2152	ypivtr.exe	32
PID 2716 wrote to memory of 1624	2716	ypivtr.exe	33
PID 2716 wrote to memory of 1624	2716	ypivtr.exe	33
PID 2716 wrote to memory of 1624	2716	ypivtr.exe	33
PID 2716 wrote to memory of 1624	2716	ypivtr.exe	33
PID 1624 wrote to memory of 2772	1624	kvkvnc.exe	34
PID 1624 wrote to memory of 2772	1624	kvkvnc.exe	34
PID 1624 wrote to memory of 2772	1624	kvkvnc.exe	34
PID 1624 wrote to memory of 2772	1624	kvkvnc.exe	34
PID 1624 wrote to memory of 2772	1624	kvkvnc.exe	34
PID 1624 wrote to memory of 2772	1624	kvkvnc.exe	34
PID 2772 wrote to memory of 2588	2772	kvkvnc.exe	35
PID 2772 wrote to memory of 2588	2772	kvkvnc.exe	35
PID 2772 wrote to memory of 2588	2772	kvkvnc.exe	35
PID 2772 wrote to memory of 2588	2772	kvkvnc.exe	35
PID 2588 wrote to memory of 2584	2588	jmiqok.exe	36
PID 2588 wrote to memory of 2584	2588	jmiqok.exe	36
PID 2588 wrote to memory of 2584	2588	jmiqok.exe	36
PID 2588 wrote to memory of 2584	2588	jmiqok.exe	36
PID 2588 wrote to memory of 2584	2588	jmiqok.exe	36
PID 2588 wrote to memory of 2584	2588	jmiqok.exe	36
PID 2584 wrote to memory of 1856	2584	jmiqok.exe	37
PID 2584 wrote to memory of 1856	2584	jmiqok.exe	37
PID 2584 wrote to memory of 1856	2584	jmiqok.exe	37
PID 2584 wrote to memory of 1856	2584	jmiqok.exe	37
PID 1856 wrote to memory of 1604	1856	qjtwsi.exe	38
PID 1856 wrote to memory of 1604	1856	qjtwsi.exe	38
PID 1856 wrote to memory of 1604	1856	qjtwsi.exe	38
PID 1856 wrote to memory of 1604	1856	qjtwsi.exe	38
PID 1856 wrote to memory of 1604	1856	qjtwsi.exe	38
PID 1856 wrote to memory of 1604	1856	qjtwsi.exe	38
PID 1604 wrote to memory of 1824	1604	qjtwsi.exe	39
PID 1604 wrote to memory of 1824	1604	qjtwsi.exe	39
PID 1604 wrote to memory of 1824	1604	qjtwsi.exe	39
PID 1604 wrote to memory of 1824	1604	qjtwsi.exe	39
PID 1824 wrote to memory of 2824	1824	ycbgaj.exe	40
PID 1824 wrote to memory of 2824	1824	ycbgaj.exe	40
PID 1824 wrote to memory of 2824	1824	ycbgaj.exe	40
PID 1824 wrote to memory of 2824	1824	ycbgaj.exe	40
PID 1824 wrote to memory of 2824	1824	ycbgaj.exe	40
PID 1824 wrote to memory of 2824	1824	ycbgaj.exe	40
PID 2824 wrote to memory of 1936	2824	ycbgaj.exe	41
PID 2824 wrote to memory of 1936	2824	ycbgaj.exe	41
PID 2824 wrote to memory of 1936	2824	ycbgaj.exe	41
PID 2824 wrote to memory of 1936	2824	ycbgaj.exe	41
PID 1936 wrote to memory of 2876	1936	hxrjqz.exe	42
PID 1936 wrote to memory of 2876	1936	hxrjqz.exe	42
PID 1936 wrote to memory of 2876	1936	hxrjqz.exe	42
PID 1936 wrote to memory of 2876	1936	hxrjqz.exe	42

C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:468
- C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\ypivtr.exe
    C:\Windows\system32\ypivtr.exe 488 "C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\ypivtr.exe
      488 C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Windows\SysWOW64\kvkvnc.exe
        
        C:\Windows\system32\kvkvnc.exe 444 "C:\Windows\SysWOW64\ypivtr.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1624
      - C:\Windows\SysWOW64\kvkvnc.exe
        
        444 C:\Windows\SysWOW64\ypivtr.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\jmiqok.exe
        
        C:\Windows\system32\jmiqok.exe 444 "C:\Windows\SysWOW64\kvkvnc.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\jmiqok.exe
        
        444 C:\Windows\SysWOW64\kvkvnc.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\qjtwsi.exe
        
        C:\Windows\system32\qjtwsi.exe 476 "C:\Windows\SysWOW64\jmiqok.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\qjtwsi.exe
        
        476 C:\Windows\SysWOW64\jmiqok.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\ycbgaj.exe
        
        C:\Windows\system32\ycbgaj.exe 448 "C:\Windows\SysWOW64\qjtwsi.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\ycbgaj.exe
        
        448 C:\Windows\SysWOW64\qjtwsi.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\hxrjqz.exe
        
        C:\Windows\system32\hxrjqz.exe 444 "C:\Windows\SysWOW64\ycbgaj.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\hxrjqz.exe
        
        444 C:\Windows\SysWOW64\ycbgaj.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2876
        
        C:\Windows\SysWOW64\rutmro.exe
        
        C:\Windows\system32\rutmro.exe 448 "C:\Windows\SysWOW64\hxrjqz.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:704
        
        C:\Windows\SysWOW64\rutmro.exe
        
        448 C:\Windows\SysWOW64\hxrjqz.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1960
        
        C:\Windows\SysWOW64\jasbwc.exe
        
        C:\Windows\system32\jasbwc.exe 472 "C:\Windows\SysWOW64\rutmro.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\SysWOW64\jasbwc.exe
        
        472 C:\Windows\SysWOW64\rutmro.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2316
        
        C:\Windows\SysWOW64\qbomke.exe
        
        C:\Windows\system32\qbomke.exe 444 "C:\Windows\SysWOW64\jasbwc.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Windows\SysWOW64\qbomke.exe
        
        444 C:\Windows\SysWOW64\jasbwc.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\zsbcxy.exe
        
        C:\Windows\system32\zsbcxy.exe 456 "C:\Windows\SysWOW64\qbomke.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:752
        
        C:\Windows\SysWOW64\zsbcxy.exe
        
        456 C:\Windows\SysWOW64\qbomke.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\jvswen.exe
        
        C:\Windows\system32\jvswen.exe 448 "C:\Windows\SysWOW64\zsbcxy.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:892
        
        C:\Windows\SysWOW64\jvswen.exe
        
        448 C:\Windows\SysWOW64\zsbcxy.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\snfmqz.exe
        
        C:\Windows\system32\snfmqz.exe 456 "C:\Windows\SysWOW64\jvswen.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:936
        
        C:\Windows\SysWOW64\snfmqz.exe
        
        456 C:\Windows\SysWOW64\jvswen.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2276
        
        C:\Windows\SysWOW64\isozoz.exe
        
        C:\Windows\system32\isozoz.exe 492 "C:\Windows\SysWOW64\snfmqz.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1412
        
        C:\Windows\SysWOW64\isozoz.exe
        
        492 C:\Windows\SysWOW64\snfmqz.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\matfer.exe
        
        C:\Windows\system32\matfer.exe 456 "C:\Windows\SysWOW64\isozoz.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\matfer.exe
        
        456 C:\Windows\SysWOW64\isozoz.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2096
        
        C:\Windows\SysWOW64\ynifkr.exe
        
        C:\Windows\system32\ynifkr.exe 472 "C:\Windows\SysWOW64\matfer.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:628
        
        C:\Windows\SysWOW64\ynifkr.exe
        
        472 C:\Windows\SysWOW64\matfer.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\leeaul.exe
        
        C:\Windows\system32\leeaul.exe 444 "C:\Windows\SysWOW64\ynifkr.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2784
        
        C:\Windows\SysWOW64\leeaul.exe
        
        444 C:\Windows\SysWOW64\ynifkr.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\stnsby.exe
        
        C:\Windows\system32\stnsby.exe 488 "C:\Windows\SysWOW64\leeaul.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2812
        
        C:\Windows\SysWOW64\stnsby.exe
        
        488 C:\Windows\SysWOW64\leeaul.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\ecrfdt.exe
        
        C:\Windows\system32\ecrfdt.exe 452 "C:\Windows\SysWOW64\stnsby.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2576
        
        C:\Windows\SysWOW64\ecrfdt.exe
        
        452 C:\Windows\SysWOW64\stnsby.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2772
        
        C:\Windows\SysWOW64\tookhu.exe
        
        C:\Windows\system32\tookhu.exe 452 "C:\Windows\SysWOW64\ecrfdt.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1296
        
        C:\Windows\SysWOW64\tookhu.exe
        
        452 C:\Windows\SysWOW64\ecrfdt.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\dobauf.exe
        
        C:\Windows\system32\dobauf.exe 456 "C:\Windows\SysWOW64\tookhu.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2396
        
        C:\Windows\SysWOW64\dobauf.exe
        
        456 C:\Windows\SysWOW64\tookhu.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\uvbqyb.exe
        
        C:\Windows\system32\uvbqyb.exe 456 "C:\Windows\SysWOW64\dobauf.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\uvbqyb.exe
        
        456 C:\Windows\SysWOW64\dobauf.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:520
        
        C:\Windows\SysWOW64\jgydcc.exe
        
        C:\Windows\system32\jgydcc.exe 464 "C:\Windows\SysWOW64\uvbqyb.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2592
        
        C:\Windows\SysWOW64\jgydcc.exe
        
        464 C:\Windows\SysWOW64\uvbqyb.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\gefdvj.exe
        
        C:\Windows\system32\gefdvj.exe 456 "C:\Windows\SysWOW64\jgydcc.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1948
        
        C:\Windows\SysWOW64\gefdvj.exe
        
        456 C:\Windows\SysWOW64\jgydcc.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1104
        
        C:\Windows\SysWOW64\eqbqtl.exe
        
        C:\Windows\system32\eqbqtl.exe 452 "C:\Windows\SysWOW64\gefdvj.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2292
        
        C:\Windows\SysWOW64\eqbqtl.exe
        
        452 C:\Windows\SysWOW64\gefdvj.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\ntzlab.exe
        
        C:\Windows\system32\ntzlab.exe 532 "C:\Windows\SysWOW64\eqbqtl.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1384
        
        C:\Windows\SysWOW64\ntzlab.exe
        
        532 C:\Windows\SysWOW64\eqbqtl.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1148
        
        C:\Windows\SysWOW64\xhboki.exe
        
        C:\Windows\system32\xhboki.exe 492 "C:\Windows\SysWOW64\ntzlab.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2380
        
        C:\Windows\SysWOW64\xhboki.exe
        
        492 C:\Windows\SysWOW64\ntzlab.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\ggcdcc.exe
        
        C:\Windows\system32\ggcdcc.exe 472 "C:\Windows\SysWOW64\xhboki.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2008
        
        C:\Windows\SysWOW64\ggcdcc.exe
        
        472 C:\Windows\SysWOW64\xhboki.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\txgrfx.exe
        
        C:\Windows\system32\txgrfx.exe 472 "C:\Windows\SysWOW64\ggcdcc.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2424
        
        C:\Windows\SysWOW64\txgrfx.exe
        
        472 C:\Windows\SysWOW64\ggcdcc.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2052
        
        C:\Windows\SysWOW64\dotgrj.exe
        
        C:\Windows\system32\dotgrj.exe 448 "C:\Windows\SysWOW64\txgrfx.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2444
        
        C:\Windows\SysWOW64\dotgrj.exe
        
        448 C:\Windows\SysWOW64\txgrfx.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\moywvu.exe
        
        C:\Windows\system32\moywvu.exe 456 "C:\Windows\SysWOW64\dotgrj.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\moywvu.exe
        
        456 C:\Windows\SysWOW64\dotgrj.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\egjuui.exe
        
        C:\Windows\system32\egjuui.exe 460 "C:\Windows\SysWOW64\moywvu.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1556
        
        C:\Windows\SysWOW64\egjuui.exe
        
        460 C:\Windows\SysWOW64\moywvu.exe
        64⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\thdrer.exe
        
        C:\Windows\system32\thdrer.exe 472 "C:\Windows\SysWOW64\egjuui.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\SysWOW64\thdrer.exe
        
        472 C:\Windows\SysWOW64\egjuui.exe
        66⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Windows\SysWOW64\dyqhqc.exe
        
        C:\Windows\system32\dyqhqc.exe 464 "C:\Windows\SysWOW64\thdrer.exe"
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2656
        
        C:\Windows\SysWOW64\dyqhqc.exe
        
        464 C:\Windows\SysWOW64\thdrer.exe
        68⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\hejpqt.exe
        
        C:\Windows\system32\hejpqt.exe 444 "C:\Windows\SysWOW64\dyqhqc.exe"
        69⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\SysWOW64\hejpqt.exe
        
        444 C:\Windows\SysWOW64\dyqhqc.exe
        70⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\ckrktq.exe
        
        C:\Windows\system32\ckrktq.exe 444 "C:\Windows\SysWOW64\hejpqt.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Windows\SysWOW64\ckrktq.exe
        
        444 C:\Windows\SysWOW64\hejpqt.exe
        72⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\wusrys.exe
        
        C:\Windows\system32\wusrys.exe 468 "C:\Windows\SysWOW64\ckrktq.exe"
        73⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\wusrys.exe
        
        468 C:\Windows\SysWOW64\ckrktq.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\izlzyj.exe
        
        C:\Windows\system32\izlzyj.exe 492 "C:\Windows\SysWOW64\wusrys.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2384
        
        C:\Windows\SysWOW64\izlzyj.exe
        
        492 C:\Windows\SysWOW64\wusrys.exe
        76⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\uxdmhm.exe
        
        C:\Windows\system32\uxdmhm.exe 476 "C:\Windows\SysWOW64\izlzyj.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3012
        
        C:\Windows\SysWOW64\uxdmhm.exe
        
        476 C:\Windows\SysWOW64\izlzyj.exe
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\mxokgs.exe
        
        C:\Windows\system32\mxokgs.exe 448 "C:\Windows\SysWOW64\uxdmhm.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\mxokgs.exe
        
        448 C:\Windows\SysWOW64\uxdmhm.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\bmxcme.exe
        
        C:\Windows\system32\bmxcme.exe 456 "C:\Windows\SysWOW64\mxokgs.exe"
        81⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1844
        
        C:\Windows\SysWOW64\bmxcme.exe
        
        456 C:\Windows\SysWOW64\mxokgs.exe
        82⤵
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\leksyq.exe
        
        C:\Windows\system32\leksyq.exe 444 "C:\Windows\SysWOW64\bmxcme.exe"
        83⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\leksyq.exe
        
        444 C:\Windows\SysWOW64\bmxcme.exe
        84⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\fksnbn.exe
        
        C:\Windows\system32\fksnbn.exe 480 "C:\Windows\SysWOW64\leksyq.exe"
        85⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2076
        
        C:\Windows\SysWOW64\fksnbn.exe
        
        480 C:\Windows\SysWOW64\leksyq.exe
        86⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\pycqdv.exe
        
        C:\Windows\system32\pycqdv.exe 524 "C:\Windows\SysWOW64\fksnbn.exe"
        87⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\SysWOW64\pycqdv.exe
        
        524 C:\Windows\SysWOW64\fksnbn.exe
        88⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\bljqiu.exe
        
        C:\Windows\system32\bljqiu.exe 448 "C:\Windows\SysWOW64\pycqdv.exe"
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:968
        
        C:\Windows\SysWOW64\bljqiu.exe
        
        448 C:\Windows\SysWOW64\pycqdv.exe
        90⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\wrztlr.exe
        
        C:\Windows\system32\wrztlr.exe 448 "C:\Windows\SysWOW64\bljqiu.exe"
        91⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1616
        
        C:\Windows\SysWOW64\wrztlr.exe
        
        448 C:\Windows\SysWOW64\bljqiu.exe
        92⤵
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\fmpnah.exe
        
        C:\Windows\system32\fmpnah.exe 456 "C:\Windows\SysWOW64\wrztlr.exe"
        93⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\fmpnah.exe
        
        456 C:\Windows\SysWOW64\wrztlr.exe
        94⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\sdtidc.exe
        
        C:\Windows\system32\sdtidc.exe 452 "C:\Windows\SysWOW64\fmpnah.exe"
        95⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Windows\SysWOW64\sdtidc.exe
        
        452 C:\Windows\SysWOW64\fmpnah.exe
        96⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\jktyiq.exe
        
        C:\Windows\system32\jktyiq.exe 456 "C:\Windows\SysWOW64\sdtidc.exe"
        97⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
        
        C:\Windows\SysWOW64\jktyiq.exe
        
        456 C:\Windows\SysWOW64\sdtidc.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\ywqdlz.exe
        
        C:\Windows\system32\ywqdlz.exe 464 "C:\Windows\SysWOW64\jktyiq.exe"
        99⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\ywqdlz.exe
        
        464 C:\Windows\SysWOW64\jktyiq.exe
        100⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\tqvtls.exe
        
        C:\Windows\system32\tqvtls.exe 440 "C:\Windows\SysWOW64\ywqdlz.exe"
        101⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\tqvtls.exe
        
        440 C:\Windows\SysWOW64\ywqdlz.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\defwnz.exe
        
        C:\Windows\system32\defwnz.exe 452 "C:\Windows\SysWOW64\tqvtls.exe"
        103⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\defwnz.exe
        
        452 C:\Windows\SysWOW64\tqvtls.exe
        104⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\xlnrqx.exe
        
        C:\Windows\system32\xlnrqx.exe 444 "C:\Windows\SysWOW64\defwnz.exe"
        105⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2660
        
        C:\Windows\SysWOW64\xlnrqx.exe
        
        444 C:\Windows\SysWOW64\defwnz.exe
        106⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\gdybxp.exe
        
        C:\Windows\system32\gdybxp.exe 448 "C:\Windows\SysWOW64\xlnrqx.exe"
        107⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3036
        
        C:\Windows\SysWOW64\gdybxp.exe
        
        448 C:\Windows\SysWOW64\xlnrqx.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\bydjxi.exe
        
        C:\Windows\system32\bydjxi.exe 472 "C:\Windows\SysWOW64\gdybxp.exe"
        109⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:316
        
        C:\Windows\SysWOW64\bydjxi.exe
        
        472 C:\Windows\SysWOW64\gdybxp.exe
        110⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\vwtesg.exe
        
        C:\Windows\system32\vwtesg.exe 456 "C:\Windows\SysWOW64\bydjxi.exe"
        111⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1876
        
        C:\Windows\SysWOW64\vwtesg.exe
        
        456 C:\Windows\SysWOW64\bydjxi.exe
        112⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\hulrij.exe
        
        C:\Windows\system32\hulrij.exe 452 "C:\Windows\SysWOW64\vwtesg.exe"
        113⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\hulrij.exe
        
        452 C:\Windows\SysWOW64\vwtesg.exe
        114⤵
        Drops file in System32 directory
        
        PID:2832
        
        C:\Windows\SysWOW64\eohmym.exe
        
        C:\Windows\system32\eohmym.exe 444 "C:\Windows\SysWOW64\hulrij.exe"
        115⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2956
        
        C:\Windows\SysWOW64\eohmym.exe
        
        444 C:\Windows\SysWOW64\hulrij.exe
        116⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\tanrcn.exe
        
        C:\Windows\system32\tanrcn.exe 452 "C:\Windows\SysWOW64\eohmym.exe"
        117⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\tanrcn.exe
        
        452 C:\Windows\SysWOW64\eohmym.exe
        118⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\nbgzio.exe
        
        C:\Windows\system32\nbgzio.exe 448 "C:\Windows\SysWOW64\tanrcn.exe"
        119⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2160
        
        C:\Windows\SysWOW64\nbgzio.exe
        
        448 C:\Windows\SysWOW64\tanrcn.exe
        120⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\ffvkky.exe
        
        C:\Windows\system32\ffvkky.exe 448 "C:\Windows\SysWOW64\nbgzio.exe"
        121⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\ffvkky.exe
        
        448 C:\Windows\SysWOW64\nbgzio.exe
        122⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\ucluql.exe
        
        C:\Windows\system32\ucluql.exe 452 "C:\Windows\SysWOW64\ffvkky.exe"
        123⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\SysWOW64\ucluql.exe
        
        452 C:\Windows\SysWOW64\ffvkky.exe
        124⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\eqnfas.exe
        
        C:\Windows\system32\eqnfas.exe 452 "C:\Windows\SysWOW64\ucluql.exe"
        125⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:1396
        
        C:\Windows\SysWOW64\eqnfas.exe
        
        452 C:\Windows\SysWOW64\ucluql.exe
        126⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\yovauq.exe
        
        C:\Windows\system32\yovauq.exe 456 "C:\Windows\SysWOW64\eqnfas.exe"
        127⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Windows\SysWOW64\yovauq.exe
        
        456 C:\Windows\SysWOW64\eqnfas.exe
        128⤵
        
        PID:236
        
        C:\Windows\SysWOW64\tjihuj.exe
        
        C:\Windows\system32\tjihuj.exe 448 "C:\Windows\SysWOW64\yovauq.exe"
        129⤵
        
        PID:868
        
        C:\Windows\SysWOW64\tjihuj.exe
        
        448 C:\Windows\SysWOW64\yovauq.exe
        130⤵
        
        PID:960
        
        C:\Windows\SysWOW64\kyifzx.exe
        
        C:\Windows\system32\kyifzx.exe 472 "C:\Windows\SysWOW64\tjihuj.exe"
        131⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\kyifzx.exe
        
        472 C:\Windows\SysWOW64\tjihuj.exe
        132⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\rbidqm.exe
        
        C:\Windows\system32\rbidqm.exe 444 "C:\Windows\SysWOW64\kyifzx.exe"
        133⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\rbidqm.exe
        
        444 C:\Windows\SysWOW64\kyifzx.exe
        134⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\liyxlj.exe
        
        C:\Windows\system32\liyxlj.exe 464 "C:\Windows\SysWOW64\rbidqm.exe"
        135⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\liyxlj.exe
        
        464 C:\Windows\SysWOW64\rbidqm.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\gzsaiy.exe
        
        C:\Windows\system32\gzsaiy.exe 452 "C:\Windows\SysWOW64\liyxlj.exe"
        137⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\gzsaiy.exe
        
        452 C:\Windows\SysWOW64\liyxlj.exe
        138⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\spsnqc.exe
        
        C:\Windows\system32\spsnqc.exe 492 "C:\Windows\SysWOW64\gzsaiy.exe"
        139⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\spsnqc.exe
        
        492 C:\Windows\SysWOW64\gzsaiy.exe
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\fgnabp.exe
        
        C:\Windows\system32\fgnabp.exe 460 "C:\Windows\SysWOW64\spsnqc.exe"
        141⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\fgnabp.exe
        
        460 C:\Windows\SysWOW64\spsnqc.exe
        142⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\tvwtib.exe
        
        C:\Windows\system32\tvwtib.exe 496 "C:\Windows\SysWOW64\fgnabp.exe"
        143⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\tvwtib.exe
        
        496 C:\Windows\SysWOW64\fgnabp.exe
        144⤵
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\dztdjl.exe
        
        C:\Windows\system32\dztdjl.exe 456 "C:\Windows\SysWOW64\tvwtib.exe"
        145⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\dztdjl.exe
        
        456 C:\Windows\SysWOW64\tvwtib.exe
        146⤵
        
        PID:576
        
        C:\Windows\SysWOW64\fxiyty.exe
        
        C:\Windows\system32\fxiyty.exe 456 "C:\Windows\SysWOW64\dztdjl.exe"
        147⤵
        
        PID:944
        
        C:\Windows\SysWOW64\fxiyty.exe
        
        456 C:\Windows\SysWOW64\dztdjl.exe
        148⤵
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\rvalbt.exe
        
        C:\Windows\system32\rvalbt.exe 456 "C:\Windows\SysWOW64\fxiyty.exe"
        149⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\rvalbt.exe
        
        456 C:\Windows\SysWOW64\fxiyty.exe
        150⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\jkajgp.exe
        
        C:\Windows\system32\jkajgp.exe 452 "C:\Windows\SysWOW64\rvalbt.exe"
        151⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\jkajgp.exe
        
        452 C:\Windows\SysWOW64\rvalbt.exe
        152⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\gwvwek.exe
        
        C:\Windows\system32\gwvwek.exe 448 "C:\Windows\SysWOW64\jkajgp.exe"
        153⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\gwvwek.exe
        
        448 C:\Windows\SysWOW64\jkajgp.exe
        154⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\vmeokx.exe
        
        C:\Windows\system32\vmeokx.exe 472 "C:\Windows\SysWOW64\gwvwek.exe"
        155⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\vmeokx.exe
        
        472 C:\Windows\SysWOW64\gwvwek.exe
        156⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\kyctox.exe
        
        C:\Windows\system32\kyctox.exe 452 "C:\Windows\SysWOW64\vmeokx.exe"
        157⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\kyctox.exe
        
        452 C:\Windows\SysWOW64\vmeokx.exe
        158⤵
        
        PID:748
        
        C:\Windows\SysWOW64\xduboo.exe
        
        C:\Windows\system32\xduboo.exe 440 "C:\Windows\SysWOW64\kyctox.exe"
        159⤵
        
        PID:968
        
        C:\Windows\SysWOW64\xduboo.exe
        
        440 C:\Windows\SysWOW64\kyctox.exe
        160⤵
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\osursk.exe
        
        C:\Windows\system32\osursk.exe 452 "C:\Windows\SysWOW64\xduboo.exe"
        161⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\osursk.exe
        
        452 C:\Windows\SysWOW64\xduboo.exe
        162⤵
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\gvicuu.exe
        
        C:\Windows\system32\gvicuu.exe 452 "C:\Windows\SysWOW64\osursk.exe"
        163⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\gvicuu.exe
        
        452 C:\Windows\SysWOW64\osursk.exe
        164⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\pqgejk.exe
        
        C:\Windows\system32\pqgejk.exe 448 "C:\Windows\SysWOW64\gvicuu.exe"
        165⤵
        
        PID:952
        
        C:\Windows\SysWOW64\pqgejk.exe
        
        448 C:\Windows\SysWOW64\gvicuu.exe
        166⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\hfguoy.exe
        
        C:\Windows\system32\hfguoy.exe 472 "C:\Windows\SysWOW64\pqgejk.exe"
        167⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\hfguoy.exe
        
        472 C:\Windows\SysWOW64\pqgejk.exe
        168⤵
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\wfsmpc.exe
        
        C:\Windows\system32\wfsmpc.exe 476 "C:\Windows\SysWOW64\hfguoy.exe"
        169⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\wfsmpc.exe
        
        476 C:\Windows\SysWOW64\hfguoy.exe
        170⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\ojoxrm.exe
        
        C:\Windows\system32\ojoxrm.exe 452 "C:\Windows\SysWOW64\wfsmpc.exe"
        171⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\ojoxrm.exe
        
        452 C:\Windows\SysWOW64\wfsmpc.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\nbpplz.exe
        
        C:\Windows\system32\nbpplz.exe 456 "C:\Windows\SysWOW64\ojoxrm.exe"
        173⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\nbpplz.exe
        
        456 C:\Windows\SysWOW64\ojoxrm.exe
        174⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\ftassr.exe
        
        C:\Windows\system32\ftassr.exe 460 "C:\Windows\SysWOW64\nbpplz.exe"
        175⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\ftassr.exe
        
        460 C:\Windows\SysWOW64\nbpplz.exe
        176⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\olnhxk.exe
        
        C:\Windows\system32\olnhxk.exe 444 "C:\Windows\SysWOW64\ftassr.exe"
        177⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\olnhxk.exe
        
        444 C:\Windows\SysWOW64\ftassr.exe
        178⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\glqfwq.exe
        
        C:\Windows\system32\glqfwq.exe 460 "C:\Windows\SysWOW64\olnhxk.exe"
        179⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\glqfwq.exe
        
        460 C:\Windows\SysWOW64\olnhxk.exe
        180⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\ydbidj.exe
        
        C:\Windows\system32\ydbidj.exe 448 "C:\Windows\SysWOW64\glqfwq.exe"
        181⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\ydbidj.exe
        
        448 C:\Windows\SysWOW64\glqfwq.exe
        182⤵
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\zvoxqu.exe
        
        C:\Windows\system32\zvoxqu.exe 444 "C:\Windows\SysWOW64\ydbidj.exe"
        183⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\zvoxqu.exe
        
        444 C:\Windows\SysWOW64\ydbidj.exe
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\rycirm.exe
        
        C:\Windows\system32\rycirm.exe 452 "C:\Windows\SysWOW64\zvoxqu.exe"
        185⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\rycirm.exe
        
        452 C:\Windows\SysWOW64\zvoxqu.exe
        186⤵
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\jfcxwa.exe
        
        C:\Windows\system32\jfcxwa.exe 452 "C:\Windows\SysWOW64\rycirm.exe"
        187⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\jfcxwa.exe
        
        452 C:\Windows\SysWOW64\rycirm.exe
        188⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\ynoyxe.exe
        
        C:\Windows\system32\ynoyxe.exe 456 "C:\Windows\SysWOW64\jfcxwa.exe"
        189⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\ynoyxe.exe
        
        456 C:\Windows\SysWOW64\jfcxwa.exe
        190⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\frwnol.exe
        
        C:\Windows\system32\frwnol.exe 508 "C:\Windows\SysWOW64\ynoyxe.exe"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\frwnol.exe
        
        508 C:\Windows\SysWOW64\ynoyxe.exe
        192⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\rizirf.exe
        
        C:\Windows\system32\rizirf.exe 444 "C:\Windows\SysWOW64\frwnol.exe"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\rizirf.exe
        
        444 C:\Windows\SysWOW64\frwnol.exe
        194⤵
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\jlotsp.exe
        
        C:\Windows\system32\jlotsp.exe 444 "C:\Windows\SysWOW64\rizirf.exe"
        195⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\jlotsp.exe
        
        444 C:\Windows\SysWOW64\rizirf.exe
        196⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\qlkdhz.exe
        
        C:\Windows\system32\qlkdhz.exe 448 "C:\Windows\SysWOW64\jlotsp.exe"
        197⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\qlkdhz.exe
        
        448 C:\Windows\SysWOW64\jlotsp.exe
        198⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\lcegwo.exe
        
        C:\Windows\system32\lcegwo.exe 444 "C:\Windows\SysWOW64\qlkdhz.exe"
        199⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\lcegwo.exe
        
        444 C:\Windows\SysWOW64\qlkdhz.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\ugcble.exe
        
        C:\Windows\system32\ugcble.exe 448 "C:\Windows\SysWOW64\lcegwo.exe"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\ugcble.exe
        
        448 C:\Windows\SysWOW64\lcegwo.exe
        202⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\jgotmi.exe
        
        C:\Windows\system32\jgotmi.exe 448 "C:\Windows\SysWOW64\ugcble.exe"
        203⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\jgotmi.exe
        
        448 C:\Windows\SysWOW64\ugcble.exe
        204⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\wadbrz.exe
        
        C:\Windows\system32\wadbrz.exe 448 "C:\Windows\SysWOW64\jgotmi.exe"
        205⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\wadbrz.exe
        
        448 C:\Windows\SysWOW64\jgotmi.exe
        206⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\ivkbfz.exe
        
        C:\Windows\system32\ivkbfz.exe 444 "C:\Windows\SysWOW64\wadbrz.exe"
        207⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\ivkbfz.exe
        
        444 C:\Windows\SysWOW64\wadbrz.exe
        208⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\ctbwaw.exe
        
        C:\Windows\system32\ctbwaw.exe 444 "C:\Windows\SysWOW64\ivkbfz.exe"
        209⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\ctbwaw.exe
        
        444 C:\Windows\SysWOW64\ivkbfz.exe
        210⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\zrhwbd.exe
        
        C:\Windows\system32\zrhwbd.exe 444 "C:\Windows\SysWOW64\ctbwaw.exe"
        211⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\zrhwbd.exe
        
        444 C:\Windows\SysWOW64\ctbwaw.exe
        212⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\ogqphi.exe
        
        C:\Windows\system32\ogqphi.exe 452 "C:\Windows\SysWOW64\zrhwbd.exe"
        213⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\ogqphi.exe
        
        452 C:\Windows\SysWOW64\zrhwbd.exe
        214⤵
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\vgnzvs.exe
        
        C:\Windows\system32\vgnzvs.exe 448 "C:\Windows\SysWOW64\ogqphi.exe"
        215⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\vgnzvs.exe
        
        448 C:\Windows\SysWOW64\ogqphi.exe
        216⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\hxquyn.exe
        
        C:\Windows\system32\hxquyn.exe 492 "C:\Windows\SysWOW64\vgnzvs.exe"
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\hxquyn.exe
        
        492 C:\Windows\SysWOW64\vgnzvs.exe
        218⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\ojozcn.exe
        
        C:\Windows\system32\ojozcn.exe 472 "C:\Windows\SysWOW64\hxquyn.exe"
        219⤵
        
        PID:540
        
        C:\Windows\SysWOW64\ojozcn.exe
        
        472 C:\Windows\SysWOW64\hxquyn.exe
        220⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\gqnpgk.exe
        
        C:\Windows\system32\gqnpgk.exe 452 "C:\Windows\SysWOW64\ojozcn.exe"
        221⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\gqnpgk.exe
        
        452 C:\Windows\SysWOW64\ojozcn.exe
        222⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\bhhsdz.exe
        
        C:\Windows\system32\bhhsdz.exe 456 "C:\Windows\SysWOW64\gqnpgk.exe"
        223⤵
        
        PID:972
        
        C:\Windows\SysWOW64\bhhsdz.exe
        
        456 C:\Windows\SysWOW64\gqnpgk.exe
        224⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\kkfvto.exe
        
        C:\Windows\system32\kkfvto.exe 460 "C:\Windows\SysWOW64\bhhsdz.exe"
        225⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\kkfvto.exe
        
        460 C:\Windows\SysWOW64\bhhsdz.exe
        226⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\ufwpae.exe
        
        C:\Windows\system32\ufwpae.exe 456 "C:\Windows\SysWOW64\kkfvto.exe"
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\ufwpae.exe
        
        456 C:\Windows\SysWOW64\kkfvto.exe
        228⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\mfhnzk.exe
        
        C:\Windows\system32\mfhnzk.exe 444 "C:\Windows\SysWOW64\ufwpae.exe"
        229⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\mfhnzk.exe
        
        444 C:\Windows\SysWOW64\ufwpae.exe
        230⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\sjokqy.exe
        
        C:\Windows\system32\sjokqy.exe 476 "C:\Windows\SysWOW64\mfhnzk.exe"
        231⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\sjokqy.exe
        
        476 C:\Windows\SysWOW64\mfhnzk.exe
        232⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\fwhsqo.exe
        
        C:\Windows\system32\fwhsqo.exe 460 "C:\Windows\SysWOW64\sjokqy.exe"
        233⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\fwhsqo.exe
        
        460 C:\Windows\SysWOW64\sjokqy.exe
        234⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\magqhv.exe
        
        C:\Windows\system32\magqhv.exe 456 "C:\Windows\SysWOW64\fwhsqo.exe"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\magqhv.exe
        
        456 C:\Windows\SysWOW64\fwhsqo.exe
        236⤵
        
        PID:916
        
        C:\Windows\SysWOW64\bibiiz.exe
        
        C:\Windows\system32\bibiiz.exe 472 "C:\Windows\SysWOW64\magqhv.exe"
        237⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\bibiiz.exe
        
        472 C:\Windows\SysWOW64\magqhv.exe
        238⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\ijxtwb.exe
        
        C:\Windows\system32\ijxtwb.exe 472 "C:\Windows\SysWOW64\bibiiz.exe"
        239⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\ijxtwb.exe
        
        472 C:\Windows\SysWOW64\bibiiz.exe
        240⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\fkhgsm.exe
        
        C:\Windows\system32\fkhgsm.exe 440 "C:\Windows\SysWOW64\ijxtwb.exe"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\fkhgsm.exe
        
        440 C:\Windows\SysWOW64\ijxtwb.exe
        242⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\uvnldn.exe
        
        C:\Windows\system32\uvnldn.exe 476 "C:\Windows\SysWOW64\fkhgsm.exe"
        243⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\uvnldn.exe
        
        476 C:\Windows\SysWOW64\fkhgsm.exe
        244⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\jwzder.exe
        
        C:\Windows\system32\jwzder.exe 452 "C:\Windows\SysWOW64\uvnldn.exe"
        245⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\jwzder.exe
        
        452 C:\Windows\SysWOW64\uvnldn.exe
        246⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\tvmtjd.exe
        
        C:\Windows\system32\tvmtjd.exe 444 "C:\Windows\SysWOW64\jwzder.exe"
        247⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\tvmtjd.exe
        
        444 C:\Windows\SysWOW64\jwzder.exe
        248⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\izkzml.exe
        
        C:\Windows\system32\izkzml.exe 456 "C:\Windows\SysWOW64\tvmtjd.exe"
        249⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\izkzml.exe
        
        456 C:\Windows\SysWOW64\tvmtjd.exe
        250⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\pigjan.exe
        
        C:\Windows\system32\pigjan.exe 452 "C:\Windows\SysWOW64\izkzml.exe"
        251⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\pigjan.exe
        
        452 C:\Windows\SysWOW64\izkzml.exe
        252⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\yogzfj.exe
        
        C:\Windows\system32\yogzfj.exe 448 "C:\Windows\SysWOW64\pigjan.exe"
        253⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\yogzfj.exe
        
        448 C:\Windows\SysWOW64\pigjan.exe
        254⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\igtosv.exe
        
        C:\Windows\system32\igtosv.exe 492 "C:\Windows\SysWOW64\yogzfj.exe"
        255⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\igtosv.exe
        
        492 C:\Windows\SysWOW64\yogzfj.exe
        256⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\suurtc.exe
        
        C:\Windows\system32\suurtc.exe 464 "C:\Windows\SysWOW64\igtosv.exe"
        257⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\suurtc.exe
        
        464 C:\Windows\SysWOW64\igtosv.exe
        258⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\mewzze.exe
        
        C:\Windows\system32\mewzze.exe 444 "C:\Windows\SysWOW64\suurtc.exe"
        259⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\mewzze.exe
        
        444 C:\Windows\SysWOW64\suurtc.exe
        260⤵
        
        PID:896
        
        C:\Windows\SysWOW64\edzxyj.exe
        
        C:\Windows\system32\edzxyj.exe 464 "C:\Windows\SysWOW64\mewzze.exe"
        261⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\edzxyj.exe
        
        464 C:\Windows\SysWOW64\mewzze.exe
        262⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\ovmmcd.exe
        
        C:\Windows\system32\ovmmcd.exe 456 "C:\Windows\SysWOW64\edzxyj.exe"
        263⤵
        
        PID:968
        
        C:\Windows\SysWOW64\ovmmcd.exe
        
        456 C:\Windows\SysWOW64\edzxyj.exe
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\ynzcpo.exe
        
        C:\Windows\system32\ynzcpo.exe 476 "C:\Windows\SysWOW64\ovmmcd.exe"
        265⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\ynzcpo.exe
        
        476 C:\Windows\SysWOW64\ovmmcd.exe
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\hmmsba.exe
        
        C:\Windows\system32\hmmsba.exe 444 "C:\Windows\SysWOW64\ynzcpo.exe"
        267⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\hmmsba.exe
        
        444 C:\Windows\SysWOW64\ynzcpo.exe
        268⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\rhcnip.exe
        
        C:\Windows\system32\rhcnip.exe 444 "C:\Windows\SysWOW64\hmmsba.exe"
        269⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\rhcnip.exe
        
        444 C:\Windows\SysWOW64\hmmsba.exe
        270⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\bhpcvb.exe
        
        C:\Windows\system32\bhpcvb.exe 452 "C:\Windows\SysWOW64\rhcnip.exe"
        271⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\bhpcvb.exe
        
        452 C:\Windows\SysWOW64\rhcnip.exe
        272⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\awnimr.exe
        
        C:\Windows\system32\awnimr.exe 520 "C:\Windows\SysWOW64\bhpcvb.exe"
        273⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\awnimr.exe
        
        520 C:\Windows\SysWOW64\bhpcvb.exe
        274⤵
        
        PID:876
        
        C:\Windows\SysWOW64\niuirq.exe
        
        C:\Windows\system32\niuirq.exe 456 "C:\Windows\SysWOW64\awnimr.exe"
        275⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\niuirq.exe
        
        456 C:\Windows\SysWOW64\awnimr.exe
        276⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\croasn.exe
        
        C:\Windows\system32\croasn.exe 444 "C:\Windows\SysWOW64\niuirq.exe"
        277⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\croasn.exe
        
        444 C:\Windows\SysWOW64\niuirq.exe
        278⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\waiiyo.exe
        
        C:\Windows\system32\waiiyo.exe 448 "C:\Windows\SysWOW64\croasn.exe"
        279⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\waiiyo.exe
        
        448 C:\Windows\SysWOW64\croasn.exe
        280⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\qcjqeq.exe
        
        C:\Windows\system32\qcjqeq.exe 448 "C:\Windows\SysWOW64\waiiyo.exe"
        281⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\qcjqeq.exe
        
        448 C:\Windows\SysWOW64\waiiyo.exe
        282⤵
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\naqqxx.exe
        
        C:\Windows\system32\naqqxx.exe 452 "C:\Windows\SysWOW64\qcjqeq.exe"
        283⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\naqqxx.exe
        
        452 C:\Windows\SysWOW64\qcjqeq.exe
        284⤵
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\xrvgjj.exe
        
        C:\Windows\system32\xrvgjj.exe 440 "C:\Windows\SysWOW64\naqqxx.exe"
        285⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\xrvgjj.exe
        
        440 C:\Windows\SysWOW64\naqqxx.exe
        286⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\eldysc.exe
        
        C:\Windows\system32\eldysc.exe 464 "C:\Windows\SysWOW64\xrvgjj.exe"
        287⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\eldysc.exe
        
        464 C:\Windows\SysWOW64\xrvgjj.exe
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\quwgpe.exe
        
        C:\Windows\system32\quwgpe.exe 472 "C:\Windows\SysWOW64\eldysc.exe"
        289⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\quwgpe.exe
        
        472 C:\Windows\SysWOW64\eldysc.exe
        290⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\amjwcq.exe
        
        C:\Windows\system32\amjwcq.exe 448 "C:\Windows\SysWOW64\quwgpe.exe"
        291⤵
        
        PID:540
        
        C:\Windows\SysWOW64\amjwcq.exe
        
        448 C:\Windows\SysWOW64\quwgpe.exe
        292⤵
        
        PID:560
        
        C:\Windows\SysWOW64\jphqrn.exe
        
        C:\Windows\system32\jphqrn.exe 464 "C:\Windows\SysWOW64\amjwcq.exe"
        293⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\jphqrn.exe
        
        464 C:\Windows\SysWOW64\amjwcq.exe
        294⤵
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\ekmgjh.exe
        
        C:\Windows\system32\ekmgjh.exe 464 "C:\Windows\SysWOW64\jphqrn.exe"
        295⤵
        
        PID:580
        
        C:\Windows\SysWOW64\ekmgjh.exe
        
        464 C:\Windows\SysWOW64\jphqrn.exe
        296⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\wnbjlq.exe
        
        C:\Windows\system32\wnbjlq.exe 456 "C:\Windows\SysWOW64\ekmgjh.exe"
        297⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\wnbjlq.exe
        
        456 C:\Windows\SysWOW64\ekmgjh.exe
        298⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\lzgwor.exe
        
        C:\Windows\system32\lzgwor.exe 456 "C:\Windows\SysWOW64\wnbjlq.exe"
        299⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\lzgwor.exe
        
        456 C:\Windows\SysWOW64\wnbjlq.exe
        300⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\rcgmff.exe
        
        C:\Windows\system32\rcgmff.exe 472 "C:\Windows\SysWOW64\lzgwor.exe"
        301⤵
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\rcgmff.exe
        
        472 C:\Windows\SysWOW64\lzgwor.exe
        302⤵
        Drops file in System32 directory
        
        PID:888
        
        C:\Windows\SysWOW64\jcrjel.exe
        
        C:\Windows\system32\jcrjel.exe 456 "C:\Windows\SysWOW64\rcgmff.exe"
        303⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\jcrjel.exe
        
        456 C:\Windows\SysWOW64\rcgmff.exe
        304⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\yoppit.exe
        
        C:\Windows\system32\yoppit.exe 472 "C:\Windows\SysWOW64\jcrjel.exe"
        305⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\yoppit.exe
        
        472 C:\Windows\SysWOW64\jcrjel.exe
        306⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\igcevf.exe
        
        C:\Windows\system32\igcevf.exe 448 "C:\Windows\SysWOW64\yoppit.exe"
        307⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\igcevf.exe
        
        448 C:\Windows\SysWOW64\yoppit.exe
        308⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\pgypbp.exe
        
        C:\Windows\system32\pgypbp.exe 492 "C:\Windows\SysWOW64\igcevf.exe"
        309⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\pgypbp.exe
        
        492 C:\Windows\SysWOW64\igcevf.exe
        310⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\eokhkl.exe
        
        C:\Windows\system32\eokhkl.exe 472 "C:\Windows\SysWOW64\pgypbp.exe"
        311⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\eokhkl.exe
        
        472 C:\Windows\SysWOW64\pgypbp.exe
        312⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\tetzqy.exe
        
        C:\Windows\system32\tetzqy.exe 448 "C:\Windows\SysWOW64\eokhkl.exe"
        313⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\tetzqy.exe
        
        448 C:\Windows\SysWOW64\eokhkl.exe
        314⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\lstxvm.exe
        
        C:\Windows\system32\lstxvm.exe 452 "C:\Windows\SysWOW64\tetzqy.exe"
        315⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\lstxvm.exe
        
        452 C:\Windows\SysWOW64\tetzqy.exe
        316⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\xylfvd.exe
        
        C:\Windows\system32\xylfvd.exe 528 "C:\Windows\SysWOW64\lstxvm.exe"
        317⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\xylfvd.exe
        
        528 C:\Windows\SysWOW64\lstxvm.exe
        318⤵
        
        PID:316
        
        C:\Windows\SysWOW64\hqynho.exe
        
        C:\Windows\system32\hqynho.exe 456 "C:\Windows\SysWOW64\xylfvd.exe"
        319⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\hqynho.exe
        
        456 C:\Windows\SysWOW64\xylfvd.exe
        320⤵
        
        PID:924
        
        C:\Windows\SysWOW64\bwoqcm.exe
        
        C:\Windows\system32\bwoqcm.exe 444 "C:\Windows\SysWOW64\hqynho.exe"
        321⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\bwoqcm.exe
        
        444 C:\Windows\SysWOW64\hqynho.exe
        322⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\vxqxho.exe
        
        C:\Windows\system32\vxqxho.exe 448 "C:\Windows\SysWOW64\bwoqcm.exe"
        323⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\vxqxho.exe
        
        448 C:\Windows\SysWOW64\bwoqcm.exe
        324⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\fmpnmc.exe
        
        C:\Windows\system32\fmpnmc.exe 464 "C:\Windows\SysWOW64\vxqxho.exe"
        325⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\fmpnmc.exe
        
        464 C:\Windows\SysWOW64\vxqxho.exe
        326⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\rvlipx.exe
        
        C:\Windows\system32\rvlipx.exe 444 "C:\Windows\SysWOW64\fmpnmc.exe"
        327⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\rvlipx.exe
        
        444 C:\Windows\SysWOW64\fmpnmc.exe
        328⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\pphvnz.exe
        
        C:\Windows\system32\pphvnz.exe 444 "C:\Windows\SysWOW64\rvlipx.exe"
        329⤵
        
        PID:560
        
        C:\Windows\SysWOW64\pphvnz.exe
        
        444 C:\Windows\SysWOW64\rvlipx.exe
        330⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\bcwvsy.exe
        
        C:\Windows\system32\bcwvsy.exe 456 "C:\Windows\SysWOW64\pphvnz.exe"
        331⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\bcwvsy.exe
        
        456 C:\Windows\SysWOW64\pphvnz.exe
        332⤵
        
        PID:756
        
        C:\Windows\SysWOW64\vimyvw.exe
        
        C:\Windows\system32\vimyvw.exe 456 "C:\Windows\SysWOW64\bcwvsy.exe"
        333⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\vimyvw.exe
        
        456 C:\Windows\SysWOW64\bcwvsy.exe
        334⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\ictybn.exe
        
        C:\Windows\system32\ictybn.exe 444 "C:\Windows\SysWOW64\vimyvw.exe"
        335⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\ictybn.exe
        
        444 C:\Windows\SysWOW64\vimyvw.exe
        336⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\zghjcf.exe
        
        C:\Windows\system32\zghjcf.exe 460 "C:\Windows\SysWOW64\ictybn.exe"
        337⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\zghjcf.exe
        
        460 C:\Windows\SysWOW64\ictybn.exe
        338⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\jxuypq.exe
        
        C:\Windows\system32\jxuypq.exe 456 "C:\Windows\SysWOW64\zghjcf.exe"
        339⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\jxuypq.exe
        
        456 C:\Windows\SysWOW64\zghjcf.exe
        340⤵
        Drops file in System32 directory
        
        PID:2604
        
        C:\Windows\SysWOW64\dvktko.exe
        
        C:\Windows\system32\dvktko.exe 448 "C:\Windows\SysWOW64\jxuypq.exe"
        341⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\dvktko.exe
        
        448 C:\Windows\SysWOW64\jxuypq.exe
        342⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\vkkjoc.exe
        
        C:\Windows\system32\vkkjoc.exe 444 "C:\Windows\SysWOW64\dvktko.exe"
        343⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\vkkjoc.exe
        
        444 C:\Windows\SysWOW64\dvktko.exe
        344⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\noytqm.exe
        
        C:\Windows\system32\noytqm.exe 456 "C:\Windows\SysWOW64\vkkjoc.exe"
        345⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\noytqm.exe
        
        456 C:\Windows\SysWOW64\vkkjoc.exe
        346⤵
        Drops file in System32 directory
        
        PID:628
        
        C:\Windows\SysWOW64\eyjeyf.exe
        
        C:\Windows\system32\eyjeyf.exe 448 "C:\Windows\SysWOW64\noytqm.exe"
        347⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\eyjeyf.exe
        
        448 C:\Windows\SysWOW64\noytqm.exe
        348⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\zpdzvc.exe
        
        C:\Windows\system32\zpdzvc.exe 444 "C:\Windows\SysWOW64\eyjeyf.exe"
        349⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\zpdzvc.exe
        
        444 C:\Windows\SysWOW64\eyjeyf.exe
        350⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\tzehsv.exe
        
        C:\Windows\system32\tzehsv.exe 456 "C:\Windows\SysWOW64\zpdzvc.exe"
        351⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\tzehsv.exe
        
        456 C:\Windows\SysWOW64\zpdzvc.exe
        352⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\nfvjvt.exe
        
        C:\Windows\system32\nfvjvt.exe 444 "C:\Windows\SysWOW64\tzehsv.exe"
        353⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\nfvjvt.exe
        
        444 C:\Windows\SysWOW64\tzehsv.exe
        354⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\hhorbv.exe
        
        C:\Windows\system32\hhorbv.exe 452 "C:\Windows\SysWOW64\nfvjvt.exe"
        355⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\hhorbv.exe
        
        452 C:\Windows\SysWOW64\nfvjvt.exe
        356⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\uyseeq.exe
        
        C:\Windows\system32\uyseeq.exe 472 "C:\Windows\SysWOW64\hhorbv.exe"
        357⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\uyseeq.exe
        
        472 C:\Windows\SysWOW64\hhorbv.exe
        358⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\lercie.exe
        
        C:\Windows\system32\lercie.exe 448 "C:\Windows\SysWOW64\uyseeq.exe"
        359⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\lercie.exe
        
        448 C:\Windows\SysWOW64\uyseeq.exe
        360⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\SysWOW64\flixlc.exe
        
        C:\Windows\system32\flixlc.exe 448 "C:\Windows\SysWOW64\lercie.exe"
        361⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\flixlc.exe
        
        448 C:\Windows\SysWOW64\lercie.exe
        362⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\acbaaq.exe
        
        C:\Windows\system32\acbaaq.exe 444 "C:\Windows\SysWOW64\flixlc.exe"
        363⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\acbaaq.exe
        
        444 C:\Windows\SysWOW64\flixlc.exe
        364⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\kjbxff.exe
        
        C:\Windows\system32\kjbxff.exe 460 "C:\Windows\SysWOW64\acbaaq.exe"
        365⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\kjbxff.exe
        
        460 C:\Windows\SysWOW64\acbaaq.exe
        366⤵
        
        PID:824
        
        C:\Windows\SysWOW64\wdqxse.exe
        
        C:\Windows\system32\wdqxse.exe 488 "C:\Windows\SysWOW64\kjbxff.exe"
        367⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\wdqxse.exe
        
        488 C:\Windows\SysWOW64\kjbxff.exe
        368⤵
        
        PID:752
        
        C:\Windows\SysWOW64\iqxxyd.exe
        
        C:\Windows\system32\iqxxyd.exe 452 "C:\Windows\SysWOW64\wdqxse.exe"
        369⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\iqxxyd.exe
        
        452 C:\Windows\SysWOW64\wdqxse.exe
        370⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\fnexrk.exe
        
        C:\Windows\system32\fnexrk.exe 440 "C:\Windows\SysWOW64\iqxxyd.exe"
        371⤵
        
        PID:532
        
        C:\Windows\SysWOW64\fnexrk.exe
        
        440 C:\Windows\SysWOW64\iqxxyd.exe
        372⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\pfrndv.exe
        
        C:\Windows\system32\pfrndv.exe 452 "C:\Windows\SysWOW64\fnexrk.exe"
        373⤵
        
        PID:616
        
        C:\Windows\SysWOW64\pfrndv.exe
        
        452 C:\Windows\SysWOW64\fnexrk.exe
        374⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\yihqsl.exe
        
        C:\Windows\system32\yihqsl.exe 444 "C:\Windows\SysWOW64\pfrndv.exe"
        375⤵
        
        PID:888
        
        C:\Windows\SysWOW64\yihqsl.exe
        
        444 C:\Windows\SysWOW64\pfrndv.exe
        376⤵
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\nufvwu.exe
        
        C:\Windows\system32\nufvwu.exe 472 "C:\Windows\SysWOW64\yihqsl.exe"
        377⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\nufvwu.exe
        
        472 C:\Windows\SysWOW64\yihqsl.exe
        378⤵
        
        PID:948
        
        C:\Windows\SysWOW64\azxvwk.exe
        
        C:\Windows\system32\azxvwk.exe 448 "C:\Windows\SysWOW64\nufvwu.exe"
        379⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\azxvwk.exe
        
        448 C:\Windows\SysWOW64\nufvwu.exe
        380⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\sctgyu.exe
        
        C:\Windows\system32\sctgyu.exe 468 "C:\Windows\SysWOW64\azxvwk.exe"
        381⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\sctgyu.exe
        
        468 C:\Windows\SysWOW64\azxvwk.exe
        382⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\jvwifn.exe
        
        C:\Windows\system32\jvwifn.exe 464 "C:\Windows\SysWOW64\sctgyu.exe"
        383⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\jvwifn.exe
        
        464 C:\Windows\SysWOW64\sctgyu.exe
        384⤵
        
        PID:628
        
        C:\Windows\SysWOW64\bvhoea.exe
        
        C:\Windows\system32\bvhoea.exe 472 "C:\Windows\SysWOW64\jvwifn.exe"
        385⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\bvhoea.exe
        
        472 C:\Windows\SysWOW64\jvwifn.exe
        386⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\tfsqmt.exe
        
        C:\Windows\system32\tfsqmt.exe 460 "C:\Windows\SysWOW64\bvhoea.exe"
        387⤵
        
        PID:512
        
        C:\Windows\SysWOW64\tfsqmt.exe
        
        460 C:\Windows\SysWOW64\bvhoea.exe
        388⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\fzzqrk.exe
        
        C:\Windows\system32\fzzqrk.exe 444 "C:\Windows\SysWOW64\tfsqmt.exe"
        389⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\fzzqrk.exe
        
        444 C:\Windows\SysWOW64\tfsqmt.exe
        390⤵
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\zxpluh.exe
        
        C:\Windows\system32\zxpluh.exe 484 "C:\Windows\SysWOW64\fzzqrk.exe"
        391⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\zxpluh.exe
        
        484 C:\Windows\SysWOW64\fzzqrk.exe
        392⤵
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\rxsrtv.exe
        
        C:\Windows\system32\rxsrtv.exe 452 "C:\Windows\SysWOW64\zxpluh.exe"
        393⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\rxsrtv.exe
        
        452 C:\Windows\SysWOW64\zxpluh.exe
        394⤵
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\ldimos.exe
        
        C:\Windows\system32\ldimos.exe 456 "C:\Windows\SysWOW64\rxsrtv.exe"
        395⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\ldimos.exe
        
        456 C:\Windows\SysWOW64\rxsrtv.exe
        396⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\yqxmbs.exe
        
        C:\Windows\system32\yqxmbs.exe 444 "C:\Windows\SysWOW64\ldimos.exe"
        397⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\yqxmbs.exe
        
        444 C:\Windows\SysWOW64\ldimos.exe
        398⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\xfnrsa.exe
        
        C:\Windows\system32\xfnrsa.exe 444 "C:\Windows\SysWOW64\yqxmbs.exe"
        399⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\xfnrsa.exe
        
        444 C:\Windows\SysWOW64\yqxmbs.exe
        400⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\pxyuas.exe
        
        C:\Windows\system32\pxyuas.exe 448 "C:\Windows\SysWOW64\xfnrsa.exe"
        401⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\pxyuas.exe
        
        448 C:\Windows\SysWOW64\xfnrsa.exe
        402⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\zxjrzy.exe
        
        C:\Windows\system32\zxjrzy.exe 448 "C:\Windows\SysWOW64\pxyuas.exe"
        403⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\zxjrzy.exe
        
        448 C:\Windows\SysWOW64\pxyuas.exe
        404⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\nmsjfl.exe
        
        C:\Windows\system32\nmsjfl.exe 456 "C:\Windows\SysWOW64\zxjrzy.exe"
        405⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\nmsjfl.exe
        
        456 C:\Windows\SysWOW64\zxjrzy.exe
        406⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\ccbcmq.exe
        
        C:\Windows\system32\ccbcmq.exe 452 "C:\Windows\SysWOW64\nmsjfl.exe"
        407⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\ccbcmq.exe
        
        452 C:\Windows\SysWOW64\nmsjfl.exe
        408⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\royhpy.exe
        
        C:\Windows\system32\royhpy.exe 456 "C:\Windows\SysWOW64\ccbcmq.exe"
        409⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\royhpy.exe
        
        456 C:\Windows\SysWOW64\ccbcmq.exe
        410⤵
        
        PID:616
        
        C:\Windows\SysWOW64\jrnsri.exe
        
        C:\Windows\system32\jrnsri.exe 460 "C:\Windows\SysWOW64\royhpy.exe"
        411⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\jrnsri.exe
        
        460 C:\Windows\SysWOW64\royhpy.exe
        412⤵
        
        PID:888
        
        C:\Windows\SysWOW64\dpdmug.exe
        
        C:\Windows\system32\dpdmug.exe 456 "C:\Windows\SysWOW64\jrnsri.exe"
        413⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\dpdmug.exe
        
        456 C:\Windows\SysWOW64\jrnsri.exe
        414⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\veckzu.exe
        
        C:\Windows\system32\veckzu.exe 460 "C:\Windows\SysWOW64\dpdmug.exe"
        415⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\veckzu.exe
        
        460 C:\Windows\SysWOW64\dpdmug.exe
        416⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\pzhsrn.exe
        
        C:\Windows\system32\pzhsrn.exe 448 "C:\Windows\SysWOW64\veckzu.exe"
        417⤵
        
        PID:876
        
        C:\Windows\SysWOW64\pzhsrn.exe
        
        448 C:\Windows\SysWOW64\veckzu.exe
        418⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\hfhpvj.exe
        
        C:\Windows\system32\hfhpvj.exe 452 "C:\Windows\SysWOW64\pzhsrn.exe"
        419⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\hfhpvj.exe
        
        452 C:\Windows\SysWOW64\pzhsrn.exe
        420⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\zjvaxt.exe
        
        C:\Windows\system32\zjvaxt.exe 456 "C:\Windows\SysWOW64\hfhpvj.exe"
        421⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\zjvaxt.exe
        
        456 C:\Windows\SysWOW64\hfhpvj.exe
        422⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\rigywz.exe
        
        C:\Windows\system32\rigywz.exe 456 "C:\Windows\SysWOW64\zjvaxt.exe"
        423⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\rigywz.exe
        
        456 C:\Windows\SysWOW64\zjvaxt.exe
        424⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\ipgnbn.exe
        
        C:\Windows\system32\ipgnbn.exe 472 "C:\Windows\SysWOW64\rigywz.exe"
        425⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\ipgnbn.exe
        
        472 C:\Windows\SysWOW64\rigywz.exe
        426⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\cvwqel.exe
        
        C:\Windows\system32\cvwqel.exe 532 "C:\Windows\SysWOW64\ipgnbn.exe"
        427⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\cvwqel.exe
        
        532 C:\Windows\SysWOW64\ipgnbn.exe
        428⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\jwsakv.exe
        
        C:\Windows\system32\jwsakv.exe 452 "C:\Windows\SysWOW64\cvwqel.exe"
        429⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\jwsakv.exe
        
        452 C:\Windows\SysWOW64\cvwqel.exe
        430⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\bzhdmf.exe
        
        C:\Windows\system32\bzhdmf.exe 488 "C:\Windows\SysWOW64\jwsakv.exe"
        431⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\bzhdmf.exe
        
        488 C:\Windows\SysWOW64\jwsakv.exe
        432⤵
        
        PID:924
        
        C:\Windows\SysWOW64\lcxgbu.exe
        
        C:\Windows\system32\lcxgbu.exe 456 "C:\Windows\SysWOW64\bzhdmf.exe"
        433⤵
        
        PID:704
        
        C:\Windows\SysWOW64\lcxgbu.exe
        
        456 C:\Windows\SysWOW64\bzhdmf.exe
        434⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\dcidai.exe
        
        C:\Windows\system32\dcidai.exe 456 "C:\Windows\SysWOW64\lcxgbu.exe"
        435⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\dcidai.exe
        
        456 C:\Windows\SysWOW64\lcxgbu.exe
        436⤵
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\ujhtfw.exe
        
        C:\Windows\system32\ujhtfw.exe 456 "C:\Windows\SysWOW64\dcidai.exe"
        437⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\ujhtfw.exe
        
        456 C:\Windows\SysWOW64\dcidai.exe
        438⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\mphqjk.exe
        
        C:\Windows\system32\mphqjk.exe 464 "C:\Windows\SysWOW64\ujhtfw.exe"
        439⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\mphqjk.exe
        
        464 C:\Windows\SysWOW64\ujhtfw.exe
        440⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\tfqjqx.exe
        
        C:\Windows\system32\tfqjqx.exe 448 "C:\Windows\SysWOW64\mphqjk.exe"
        441⤵
        
        PID:840
        
        C:\Windows\SysWOW64\tfqjqx.exe
        
        448 C:\Windows\SysWOW64\mphqjk.exe
        442⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\fwuwsk.exe
        
        C:\Windows\system32\fwuwsk.exe 456 "C:\Windows\SysWOW64\tfqjqx.exe"
        443⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\fwuwsk.exe
        
        456 C:\Windows\SysWOW64\tfqjqx.exe
        444⤵
        
        PID:748
        
        C:\Windows\SysWOW64\mwqggu.exe
        
        C:\Windows\system32\mwqggu.exe 472 "C:\Windows\SysWOW64\fwuwsk.exe"
        445⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\mwqggu.exe
        
        472 C:\Windows\SysWOW64\fwuwsk.exe
        446⤵
        Drops file in System32 directory
        
        PID:532
        
        C:\Windows\SysWOW64\biomkc.exe
        
        C:\Windows\system32\biomkc.exe 476 "C:\Windows\SysWOW64\mwqggu.exe"
        447⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\biomkc.exe
        
        476 C:\Windows\SysWOW64\mwqggu.exe
        448⤵
        
        PID:616
        
        C:\Windows\SysWOW64\qqamlz.exe
        
        C:\Windows\system32\qqamlz.exe 460 "C:\Windows\SysWOW64\biomkc.exe"
        449⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\qqamlz.exe
        
        460 C:\Windows\SysWOW64\biomkc.exe
        450⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\ainuxk.exe
        
        C:\Windows\system32\ainuxk.exe 472 "C:\Windows\SysWOW64\qqamlz.exe"
        451⤵
        
        PID:556
        
        C:\Windows\SysWOW64\ainuxk.exe
        
        472 C:\Windows\SysWOW64\qqamlz.exe
        452⤵
        
        PID:916
        
        C:\Windows\SysWOW64\usojvm.exe
        
        C:\Windows\system32\usojvm.exe 456 "C:\Windows\SysWOW64\ainuxk.exe"
        453⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\usojvm.exe
        
        456 C:\Windows\SysWOW64\ainuxk.exe
        454⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Windows\SysWOW64\pjiesb.exe
        
        C:\Windows\system32\pjiesb.exe 480 "C:\Windows\SysWOW64\usojvm.exe"
        455⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\pjiesb.exe
        
        480 C:\Windows\SysWOW64\usojvm.exe
        456⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\dcckbs.exe
        
        C:\Windows\system32\dcckbs.exe 448 "C:\Windows\SysWOW64\pjiesb.exe"
        457⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\dcckbs.exe
        
        448 C:\Windows\SysWOW64\pjiesb.exe
        458⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\tkxcco.exe
        
        C:\Windows\system32\tkxcco.exe 456 "C:\Windows\SysWOW64\dcckbs.exe"
        459⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\tkxcco.exe
        
        456 C:\Windows\SysWOW64\dcckbs.exe
        460⤵
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\fwecqn.exe
        
        C:\Windows\system32\fwecqn.exe 448 "C:\Windows\SysWOW64\tkxcco.exe"
        461⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\fwecqn.exe
        
        448 C:\Windows\SysWOW64\tkxcco.exe
        462⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\skwkqe.exe
        
        C:\Windows\system32\skwkqe.exe 476 "C:\Windows\SysWOW64\fwecqn.exe"
        463⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\skwkqe.exe
        
        476 C:\Windows\SysWOW64\fwecqn.exe
        464⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\bfunfu.exe
        
        C:\Windows\system32\bfunfu.exe 464 "C:\Windows\SysWOW64\skwkqe.exe"
        465⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\bfunfu.exe
        
        464 C:\Windows\SysWOW64\skwkqe.exe
        466⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\qnhfgy.exe
        
        C:\Windows\system32\qnhfgy.exe 452 "C:\Windows\SysWOW64\bfunfu.exe"
        467⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\qnhfgy.exe
        
        452 C:\Windows\SysWOW64\bfunfu.exe
        468⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\lmxaav.exe
        
        C:\Windows\system32\lmxaav.exe 456 "C:\Windows\SysWOW64\qnhfgy.exe"
        469⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\lmxaav.exe
        
        456 C:\Windows\SysWOW64\qnhfgy.exe
        470⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cawxfk.exe
        
        C:\Windows\system32\cawxfk.exe 444 "C:\Windows\SysWOW64\lmxaav.exe"
        471⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cawxfk.exe
        
        444 C:\Windows\SysWOW64\lmxaav.exe
        472⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\uhwnky.exe
        
        C:\Windows\system32\uhwnky.exe 456 "C:\Windows\SysWOW64\cawxfk.exe"
        473⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\uhwnky.exe
        
        456 C:\Windows\SysWOW64\cawxfk.exe
        474⤵
        
        PID:944
        
        C:\Windows\SysWOW64\ocbdkr.exe
        
        C:\Windows\system32\ocbdkr.exe 448 "C:\Windows\SysWOW64\uhwnky.exe"
        475⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\ocbdkr.exe
        
        448 C:\Windows\SysWOW64\uhwnky.exe
        476⤵
        
        PID:824
        
        C:\Windows\SysWOW64\ddviti.exe
        
        C:\Windows\system32\ddviti.exe 456 "C:\Windows\SysWOW64\ocbdkr.exe"
        477⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\ddviti.exe
        
        456 C:\Windows\SysWOW64\ocbdkr.exe
        478⤵
        
        PID:752
        
        C:\Windows\SysWOW64\kdpaue.exe
        
        C:\Windows\system32\kdpaue.exe 444 "C:\Windows\SysWOW64\ddviti.exe"
        479⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\kdpaue.exe
        
        444 C:\Windows\SysWOW64\ddviti.exe
        480⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\ejyvxc.exe
        
        C:\Windows\system32\ejyvxc.exe 472 "C:\Windows\SysWOW64\kdpaue.exe"
        481⤵
        
        PID:552
        
        C:\Windows\SysWOW64\ejyvxc.exe
        
        472 C:\Windows\SysWOW64\kdpaue.exe
        482⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\oewyms.exe
        
        C:\Windows\system32\oewyms.exe 456 "C:\Windows\SysWOW64\ejyvxc.exe"
        483⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\oewyms.exe
        
        456 C:\Windows\SysWOW64\ejyvxc.exe
        484⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\skqqzo.exe
        
        C:\Windows\system32\skqqzo.exe 472 "C:\Windows\SysWOW64\oewyms.exe"
        485⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\skqqzo.exe
        
        472 C:\Windows\SysWOW64\oewyms.exe
        486⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\hsljas.exe
        
        C:\Windows\system32\hsljas.exe 480 "C:\Windows\SysWOW64\skqqzo.exe"
        487⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\hsljas.exe
        
        480 C:\Windows\SysWOW64\skqqzo.exe
        488⤵
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Windows\SysWOW64\weiweb.exe
        
        C:\Windows\system32\weiweb.exe 452 "C:\Windows\SysWOW64\hsljas.exe"
        489⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\weiweb.exe
        
        452 C:\Windows\SysWOW64\hsljas.exe
        490⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\ohxyfl.exe
        
        C:\Windows\system32\ohxyfl.exe 472 "C:\Windows\SysWOW64\weiweb.exe"
        491⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\ohxyfl.exe
        
        472 C:\Windows\SysWOW64\weiweb.exe
        492⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\dxnrmq.exe
        
        C:\Windows\system32\dxnrmq.exe 456 "C:\Windows\SysWOW64\ohxyfl.exe"
        493⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\dxnrmq.exe
        
        456 C:\Windows\SysWOW64\ohxyfl.exe
        494⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\xrshmj.exe
        
        C:\Windows\system32\xrshmj.exe 444 "C:\Windows\SysWOW64\dxnrmq.exe"
        495⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\xrshmj.exe
        
        444 C:\Windows\SysWOW64\dxnrmq.exe
        496⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\pkvjlb.exe
        
        C:\Windows\system32\pkvjlb.exe 448 "C:\Windows\SysWOW64\xrshmj.exe"
        497⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\pkvjlb.exe
        
        448 C:\Windows\SysWOW64\xrshmj.exe
        498⤵
        
        PID:928
        
        C:\Windows\SysWOW64\jileoz.exe
        
        C:\Windows\system32\jileoz.exe 452 "C:\Windows\SysWOW64\pkvjlb.exe"
        499⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\jileoz.exe
        
        452 C:\Windows\SysWOW64\pkvjlb.exe
        500⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\ynvrmz.exe
        
        C:\Windows\system32\ynvrmz.exe 452 "C:\Windows\SysWOW64\jileoz.exe"
        501⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\ynvrmz.exe
        
        452 C:\Windows\SysWOW64\jileoz.exe
        502⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\ncdktm.exe
        
        C:\Windows\system32\ncdktm.exe 456 "C:\Windows\SysWOW64\ynvrmz.exe"
        503⤵
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\ncdktm.exe
        
        456 C:\Windows\SysWOW64\ynvrmz.exe
        504⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\ffsmuw.exe
        
        C:\Windows\system32\ffsmuw.exe 444 "C:\Windows\SysWOW64\ncdktm.exe"
        505⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\ffsmuw.exe
        
        444 C:\Windows\SysWOW64\ncdktm.exe
        506⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\wqdxco.exe
        
        C:\Windows\system32\wqdxco.exe 464 "C:\Windows\SysWOW64\ffsmuw.exe"
        507⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\wqdxco.exe
        
        464 C:\Windows\SysWOW64\ffsmuw.exe
        508⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\rwtsfm.exe
        
        C:\Windows\system32\rwtsfm.exe 456 "C:\Windows\SysWOW64\wqdxco.exe"
        509⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\rwtsfm.exe
        
        456 C:\Windows\SysWOW64\wqdxco.exe
        510⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\lnnucb.exe
        
        C:\Windows\system32\lnnucb.exe 452 "C:\Windows\SysWOW64\rwtsfm.exe"
        511⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\lnnucb.exe
        
        452 C:\Windows\SysWOW64\rwtsfm.exe
        512⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\aghslk.exe
        
        C:\Windows\system32\aghslk.exe 456 "C:\Windows\SysWOW64\lnnucb.exe"
        513⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\aghslk.exe
        
        456 C:\Windows\SysWOW64\lnnucb.exe
        514⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\sgsxkx.exe
        
        C:\Windows\system32\sgsxkx.exe 444 "C:\Windows\SysWOW64\aghslk.exe"
        515⤵
        
        PID:892
        
        C:\Windows\SysWOW64\sgsxkx.exe
        
        444 C:\Windows\SysWOW64\aghslk.exe
        516⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cjgamh.exe
        
        C:\Windows\system32\cjgamh.exe 444 "C:\Windows\SysWOW64\sgsxkx.exe"
        517⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\cjgamh.exe
        
        444 C:\Windows\SysWOW64\sgsxkx.exe
        518⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\tbrkla.exe
        
        C:\Windows\system32\tbrkla.exe 456 "C:\Windows\SysWOW64\cjgamh.exe"
        519⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\tbrkla.exe
        
        456 C:\Windows\SysWOW64\cjgamh.exe
        520⤵
        Drops file in System32 directory
        
        PID:1864
        
        C:\Windows\SysWOW64\fknxwv.exe
        
        C:\Windows\system32\fknxwv.exe 452 "C:\Windows\SysWOW64\tbrkla.exe"
        521⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\fknxwv.exe
        
        452 C:\Windows\SysWOW64\tbrkla.exe
        522⤵
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\uwsdad.exe
        
        C:\Windows\system32\uwsdad.exe 448 "C:\Windows\SysWOW64\fknxwv.exe"
        523⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\uwsdad.exe
        
        448 C:\Windows\SysWOW64\fknxwv.exe
        524⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\mdsaer.exe
        
        C:\Windows\system32\mdsaer.exe 444 "C:\Windows\SysWOW64\uwsdad.exe"
        525⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\mdsaer.exe
        
        444 C:\Windows\SysWOW64\uwsdad.exe
        526⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\jecnav.exe
        
        C:\Windows\system32\jecnav.exe 484 "C:\Windows\SysWOW64\mdsaer.exe"
        527⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\jecnav.exe
        
        484 C:\Windows\SysWOW64\mdsaer.exe
        528⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\dksids.exe
        
        C:\Windows\system32\dksids.exe 448 "C:\Windows\SysWOW64\jecnav.exe"
        529⤵
        
        PID:628
        
        C:\Windows\SysWOW64\dksids.exe
        
        448 C:\Windows\SysWOW64\jecnav.exe
        530⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\vogtfk.exe
        
        C:\Windows\system32\vogtfk.exe 452 "C:\Windows\SysWOW64\dksids.exe"
        531⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\vogtfk.exe
        
        452 C:\Windows\SysWOW64\dksids.exe
        532⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\nnsqeq.exe
        
        C:\Windows\system32\nnsqeq.exe 448 "C:\Windows\SysWOW64\vogtfk.exe"
        533⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\nnsqeq.exe
        
        448 C:\Windows\SysWOW64\vogtfk.exe
        534⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\hplyjr.exe
        
        C:\Windows\system32\hplyjr.exe 452 "C:\Windows\SysWOW64\nnsqeq.exe"
        535⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\hplyjr.exe
        
        452 C:\Windows\SysWOW64\nnsqeq.exe
        536⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\wbrdns.exe
        
        C:\Windows\system32\wbrdns.exe 496 "C:\Windows\SysWOW64\hplyjr.exe"
        537⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\wbrdns.exe
        
        496 C:\Windows\SysWOW64\hplyjr.exe
        538⤵
        Drops file in System32 directory
        
        PID:2556
        
        C:\Windows\SysWOW64\dbfotc.exe
        
        C:\Windows\system32\dbfotc.exe 448 "C:\Windows\SysWOW64\wbrdns.exe"
        539⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\dbfotc.exe
        
        448 C:\Windows\SysWOW64\wbrdns.exe
        540⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\sjzgcg.exe
        
        C:\Windows\system32\sjzgcg.exe 444 "C:\Windows\SysWOW64\dbfotc.exe"
        541⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\sjzgcg.exe
        
        444 C:\Windows\SysWOW64\dbfotc.exe
        542⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\mqqjxe.exe
        
        C:\Windows\system32\mqqjxe.exe 444 "C:\Windows\SysWOW64\sjzgcg.exe"
        543⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\mqqjxe.exe
        
        444 C:\Windows\SysWOW64\sjzgcg.exe
        544⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\hogeat.exe
        
        C:\Windows\system32\hogeat.exe 472 "C:\Windows\SysWOW64\mqqjxe.exe"
        545⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\hogeat.exe
        
        472 C:\Windows\SysWOW64\mqqjxe.exe
        546⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\tineft.exe
        
        C:\Windows\system32\tineft.exe 444 "C:\Windows\SysWOW64\hogeat.exe"
        547⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\tineft.exe
        
        444 C:\Windows\SysWOW64\hogeat.exe
        548⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\nhdziq.exe
        
        C:\Windows\system32\nhdziq.exe 456 "C:\Windows\SysWOW64\tineft.exe"
        549⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\nhdziq.exe
        
        456 C:\Windows\SysWOW64\tineft.exe
        550⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\fkrjki.exe
        
        C:\Windows\system32\fkrjki.exe 444 "C:\Windows\SysWOW64\nhdziq.exe"
        551⤵
        
        PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ypivtr.exe

Filesize
222KB

MD5
f38d258532673cf62200ab2d7dd5268a

SHA1
39bf714b2e9ffb5a8cf534977588b71e35952ec6

SHA256
5edaadd37dd1dd9425dbbbdcd360194fe1f965ae971a5c8165a3effdc25c7e80

SHA512
b2c994c3e6575c0463d4278220f79e29867f37049076e28c97feab5af90eec86a472a0f12945df608d73336121c2ff7b9a0c6b30ba82906c67d7f3fdcedc28cf

Download Submit
memory/468-5-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/704-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1624-48-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1824-99-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1936-116-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2064-167-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2152-28-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2588-65-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2716-31-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2716-41-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2716-30-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2948-150-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3004-0-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3004-19-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3004-2-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3004-4-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3004-7-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3004-8-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download