metasploit | 5edaadd37dd1dd9425dbbbdcd360194fe1f965ae971a5c8165a3effdc25c7e80

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
Size

222KB
MD5

f38d258532673cf62200ab2d7dd5268a
SHA1

39bf714b2e9ffb5a8cf534977588b71e35952ec6
SHA256

5edaadd37dd1dd9425dbbbdcd360194fe1f965ae971a5c8165a3effdc25c7e80
SHA512

b2c994c3e6575c0463d4278220f79e29867f37049076e28c97feab5af90eec86a472a0f12945df608d73336121c2ff7b9a0c6b30ba82906c67d7f3fdcedc28cf
SSDEEP

6144:ASOrStDEnqmNpMBN+Mcqfbobx4aRrxyre5HfTLGSa:pOrp/N2h4x4aRYixLba

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

pid	Process
3980	lconcf.exe
3356	lconcf.exe
2388	dqoyyo.exe
1648	dqoyyo.exe
3776	yewwsz.exe
860	yewwsz.exe
1988	bowlkv.exe
3984	bowlkv.exe
1036	bziezz.exe
996	bziezz.exe
8	bzjjkh.exe
3108	bzjjkh.exe
1384	vfzmne.exe
4692	vfzmne.exe
3204	tokmbd.exe
3900	tokmbd.exe
980	wuqxqu.exe
4180	wuqxqu.exe
3988	ojqhmv.exe
3012	ojqhmv.exe
3016	lgxhfc.exe
4808	lgxhfc.exe
4488	ojafsq.exe
3268	ojafsq.exe
5092	iefvsj.exe
3064	iefvsj.exe
3260	jegaer.exe
3360	jegaer.exe
2184	guyjrh.exe
4676	guyjrh.exe
4640	ashduf.exe
1092	ashduf.exe
3788	vgxtgp.exe
3228	vgxtgp.exe
4444	tphbco.exe
2104	tphbco.exe
3044	imobvu.exe
5068	imobvu.exe
3300	gvzcqt.exe
4300	gvzcqt.exe
2480	aqmrim.exe
4868	aqmrim.exe
5072	aqnxum.exe
2564	aqnxum.exe
3008	dtqvgz.exe
2536	dtqvgz.exe
4464	aqpvhg.exe
2828	aqpvhg.exe
3460	bqyitg.exe
1868	bqyitg.exe
2164	yrinpr.exe
1944	yrinpr.exe
3620	ydvglv.exe
2916	ydvglv.exe
224	vpqbby.exe
4880	vpqbby.exe
708	vadtqk.exe
3640	vadtqk.exe
4296	vaezbj.exe
3108	vaezbj.exe
4968	vmqrqn.exe
2360	vmqrqn.exe
2128	sbxrru.exe
3612	sbxrru.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lgxhfc.exe	ojqhmv.exe
File opened for modification	C:\Windows\SysWOW64\ekdoil.exe	bparwy.exe
File opened for modification	C:\Windows\SysWOW64\iyqtdi.exe	iuebpw.exe
File opened for modification	C:\Windows\SysWOW64\fejhwz.exe	iochva.exe
File created	C:\Windows\SysWOW64\ucevgc.exe	ursdsq.exe
File created	C:\Windows\SysWOW64\sixppg.exe	pfurcs.exe
File created	C:\Windows\SysWOW64\upvqlf.exe	usxqck.exe
File created	C:\Windows\SysWOW64\bodphm.exe	bdrwsi.exe
File opened for modification	C:\Windows\SysWOW64\rvtqqj.exe	rjhxcf.exe
File opened for modification	C:\Windows\SysWOW64\lpydug.exe	imdfit.exe
File created	C:\Windows\SysWOW64\gsiity.exe	govpfu.exe
File created	C:\Windows\SysWOW64\nqmkvj.exe	qsfjuc.exe
File opened for modification	C:\Windows\SysWOW64\szzaov.exe	ujsano.exe
File created	C:\Windows\SysWOW64\fkxriw.exe	eglytk.exe
File opened for modification	C:\Windows\SysWOW64\msfkan.exe	mlhfjf.exe
File opened for modification	C:\Windows\SysWOW64\chosgp.exe	bhfmuh.exe
File created	C:\Windows\SysWOW64\eqqqui.exe	eneyfw.exe
File opened for modification	C:\Windows\SysWOW64\dxvcxu.exe	dtikiq.exe
File opened for modification	C:\Windows\SysWOW64\ccdrwi.exe	crrqze.exe
File opened for modification	C:\Windows\SysWOW64\qehbni.exe	qpkwwa.exe
File opened for modification	C:\Windows\SysWOW64\tmnlet.exe	xtvyjh.exe
File opened for modification	C:\Windows\SysWOW64\uxajme.exe	txrdtx.exe
File created	C:\Windows\SysWOW64\gvzcqt.exe	imobvu.exe
File opened for modification	C:\Windows\SysWOW64\adrvha.exe	aotyqk.exe
File created	C:\Windows\SysWOW64\pblnvy.exe	pxzvhu.exe
File created	C:\Windows\SysWOW64\mxdyig.exe	juabvt.exe
File created	C:\Windows\SysWOW64\dmirpi.exe	gamwzg.exe
File created	C:\Windows\SysWOW64\bzjjkh.exe	bziezz.exe
File created	C:\Windows\SysWOW64\ckoxsn.exe	cvyrbw.exe
File created	C:\Windows\SysWOW64\uxajme.exe	txrdtx.exe
File opened for modification	C:\Windows\SysWOW64\yfsnig.exe	yfrhwh.exe
File created	C:\Windows\SysWOW64\vinzmg.exe	vtquuy.exe
File opened for modification	C:\Windows\SysWOW64\dmtuoc.exe	dbgcay.exe
File opened for modification	C:\Windows\SysWOW64\hjdlhe.exe	hjtfve.exe
File opened for modification	C:\Windows\SysWOW64\twpdsg.exe	ttckdc.exe
File opened for modification	C:\Windows\SysWOW64\fpicko.exe	fphwrp.exe
File opened for modification	C:\Windows\SysWOW64\lskvjs.exe	lpydug.exe
File created	C:\Windows\SysWOW64\txrdtx.exe	tmnlet.exe
File created	C:\Windows\SysWOW64\olruye.exe	rwkuff.exe
File created	C:\Windows\SysWOW64\vpcxmh.exe	vlqeyv.exe
File created	C:\Windows\SysWOW64\ujcbxl.exe	ucevgc.exe
File opened for modification	C:\Windows\SysWOW64\ujnjbi.exe	uxajme.exe
File opened for modification	C:\Windows\SysWOW64\ozpnjr.exe	nzoiyj.exe
File opened for modification	C:\Windows\SysWOW64\isawyi.exe	fxfylu.exe
File opened for modification	C:\Windows\SysWOW64\bzjjkh.exe	bziezz.exe
File opened for modification	C:\Windows\SysWOW64\ftvbay.exe	cxsyey.exe
File opened for modification	C:\Windows\SysWOW64\qyusut.exe	uxjnyi.exe
File opened for modification	C:\Windows\SysWOW64\ydvglv.exe	yrinpr.exe
File created	C:\Windows\SysWOW64\bopqvh.exe	eqqqui.exe
File created	C:\Windows\SysWOW64\qsfjuc.exe	pseeid.exe
File opened for modification	C:\Windows\SysWOW64\urdgjk.exe	ujcbxl.exe
File opened for modification	C:\Windows\SysWOW64\dtikiq.exe	gznpkn.exe
File created	C:\Windows\SysWOW64\pnsjlb.exe	pgveuk.exe
File created	C:\Windows\SysWOW64\ckbtiv.exe	cypauj.exe
File created	C:\Windows\SysWOW64\qeprjz.exe	nfygzq.exe
File created	C:\Windows\SysWOW64\kyjtwu.exe	niktvv.exe
File created	C:\Windows\SysWOW64\vnqppv.exe	xbucza.exe
File opened for modification	C:\Windows\SysWOW64\adlknj.exe	cuscal.exe
File created	C:\Windows\SysWOW64\mauhjt.exe	pgyulr.exe
File created	C:\Windows\SysWOW64\errtpf.exe	bazifv.exe
File created	C:\Windows\SysWOW64\oxxohs.exe	oizjpk.exe
File created	C:\Windows\SysWOW64\fpicko.exe	fphwrp.exe
File created	C:\Windows\SysWOW64\bpqtqm.exe	errtpf.exe
File created	C:\Windows\SysWOW64\okaqjq.exe	rvtqqj.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 516 set thread context of 2436	516	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	89
PID 3980 set thread context of 3356	3980	lconcf.exe	91
PID 2388 set thread context of 1648	2388	dqoyyo.exe	93
PID 3776 set thread context of 860	3776	yewwsz.exe	95
PID 1988 set thread context of 3984	1988	bowlkv.exe	97
PID 1036 set thread context of 996	1036	bziezz.exe	99
PID 8 set thread context of 3108	8	bzjjkh.exe	101
PID 1384 set thread context of 4692	1384	vfzmne.exe	103
PID 3204 set thread context of 3900	3204	tokmbd.exe	105
PID 980 set thread context of 4180	980	wuqxqu.exe	107
PID 3988 set thread context of 3012	3988	ojqhmv.exe	109
PID 3016 set thread context of 4808	3016	lgxhfc.exe	112
PID 4488 set thread context of 3268	4488	ojafsq.exe	114
PID 5092 set thread context of 3064	5092	iefvsj.exe	118
PID 3260 set thread context of 3360	3260	jegaer.exe	120
PID 2184 set thread context of 4676	2184	guyjrh.exe	124
PID 4640 set thread context of 1092	4640	ashduf.exe	126
PID 3788 set thread context of 3228	3788	vgxtgp.exe	128
PID 4444 set thread context of 2104	4444	tphbco.exe	130
PID 3044 set thread context of 5068	3044	imobvu.exe	132
PID 3300 set thread context of 4300	3300	gvzcqt.exe	134
PID 2480 set thread context of 4868	2480	aqmrim.exe	136
PID 5072 set thread context of 2564	5072	aqnxum.exe	139
PID 3008 set thread context of 2536	3008	dtqvgz.exe	141
PID 4464 set thread context of 2828	4464	aqpvhg.exe	143
PID 3460 set thread context of 1868	3460	bqyitg.exe	145
PID 2164 set thread context of 1944	2164	yrinpr.exe	147
PID 3620 set thread context of 2916	3620	ydvglv.exe	149
PID 224 set thread context of 4880	224	vpqbby.exe	151
PID 708 set thread context of 3640	708	vadtqk.exe	155
PID 4296 set thread context of 3108	4296	vaezbj.exe	157
PID 4968 set thread context of 2360	4968	vmqrqn.exe	159
PID 2128 set thread context of 3612	2128	sbxrru.exe	161
PID 3900 set thread context of 4628	3900	ywrubr.exe	163
PID 3988 set thread context of 60	3988	vtquuy.exe	165
PID 2852 set thread context of 4616	2852	vinzmg.exe	167
PID 3008 set thread context of 4560	3008	viofxg.exe	169
PID 5092 set thread context of 956	5092	trhnte.exe	171
PID 3064 set thread context of 3260	3064	vbydla.exe	173
PID 4408 set thread context of 3360	4408	akhytg.exe	175
PID 228 set thread context of 4528	228	aotyqk.exe	177
PID 1004 set thread context of 448	1004	adrvha.exe	179
PID 3540 set thread context of 4784	3540	xxmqxv.exe	181
PID 3424 set thread context of 3760	3424	sspokq.exe	183
PID 1172 set thread context of 1212	1172	shflby.exe	185
PID 2872 set thread context of 2928	2872	shgzny.exe	187
PID 3012 set thread context of 2568	3012	tssrjk.exe	189
PID 1972 set thread context of 4908	1972	ptkefn.exe	191
PID 2308 set thread context of 672	2308	pxxxtz.exe	193
PID 4208 set thread context of 3016	4208	twphdj.exe	195
PID 1096 set thread context of 4552	1096	pxzvhu.exe	197
PID 996 set thread context of 412	996	pblnvy.exe	199
PID 4600 set thread context of 2856	4600	sadyfh.exe	201
PID 1236 set thread context of 208	1236	nrfauw.exe	203
PID 1232 set thread context of 2540	1232	ngcglm.exe	205
PID 2312 set thread context of 708	2312	nvsllu.exe	207
PID 2956 set thread context of 4296	2956	ncqjcd.exe	209
PID 3140 set thread context of 3204	3140	nkrwnk.exe	211
PID 5068 set thread context of 2552	5068	nodoco.exe	213
PID 4124 set thread context of 3612	4124	pgveuk.exe	215
PID 764 set thread context of 3848	764	pnsjlb.exe	217
PID 532 set thread context of 5072	532	pyfcif.exe	219
PID 2308 set thread context of 3968	2308	pkruwr.exe	221
PID 4808 set thread context of 2268	4808	qndnkv.exe	223

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtgdua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpqtqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmojuw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujnjbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wymtdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yewwsz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkruwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckbtiv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gokmga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eglytk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzxuez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ybwwgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	viofxg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vadtqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vadtqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxzvhu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lotsmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	veacdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpqbby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfmwil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcjprp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqqqui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	scmbqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrurzs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imobvu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bpqtqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtikiq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	errtpf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxmqxv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zdwjdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mauhjt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlwhye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	imdfit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ggmktu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dweyif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbxrru.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dmsaok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hfbzow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnmnvn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ggmktu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmnlet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lexqts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfdfbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtrjqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzcqjt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfdcyz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trhnte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ngcglm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jcermz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eqqqui.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyabia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adrvha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wvvkkv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjdlhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usxqck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qpircs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujnjbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rfkoez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikattf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fpicko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwytln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgveuk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rqgjsq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rjhxcf.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
516	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
516	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
3980	lconcf.exe
3980	lconcf.exe
2388	dqoyyo.exe
2388	dqoyyo.exe
3776	yewwsz.exe
3776	yewwsz.exe
1988	bowlkv.exe
1988	bowlkv.exe
1036	bziezz.exe
1036	bziezz.exe
8	bzjjkh.exe
8	bzjjkh.exe
1384	vfzmne.exe
1384	vfzmne.exe
3204	tokmbd.exe
3204	tokmbd.exe
980	wuqxqu.exe
980	wuqxqu.exe
3988	ojqhmv.exe
3988	ojqhmv.exe
3016	lgxhfc.exe
3016	lgxhfc.exe
4488	ojafsq.exe
4488	ojafsq.exe
5092	iefvsj.exe
5092	iefvsj.exe
3260	jegaer.exe
3260	jegaer.exe
2184	guyjrh.exe
2184	guyjrh.exe
4640	ashduf.exe
4640	ashduf.exe
3788	vgxtgp.exe
3788	vgxtgp.exe
4444	tphbco.exe
4444	tphbco.exe
3044	imobvu.exe
3044	imobvu.exe
3300	gvzcqt.exe
3300	gvzcqt.exe
2480	aqmrim.exe
2480	aqmrim.exe
5072	aqnxum.exe
5072	aqnxum.exe
3008	dtqvgz.exe
3008	dtqvgz.exe
4464	aqpvhg.exe
4464	aqpvhg.exe
3460	bqyitg.exe
3460	bqyitg.exe
2164	yrinpr.exe
2164	yrinpr.exe
3620	ydvglv.exe
3620	ydvglv.exe
224	vpqbby.exe
224	vpqbby.exe
708	vadtqk.exe
708	vadtqk.exe
4296	vaezbj.exe
4296	vaezbj.exe
4968	vmqrqn.exe
4968	vmqrqn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 2436	516	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	89
PID 516 wrote to memory of 2436	516	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	89
PID 516 wrote to memory of 2436	516	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	89
PID 516 wrote to memory of 2436	516	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	89
PID 516 wrote to memory of 2436	516	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	89
PID 2436 wrote to memory of 3980	2436	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	90
PID 2436 wrote to memory of 3980	2436	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	90
PID 2436 wrote to memory of 3980	2436	f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe	90
PID 3980 wrote to memory of 3356	3980	lconcf.exe	91
PID 3980 wrote to memory of 3356	3980	lconcf.exe	91
PID 3980 wrote to memory of 3356	3980	lconcf.exe	91
PID 3980 wrote to memory of 3356	3980	lconcf.exe	91
PID 3980 wrote to memory of 3356	3980	lconcf.exe	91
PID 3356 wrote to memory of 2388	3356	lconcf.exe	92
PID 3356 wrote to memory of 2388	3356	lconcf.exe	92
PID 3356 wrote to memory of 2388	3356	lconcf.exe	92
PID 2388 wrote to memory of 1648	2388	dqoyyo.exe	93
PID 2388 wrote to memory of 1648	2388	dqoyyo.exe	93
PID 2388 wrote to memory of 1648	2388	dqoyyo.exe	93
PID 2388 wrote to memory of 1648	2388	dqoyyo.exe	93
PID 2388 wrote to memory of 1648	2388	dqoyyo.exe	93
PID 1648 wrote to memory of 3776	1648	dqoyyo.exe	94
PID 1648 wrote to memory of 3776	1648	dqoyyo.exe	94
PID 1648 wrote to memory of 3776	1648	dqoyyo.exe	94
PID 3776 wrote to memory of 860	3776	yewwsz.exe	95
PID 3776 wrote to memory of 860	3776	yewwsz.exe	95
PID 3776 wrote to memory of 860	3776	yewwsz.exe	95
PID 3776 wrote to memory of 860	3776	yewwsz.exe	95
PID 3776 wrote to memory of 860	3776	yewwsz.exe	95
PID 860 wrote to memory of 1988	860	yewwsz.exe	96
PID 860 wrote to memory of 1988	860	yewwsz.exe	96
PID 860 wrote to memory of 1988	860	yewwsz.exe	96
PID 1988 wrote to memory of 3984	1988	bowlkv.exe	97
PID 1988 wrote to memory of 3984	1988	bowlkv.exe	97
PID 1988 wrote to memory of 3984	1988	bowlkv.exe	97
PID 1988 wrote to memory of 3984	1988	bowlkv.exe	97
PID 1988 wrote to memory of 3984	1988	bowlkv.exe	97
PID 3984 wrote to memory of 1036	3984	bowlkv.exe	98
PID 3984 wrote to memory of 1036	3984	bowlkv.exe	98
PID 3984 wrote to memory of 1036	3984	bowlkv.exe	98
PID 1036 wrote to memory of 996	1036	bziezz.exe	99
PID 1036 wrote to memory of 996	1036	bziezz.exe	99
PID 1036 wrote to memory of 996	1036	bziezz.exe	99
PID 1036 wrote to memory of 996	1036	bziezz.exe	99
PID 1036 wrote to memory of 996	1036	bziezz.exe	99
PID 996 wrote to memory of 8	996	bziezz.exe	100
PID 996 wrote to memory of 8	996	bziezz.exe	100
PID 996 wrote to memory of 8	996	bziezz.exe	100
PID 8 wrote to memory of 3108	8	bzjjkh.exe	101
PID 8 wrote to memory of 3108	8	bzjjkh.exe	101
PID 8 wrote to memory of 3108	8	bzjjkh.exe	101
PID 8 wrote to memory of 3108	8	bzjjkh.exe	101
PID 8 wrote to memory of 3108	8	bzjjkh.exe	101
PID 3108 wrote to memory of 1384	3108	bzjjkh.exe	102
PID 3108 wrote to memory of 1384	3108	bzjjkh.exe	102
PID 3108 wrote to memory of 1384	3108	bzjjkh.exe	102
PID 1384 wrote to memory of 4692	1384	vfzmne.exe	103
PID 1384 wrote to memory of 4692	1384	vfzmne.exe	103
PID 1384 wrote to memory of 4692	1384	vfzmne.exe	103
PID 1384 wrote to memory of 4692	1384	vfzmne.exe	103
PID 1384 wrote to memory of 4692	1384	vfzmne.exe	103
PID 4692 wrote to memory of 3204	4692	vfzmne.exe	104
PID 4692 wrote to memory of 3204	4692	vfzmne.exe	104
PID 4692 wrote to memory of 3204	4692	vfzmne.exe	104

C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\lconcf.exe
    C:\Windows\system32\lconcf.exe 984 "C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\SysWOW64\lconcf.exe
      984 C:\Users\Admin\AppData\Local\Temp\f38d258532673cf62200ab2d7dd5268a_JaffaCakes118.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3356
    - - C:\Windows\SysWOW64\dqoyyo.exe
        
        C:\Windows\system32\dqoyyo.exe 1032 "C:\Windows\SysWOW64\lconcf.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\SysWOW64\dqoyyo.exe
        
        1032 C:\Windows\SysWOW64\lconcf.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1648
        
        C:\Windows\SysWOW64\yewwsz.exe
        
        C:\Windows\system32\yewwsz.exe 1140 "C:\Windows\SysWOW64\dqoyyo.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\yewwsz.exe
        
        1140 C:\Windows\SysWOW64\dqoyyo.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\bowlkv.exe
        
        C:\Windows\system32\bowlkv.exe 1028 "C:\Windows\SysWOW64\yewwsz.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\bowlkv.exe
        
        1028 C:\Windows\SysWOW64\yewwsz.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\bziezz.exe
        
        C:\Windows\system32\bziezz.exe 1048 "C:\Windows\SysWOW64\bowlkv.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\bziezz.exe
        
        1048 C:\Windows\SysWOW64\bowlkv.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\bzjjkh.exe
        
        C:\Windows\system32\bzjjkh.exe 1144 "C:\Windows\SysWOW64\bziezz.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\bzjjkh.exe
        
        1144 C:\Windows\SysWOW64\bziezz.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\vfzmne.exe
        
        C:\Windows\system32\vfzmne.exe 1032 "C:\Windows\SysWOW64\bzjjkh.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\vfzmne.exe
        
        1032 C:\Windows\SysWOW64\bzjjkh.exe
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\tokmbd.exe
        
        C:\Windows\system32\tokmbd.exe 1008 "C:\Windows\SysWOW64\vfzmne.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3204
        
        C:\Windows\SysWOW64\tokmbd.exe
        
        1008 C:\Windows\SysWOW64\vfzmne.exe
        18⤵
        Executes dropped EXE
        
        PID:3900
        
        C:\Windows\SysWOW64\wuqxqu.exe
        
        C:\Windows\system32\wuqxqu.exe 1032 "C:\Windows\SysWOW64\tokmbd.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:980
        
        C:\Windows\SysWOW64\wuqxqu.exe
        
        1032 C:\Windows\SysWOW64\tokmbd.exe
        20⤵
        Executes dropped EXE
        
        PID:4180
        
        C:\Windows\SysWOW64\ojqhmv.exe
        
        C:\Windows\system32\ojqhmv.exe 1048 "C:\Windows\SysWOW64\wuqxqu.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3988
        
        C:\Windows\SysWOW64\ojqhmv.exe
        
        1048 C:\Windows\SysWOW64\wuqxqu.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3012
        
        C:\Windows\SysWOW64\lgxhfc.exe
        
        C:\Windows\system32\lgxhfc.exe 1012 "C:\Windows\SysWOW64\ojqhmv.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\SysWOW64\lgxhfc.exe
        
        1012 C:\Windows\SysWOW64\ojqhmv.exe
        24⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Windows\SysWOW64\ojafsq.exe
        
        C:\Windows\system32\ojafsq.exe 1140 "C:\Windows\SysWOW64\lgxhfc.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4488
        
        C:\Windows\SysWOW64\ojafsq.exe
        
        1140 C:\Windows\SysWOW64\lgxhfc.exe
        26⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\iefvsj.exe
        
        C:\Windows\system32\iefvsj.exe 1028 "C:\Windows\SysWOW64\ojafsq.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:5092
        
        C:\Windows\SysWOW64\iefvsj.exe
        
        1028 C:\Windows\SysWOW64\ojafsq.exe
        28⤵
        Executes dropped EXE
        
        PID:3064
        
        C:\Windows\SysWOW64\jegaer.exe
        
        C:\Windows\system32\jegaer.exe 1016 "C:\Windows\SysWOW64\iefvsj.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3260
        
        C:\Windows\SysWOW64\jegaer.exe
        
        1016 C:\Windows\SysWOW64\iefvsj.exe
        30⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\guyjrh.exe
        
        C:\Windows\system32\guyjrh.exe 1152 "C:\Windows\SysWOW64\jegaer.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\SysWOW64\guyjrh.exe
        
        1152 C:\Windows\SysWOW64\jegaer.exe
        32⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\ashduf.exe
        
        C:\Windows\system32\ashduf.exe 1036 "C:\Windows\SysWOW64\guyjrh.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4640
        
        C:\Windows\SysWOW64\ashduf.exe
        
        1036 C:\Windows\SysWOW64\guyjrh.exe
        34⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Windows\SysWOW64\vgxtgp.exe
        
        C:\Windows\system32\vgxtgp.exe 1032 "C:\Windows\SysWOW64\ashduf.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3788
        
        C:\Windows\SysWOW64\vgxtgp.exe
        
        1032 C:\Windows\SysWOW64\ashduf.exe
        36⤵
        Executes dropped EXE
        
        PID:3228
        
        C:\Windows\SysWOW64\tphbco.exe
        
        C:\Windows\system32\tphbco.exe 1028 "C:\Windows\SysWOW64\vgxtgp.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4444
        
        C:\Windows\SysWOW64\tphbco.exe
        
        1028 C:\Windows\SysWOW64\vgxtgp.exe
        38⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\imobvu.exe
        
        C:\Windows\system32\imobvu.exe 1008 "C:\Windows\SysWOW64\tphbco.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3044
        
        C:\Windows\SysWOW64\imobvu.exe
        
        1008 C:\Windows\SysWOW64\tphbco.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5068
        
        C:\Windows\SysWOW64\gvzcqt.exe
        
        C:\Windows\system32\gvzcqt.exe 1128 "C:\Windows\SysWOW64\imobvu.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3300
        
        C:\Windows\SysWOW64\gvzcqt.exe
        
        1128 C:\Windows\SysWOW64\imobvu.exe
        42⤵
        Executes dropped EXE
        
        PID:4300
        
        C:\Windows\SysWOW64\aqmrim.exe
        
        C:\Windows\system32\aqmrim.exe 1008 "C:\Windows\SysWOW64\gvzcqt.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\aqmrim.exe
        
        1008 C:\Windows\SysWOW64\gvzcqt.exe
        44⤵
        Executes dropped EXE
        
        PID:4868
        
        C:\Windows\SysWOW64\aqnxum.exe
        
        C:\Windows\system32\aqnxum.exe 1020 "C:\Windows\SysWOW64\aqmrim.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:5072
        
        C:\Windows\SysWOW64\aqnxum.exe
        
        1020 C:\Windows\SysWOW64\aqmrim.exe
        46⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\dtqvgz.exe
        
        C:\Windows\system32\dtqvgz.exe 1020 "C:\Windows\SysWOW64\aqnxum.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
        
        C:\Windows\SysWOW64\dtqvgz.exe
        
        1020 C:\Windows\SysWOW64\aqnxum.exe
        48⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\aqpvhg.exe
        
        C:\Windows\system32\aqpvhg.exe 1104 "C:\Windows\SysWOW64\dtqvgz.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4464
        
        C:\Windows\SysWOW64\aqpvhg.exe
        
        1104 C:\Windows\SysWOW64\dtqvgz.exe
        50⤵
        Executes dropped EXE
        
        PID:2828
        
        C:\Windows\SysWOW64\bqyitg.exe
        
        C:\Windows\system32\bqyitg.exe 1140 "C:\Windows\SysWOW64\aqpvhg.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3460
        
        C:\Windows\SysWOW64\bqyitg.exe
        
        1140 C:\Windows\SysWOW64\aqpvhg.exe
        52⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\yrinpr.exe
        
        C:\Windows\system32\yrinpr.exe 1140 "C:\Windows\SysWOW64\bqyitg.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:2164
        
        C:\Windows\SysWOW64\yrinpr.exe
        
        1140 C:\Windows\SysWOW64\bqyitg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\ydvglv.exe
        
        C:\Windows\system32\ydvglv.exe 1008 "C:\Windows\SysWOW64\yrinpr.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:3620
        
        C:\Windows\SysWOW64\ydvglv.exe
        
        1008 C:\Windows\SysWOW64\yrinpr.exe
        56⤵
        Executes dropped EXE
        
        PID:2916
        
        C:\Windows\SysWOW64\vpqbby.exe
        
        C:\Windows\system32\vpqbby.exe 1020 "C:\Windows\SysWOW64\ydvglv.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:224
        
        C:\Windows\SysWOW64\vpqbby.exe
        
        1020 C:\Windows\SysWOW64\ydvglv.exe
        58⤵
        Executes dropped EXE
        
        PID:4880
        
        C:\Windows\SysWOW64\vadtqk.exe
        
        C:\Windows\system32\vadtqk.exe 1140 "C:\Windows\SysWOW64\vpqbby.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:708
        
        C:\Windows\SysWOW64\vadtqk.exe
        
        1140 C:\Windows\SysWOW64\vpqbby.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\vaezbj.exe
        
        C:\Windows\system32\vaezbj.exe 1032 "C:\Windows\SysWOW64\vadtqk.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4296
        
        C:\Windows\SysWOW64\vaezbj.exe
        
        1032 C:\Windows\SysWOW64\vadtqk.exe
        62⤵
        Executes dropped EXE
        
        PID:3108
        
        C:\Windows\SysWOW64\vmqrqn.exe
        
        C:\Windows\system32\vmqrqn.exe 1140 "C:\Windows\SysWOW64\vaezbj.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:4968
        
        C:\Windows\SysWOW64\vmqrqn.exe
        
        1140 C:\Windows\SysWOW64\vaezbj.exe
        64⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Windows\SysWOW64\sbxrru.exe
        
        C:\Windows\system32\sbxrru.exe 1028 "C:\Windows\SysWOW64\vmqrqn.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2128
        
        C:\Windows\SysWOW64\sbxrru.exe
        
        1028 C:\Windows\SysWOW64\vmqrqn.exe
        66⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\ywrubr.exe
        
        C:\Windows\system32\ywrubr.exe 1008 "C:\Windows\SysWOW64\sbxrru.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:3900
        
        C:\Windows\SysWOW64\ywrubr.exe
        
        1008 C:\Windows\SysWOW64\sbxrru.exe
        68⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\vtquuy.exe
        
        C:\Windows\system32\vtquuy.exe 1144 "C:\Windows\SysWOW64\ywrubr.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:3988
        
        C:\Windows\SysWOW64\vtquuy.exe
        
        1144 C:\Windows\SysWOW64\ywrubr.exe
        70⤵
        Drops file in System32 directory
        
        PID:60
        
        C:\Windows\SysWOW64\vinzmg.exe
        
        C:\Windows\system32\vinzmg.exe 1032 "C:\Windows\SysWOW64\vtquuy.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:2852
        
        C:\Windows\SysWOW64\vinzmg.exe
        
        1032 C:\Windows\SysWOW64\vtquuy.exe
        72⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\viofxg.exe
        
        C:\Windows\system32\viofxg.exe 1140 "C:\Windows\SysWOW64\vinzmg.exe"
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\viofxg.exe
        
        1140 C:\Windows\SysWOW64\vinzmg.exe
        74⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\trhnte.exe
        
        C:\Windows\system32\trhnte.exe 1032 "C:\Windows\SysWOW64\viofxg.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:5092
        
        C:\Windows\SysWOW64\trhnte.exe
        
        1032 C:\Windows\SysWOW64\viofxg.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\vbydla.exe
        
        C:\Windows\system32\vbydla.exe 1036 "C:\Windows\SysWOW64\trhnte.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:3064
        
        C:\Windows\SysWOW64\vbydla.exe
        
        1036 C:\Windows\SysWOW64\trhnte.exe
        78⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\akhytg.exe
        
        C:\Windows\system32\akhytg.exe 1008 "C:\Windows\SysWOW64\vbydla.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:4408
        
        C:\Windows\SysWOW64\akhytg.exe
        
        1008 C:\Windows\SysWOW64\vbydla.exe
        80⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\aotyqk.exe
        
        C:\Windows\system32\aotyqk.exe 1088 "C:\Windows\SysWOW64\akhytg.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:228
        
        C:\Windows\SysWOW64\aotyqk.exe
        
        1088 C:\Windows\SysWOW64\akhytg.exe
        82⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\adrvha.exe
        
        C:\Windows\system32\adrvha.exe 1028 "C:\Windows\SysWOW64\aotyqk.exe"
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\adrvha.exe
        
        1028 C:\Windows\SysWOW64\aotyqk.exe
        84⤵
        
        PID:448
        
        C:\Windows\SysWOW64\xxmqxv.exe
        
        C:\Windows\system32\xxmqxv.exe 1020 "C:\Windows\SysWOW64\adrvha.exe"
        85⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3540
        
        C:\Windows\SysWOW64\xxmqxv.exe
        
        1020 C:\Windows\SysWOW64\adrvha.exe
        86⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\sspokq.exe
        
        C:\Windows\system32\sspokq.exe 1012 "C:\Windows\SysWOW64\xxmqxv.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:3424
        
        C:\Windows\SysWOW64\sspokq.exe
        
        1012 C:\Windows\SysWOW64\xxmqxv.exe
        88⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\shflby.exe
        
        C:\Windows\system32\shflby.exe 1144 "C:\Windows\SysWOW64\sspokq.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:1172
        
        C:\Windows\SysWOW64\shflby.exe
        
        1144 C:\Windows\SysWOW64\sspokq.exe
        90⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\shgzny.exe
        
        C:\Windows\system32\shgzny.exe 1140 "C:\Windows\SysWOW64\shflby.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2872
        
        C:\Windows\SysWOW64\shgzny.exe
        
        1140 C:\Windows\SysWOW64\shflby.exe
        92⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\tssrjk.exe
        
        C:\Windows\system32\tssrjk.exe 1020 "C:\Windows\SysWOW64\shgzny.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:3012
        
        C:\Windows\SysWOW64\tssrjk.exe
        
        1020 C:\Windows\SysWOW64\shgzny.exe
        94⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\ptkefn.exe
        
        C:\Windows\system32\ptkefn.exe 1104 "C:\Windows\SysWOW64\tssrjk.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:1972
        
        C:\Windows\SysWOW64\ptkefn.exe
        
        1104 C:\Windows\SysWOW64\tssrjk.exe
        96⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\pxxxtz.exe
        
        C:\Windows\system32\pxxxtz.exe 1144 "C:\Windows\SysWOW64\ptkefn.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:2308
        
        C:\Windows\SysWOW64\pxxxtz.exe
        
        1144 C:\Windows\SysWOW64\ptkefn.exe
        98⤵
        
        PID:672
        
        C:\Windows\SysWOW64\twphdj.exe
        
        C:\Windows\system32\twphdj.exe 1008 "C:\Windows\SysWOW64\pxxxtz.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:4208
        
        C:\Windows\SysWOW64\twphdj.exe
        
        1008 C:\Windows\SysWOW64\pxxxtz.exe
        100⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\pxzvhu.exe
        
        C:\Windows\system32\pxzvhu.exe 1008 "C:\Windows\SysWOW64\twphdj.exe"
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\pxzvhu.exe
        
        1008 C:\Windows\SysWOW64\twphdj.exe
        102⤵
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\pblnvy.exe
        
        C:\Windows\system32\pblnvy.exe 1020 "C:\Windows\SysWOW64\pxzvhu.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:996
        
        C:\Windows\SysWOW64\pblnvy.exe
        
        1020 C:\Windows\SysWOW64\pxzvhu.exe
        104⤵
        
        PID:412
        
        C:\Windows\SysWOW64\sadyfh.exe
        
        C:\Windows\system32\sadyfh.exe 1032 "C:\Windows\SysWOW64\pblnvy.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:4600
        
        C:\Windows\SysWOW64\sadyfh.exe
        
        1032 C:\Windows\SysWOW64\pblnvy.exe
        106⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\nrfauw.exe
        
        C:\Windows\system32\nrfauw.exe 1144 "C:\Windows\SysWOW64\sadyfh.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:1236
        
        C:\Windows\SysWOW64\nrfauw.exe
        
        1144 C:\Windows\SysWOW64\sadyfh.exe
        108⤵
        
        PID:208
        
        C:\Windows\SysWOW64\ngcglm.exe
        
        C:\Windows\system32\ngcglm.exe 1140 "C:\Windows\SysWOW64\nrfauw.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:1232
        
        C:\Windows\SysWOW64\ngcglm.exe
        
        1140 C:\Windows\SysWOW64\nrfauw.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\nvsllu.exe
        
        C:\Windows\system32\nvsllu.exe 1008 "C:\Windows\SysWOW64\ngcglm.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:2312
        
        C:\Windows\SysWOW64\nvsllu.exe
        
        1008 C:\Windows\SysWOW64\ngcglm.exe
        112⤵
        
        PID:708
        
        C:\Windows\SysWOW64\ncqjcd.exe
        
        C:\Windows\system32\ncqjcd.exe 1140 "C:\Windows\SysWOW64\nvsllu.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:2956
        
        C:\Windows\SysWOW64\ncqjcd.exe
        
        1140 C:\Windows\SysWOW64\nvsllu.exe
        114⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\nkrwnk.exe
        
        C:\Windows\system32\nkrwnk.exe 1032 "C:\Windows\SysWOW64\ncqjcd.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:3140
        
        C:\Windows\SysWOW64\nkrwnk.exe
        
        1032 C:\Windows\SysWOW64\ncqjcd.exe
        116⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\nodoco.exe
        
        C:\Windows\system32\nodoco.exe 1036 "C:\Windows\SysWOW64\nkrwnk.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:5068
        
        C:\Windows\SysWOW64\nodoco.exe
        
        1036 C:\Windows\SysWOW64\nkrwnk.exe
        118⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\pgveuk.exe
        
        C:\Windows\system32\pgveuk.exe 1144 "C:\Windows\SysWOW64\nodoco.exe"
        119⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\pgveuk.exe
        
        1144 C:\Windows\SysWOW64\nodoco.exe
        120⤵
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\pnsjlb.exe
        
        C:\Windows\system32\pnsjlb.exe 1020 "C:\Windows\SysWOW64\pgveuk.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:764
        
        C:\Windows\SysWOW64\pnsjlb.exe
        
        1020 C:\Windows\SysWOW64\pgveuk.exe
        122⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\pyfcif.exe
        
        C:\Windows\system32\pyfcif.exe 1016 "C:\Windows\SysWOW64\pnsjlb.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:532
        
        C:\Windows\SysWOW64\pyfcif.exe
        
        1016 C:\Windows\SysWOW64\pnsjlb.exe
        124⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\pkruwr.exe
        
        C:\Windows\system32\pkruwr.exe 1020 "C:\Windows\SysWOW64\pyfcif.exe"
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\pkruwr.exe
        
        1020 C:\Windows\SysWOW64\pyfcif.exe
        126⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\qndnkv.exe
        
        C:\Windows\system32\qndnkv.exe 1040 "C:\Windows\SysWOW64\pkruwr.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:4808
        
        C:\Windows\SysWOW64\qndnkv.exe
        
        1040 C:\Windows\SysWOW64\pkruwr.exe
        128⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\nlkvdc.exe
        
        C:\Windows\system32\nlkvdc.exe 1140 "C:\Windows\SysWOW64\qndnkv.exe"
        129⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\nlkvdc.exe
        
        1140 C:\Windows\SysWOW64\qndnkv.exe
        130⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\nopnsg.exe
        
        C:\Windows\system32\nopnsg.exe 1020 "C:\Windows\SysWOW64\nlkvdc.exe"
        131⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\nopnsg.exe
        
        1020 C:\Windows\SysWOW64\nlkvdc.exe
        132⤵
        
        PID:956
        
        C:\Windows\SysWOW64\nwytln.exe
        
        C:\Windows\system32\nwytln.exe 1008 "C:\Windows\SysWOW64\nopnsg.exe"
        133⤵
        
        PID:804
        
        C:\Windows\SysWOW64\nwytln.exe
        
        1008 C:\Windows\SysWOW64\nopnsg.exe
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:3260
        
        C:\Windows\SysWOW64\citgci.exe
        
        C:\Windows\system32\citgci.exe 1032 "C:\Windows\SysWOW64\nwytln.exe"
        135⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\citgci.exe
        
        1032 C:\Windows\SysWOW64\nwytln.exe
        136⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cugyqu.exe
        
        C:\Windows\system32\cugyqu.exe 1140 "C:\Windows\SysWOW64\citgci.exe"
        137⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cugyqu.exe
        
        1140 C:\Windows\SysWOW64\citgci.exe
        138⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cxsyey.exe
        
        C:\Windows\system32\cxsyey.exe 1008 "C:\Windows\SysWOW64\cugyqu.exe"
        139⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cxsyey.exe
        
        1008 C:\Windows\SysWOW64\cugyqu.exe
        140⤵
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\ftvbay.exe
        
        C:\Windows\system32\ftvbay.exe 1020 "C:\Windows\SysWOW64\cxsyey.exe"
        141⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\ftvbay.exe
        
        1020 C:\Windows\SysWOW64\cxsyey.exe
        142⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\fpluic.exe
        
        C:\Windows\system32\fpluic.exe 1008 "C:\Windows\SysWOW64\ftvbay.exe"
        143⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\fpluic.exe
        
        1008 C:\Windows\SysWOW64\ftvbay.exe
        144⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cqdhmf.exe
        
        C:\Windows\system32\cqdhmf.exe 1144 "C:\Windows\SysWOW64\fpluic.exe"
        145⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cqdhmf.exe
        
        1144 C:\Windows\SysWOW64\fpluic.exe
        146⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cqemyn.exe
        
        C:\Windows\system32\cqemyn.exe 1140 "C:\Windows\SysWOW64\cqdhmf.exe"
        147⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cqemyn.exe
        
        1140 C:\Windows\SysWOW64\cqdhmf.exe
        148⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\zolmzm.exe
        
        C:\Windows\system32\zolmzm.exe 1072 "C:\Windows\SysWOW64\cqemyn.exe"
        149⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\zolmzm.exe
        
        1072 C:\Windows\SysWOW64\cqemyn.exe
        150⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cfdfbd.exe
        
        C:\Windows\system32\cfdfbd.exe 1036 "C:\Windows\SysWOW64\zolmzm.exe"
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\cfdfbd.exe
        
        1036 C:\Windows\SysWOW64\zolmzm.exe
        152⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cuscal.exe
        
        C:\Windows\system32\cuscal.exe 1148 "C:\Windows\SysWOW64\cfdfbd.exe"
        153⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\cuscal.exe
        
        1148 C:\Windows\SysWOW64\cfdfbd.exe
        154⤵
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\adlknj.exe
        
        C:\Windows\system32\adlknj.exe 1008 "C:\Windows\SysWOW64\cuscal.exe"
        155⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\adlknj.exe
        
        1008 C:\Windows\SysWOW64\cuscal.exe
        156⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cjrvdb.exe
        
        C:\Windows\system32\cjrvdb.exe 1032 "C:\Windows\SysWOW64\adlknj.exe"
        157⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cjrvdb.exe
        
        1032 C:\Windows\SysWOW64\adlknj.exe
        158⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cypauj.exe
        
        C:\Windows\system32\cypauj.exe 1136 "C:\Windows\SysWOW64\cjrvdb.exe"
        159⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cypauj.exe
        
        1136 C:\Windows\SysWOW64\cjrvdb.exe
        160⤵
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\ckbtiv.exe
        
        C:\Windows\system32\ckbtiv.exe 1028 "C:\Windows\SysWOW64\cypauj.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\ckbtiv.exe
        
        1028 C:\Windows\SysWOW64\cypauj.exe
        162⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\crrqze.exe
        
        C:\Windows\system32\crrqze.exe 1020 "C:\Windows\SysWOW64\ckbtiv.exe"
        163⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\crrqze.exe
        
        1020 C:\Windows\SysWOW64\ckbtiv.exe
        164⤵
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\ccdrwi.exe
        
        C:\Windows\system32\ccdrwi.exe 1008 "C:\Windows\SysWOW64\crrqze.exe"
        165⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\ccdrwi.exe
        
        1008 C:\Windows\SysWOW64\crrqze.exe
        166⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\zozemk.exe
        
        C:\Windows\system32\zozemk.exe 1012 "C:\Windows\SysWOW64\ccdrwi.exe"
        167⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\zozemk.exe
        
        1012 C:\Windows\SysWOW64\ccdrwi.exe
        168⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\zdwjdt.exe
        
        C:\Windows\system32\zdwjdt.exe 1140 "C:\Windows\SysWOW64\zozemk.exe"
        169⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\zdwjdt.exe
        
        1140 C:\Windows\SysWOW64\zozemk.exe
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\cdounk.exe
        
        C:\Windows\system32\cdounk.exe 1020 "C:\Windows\SysWOW64\zdwjdt.exe"
        171⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cdounk.exe
        
        1020 C:\Windows\SysWOW64\zdwjdt.exe
        172⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\zeghrn.exe
        
        C:\Windows\system32\zeghrn.exe 1016 "C:\Windows\SysWOW64\cdounk.exe"
        173⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\zeghrn.exe
        
        1016 C:\Windows\SysWOW64\cdounk.exe
        174⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cvyrbw.exe
        
        C:\Windows\system32\cvyrbw.exe 1028 "C:\Windows\SysWOW64\zeghrn.exe"
        175⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cvyrbw.exe
        
        1028 C:\Windows\SysWOW64\zeghrn.exe
        176⤵
        Drops file in System32 directory
        
        PID:4416
        
        C:\Windows\SysWOW64\ckoxsn.exe
        
        C:\Windows\system32\ckoxsn.exe 1008 "C:\Windows\SysWOW64\cvyrbw.exe"
        177⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\ckoxsn.exe
        
        1008 C:\Windows\SysWOW64\cvyrbw.exe
        178⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cwapgr.exe
        
        C:\Windows\system32\cwapgr.exe 1036 "C:\Windows\SysWOW64\ckoxsn.exe"
        179⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cwapgr.exe
        
        1036 C:\Windows\SysWOW64\ckoxsn.exe
        180⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cojaad.exe
        
        C:\Windows\system32\cojaad.exe 1020 "C:\Windows\SysWOW64\cwapgr.exe"
        181⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cojaad.exe
        
        1020 C:\Windows\SysWOW64\cwapgr.exe
        182⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\xfbsku.exe
        
        C:\Windows\system32\xfbsku.exe 1020 "C:\Windows\SysWOW64\cojaad.exe"
        183⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\xfbsku.exe
        
        1020 C:\Windows\SysWOW64\cojaad.exe
        184⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\udisdt.exe
        
        C:\Windows\system32\udisdt.exe 1008 "C:\Windows\SysWOW64\xfbsku.exe"
        185⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\udisdt.exe
        
        1008 C:\Windows\SysWOW64\xfbsku.exe
        186⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\usxqck.exe
        
        C:\Windows\system32\usxqck.exe 1028 "C:\Windows\SysWOW64\udisdt.exe"
        187⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\usxqck.exe
        
        1028 C:\Windows\SysWOW64\udisdt.exe
        188⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:692
        
        C:\Windows\SysWOW64\upvqlf.exe
        
        C:\Windows\system32\upvqlf.exe 1020 "C:\Windows\SysWOW64\usxqck.exe"
        189⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\upvqlf.exe
        
        1020 C:\Windows\SysWOW64\usxqck.exe
        190⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\xvbbax.exe
        
        C:\Windows\system32\xvbbax.exe 1020 "C:\Windows\SysWOW64\upvqlf.exe"
        191⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\xvbbax.exe
        
        1020 C:\Windows\SysWOW64\upvqlf.exe
        192⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\rqgjsq.exe
        
        C:\Windows\system32\rqgjsq.exe 1028 "C:\Windows\SysWOW64\xvbbax.exe"
        193⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\rqgjsq.exe
        
        1028 C:\Windows\SysWOW64\xvbbax.exe
        194⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\utjgfd.exe
        
        C:\Windows\system32\utjgfd.exe 1144 "C:\Windows\SysWOW64\rqgjsq.exe"
        195⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\utjgfd.exe
        
        1144 C:\Windows\SysWOW64\rqgjsq.exe
        196⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\riqggk.exe
        
        C:\Windows\system32\riqggk.exe 1020 "C:\Windows\SysWOW64\utjgfd.exe"
        197⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\riqggk.exe
        
        1020 C:\Windows\SysWOW64\utjgfd.exe
        198⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\sqruss.exe
        
        C:\Windows\system32\sqruss.exe 1020 "C:\Windows\SysWOW64\riqggk.exe"
        199⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\sqruss.exe
        
        1020 C:\Windows\SysWOW64\riqggk.exe
        200⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\pgyulr.exe
        
        C:\Windows\system32\pgyulr.exe 1032 "C:\Windows\SysWOW64\sqruss.exe"
        201⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\pgyulr.exe
        
        1032 C:\Windows\SysWOW64\sqruss.exe
        202⤵
        Drops file in System32 directory
        
        PID:4372
        
        C:\Windows\SysWOW64\mauhjt.exe
        
        C:\Windows\system32\mauhjt.exe 1032 "C:\Windows\SysWOW64\pgyulr.exe"
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\mauhjt.exe
        
        1032 C:\Windows\SysWOW64\pgyulr.exe
        204⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\mavnvt.exe
        
        C:\Windows\system32\mavnvt.exe 1036 "C:\Windows\SysWOW64\mauhjt.exe"
        205⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\mavnvt.exe
        
        1036 C:\Windows\SysWOW64\mauhjt.exe
        206⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\mlhfjf.exe
        
        C:\Windows\system32\mlhfjf.exe 1144 "C:\Windows\SysWOW64\mavnvt.exe"
        207⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\mlhfjf.exe
        
        1144 C:\Windows\SysWOW64\mavnvt.exe
        208⤵
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\msfkan.exe
        
        C:\Windows\system32\msfkan.exe 1008 "C:\Windows\SysWOW64\mlhfjf.exe"
        209⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\msfkan.exe
        
        1008 C:\Windows\SysWOW64\mlhfjf.exe
        210⤵
        
        PID:748
        
        C:\Windows\SysWOW64\mtgdua.exe
        
        C:\Windows\system32\mtgdua.exe 1020 "C:\Windows\SysWOW64\msfkan.exe"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\mtgdua.exe
        
        1020 C:\Windows\SysWOW64\msfkan.exe
        212⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\mpevld.exe
        
        C:\Windows\system32\mpevld.exe 1140 "C:\Windows\SysWOW64\mtgdua.exe"
        213⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\mpevld.exe
        
        1140 C:\Windows\SysWOW64\mtgdua.exe
        214⤵
        
        PID:456
        
        C:\Windows\SysWOW64\jqoihp.exe
        
        C:\Windows\system32\jqoihp.exe 1020 "C:\Windows\SysWOW64\mpevld.exe"
        215⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\jqoihp.exe
        
        1020 C:\Windows\SysWOW64\mpevld.exe
        216⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\juabvt.exe
        
        C:\Windows\system32\juabvt.exe 1020 "C:\Windows\SysWOW64\jqoihp.exe"
        217⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\juabvt.exe
        
        1020 C:\Windows\SysWOW64\jqoihp.exe
        218⤵
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\mxdyig.exe
        
        C:\Windows\system32\mxdyig.exe 1020 "C:\Windows\SysWOW64\juabvt.exe"
        219⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\mxdyig.exe
        
        1020 C:\Windows\SysWOW64\juabvt.exe
        220⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\pagwuu.exe
        
        C:\Windows\system32\pagwuu.exe 1008 "C:\Windows\SysWOW64\mxdyig.exe"
        221⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\pagwuu.exe
        
        1008 C:\Windows\SysWOW64\mxdyig.exe
        222⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\mtrjqf.exe
        
        C:\Windows\system32\mtrjqf.exe 1036 "C:\Windows\SysWOW64\pagwuu.exe"
        223⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\mtrjqf.exe
        
        1036 C:\Windows\SysWOW64\pagwuu.exe
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\psiuao.exe
        
        C:\Windows\system32\psiuao.exe 1144 "C:\Windows\SysWOW64\mtrjqf.exe"
        225⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\psiuao.exe
        
        1144 C:\Windows\SysWOW64\mtrjqf.exe
        226⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\mqpubv.exe
        
        C:\Windows\system32\mqpubv.exe 1008 "C:\Windows\SysWOW64\psiuao.exe"
        227⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\mqpubv.exe
        
        1008 C:\Windows\SysWOW64\psiuao.exe
        228⤵
        
        PID:540
        
        C:\Windows\SysWOW64\mxnzsd.exe
        
        C:\Windows\system32\mxnzsd.exe 1008 "C:\Windows\SysWOW64\mqpubv.exe"
        229⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\mxnzsd.exe
        
        1008 C:\Windows\SysWOW64\mqpubv.exe
        230⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\eizshp.exe
        
        C:\Windows\system32\eizshp.exe 1012 "C:\Windows\SysWOW64\mxnzsd.exe"
        231⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\eizshp.exe
        
        1012 C:\Windows\SysWOW64\mxnzsd.exe
        232⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\eiafsp.exe
        
        C:\Windows\system32\eiafsp.exe 1008 "C:\Windows\SysWOW64\eizshp.exe"
        233⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\eiafsp.exe
        
        1008 C:\Windows\SysWOW64\eizshp.exe
        234⤵
        
        PID:60
        
        C:\Windows\SysWOW64\exycrx.exe
        
        C:\Windows\system32\exycrx.exe 1032 "C:\Windows\SysWOW64\eiafsp.exe"
        235⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\exycrx.exe
        
        1032 C:\Windows\SysWOW64\eiafsp.exe
        236⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\bruyia.exe
        
        C:\Windows\system32\bruyia.exe 1140 "C:\Windows\SysWOW64\exycrx.exe"
        237⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\bruyia.exe
        
        1140 C:\Windows\SysWOW64\exycrx.exe
        238⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\byjdzi.exe
        
        C:\Windows\system32\byjdzi.exe 1008 "C:\Windows\SysWOW64\bruyia.exe"
        239⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\byjdzi.exe
        
        1008 C:\Windows\SysWOW64\bruyia.exe
        240⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\eyjojz.exe
        
        C:\Windows\system32\eyjojz.exe 1008 "C:\Windows\SysWOW64\byjdzi.exe"
        241⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\eyjojz.exe
        
        1008 C:\Windows\SysWOW64\byjdzi.exe
        242⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\enztai.exe
        
        C:\Windows\system32\enztai.exe 1020 "C:\Windows\SysWOW64\eyjojz.exe"
        243⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\enztai.exe
        
        1020 C:\Windows\SysWOW64\eyjojz.exe
        244⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\bcgtbo.exe
        
        C:\Windows\system32\bcgtbo.exe 1020 "C:\Windows\SysWOW64\enztai.exe"
        245⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\bcgtbo.exe
        
        1020 C:\Windows\SysWOW64\enztai.exe
        246⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\boslps.exe
        
        C:\Windows\system32\boslps.exe 1140 "C:\Windows\SysWOW64\bcgtbo.exe"
        247⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\boslps.exe
        
        1140 C:\Windows\SysWOW64\bcgtbo.exe
        248⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\bzeeew.exe
        
        C:\Windows\system32\bzeeew.exe 1140 "C:\Windows\SysWOW64\boslps.exe"
        249⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\bzeeew.exe
        
        1140 C:\Windows\SysWOW64\boslps.exe
        250⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\bdrwsi.exe
        
        C:\Windows\system32\bdrwsi.exe 1008 "C:\Windows\SysWOW64\bzeeew.exe"
        251⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\bdrwsi.exe
        
        1008 C:\Windows\SysWOW64\bzeeew.exe
        252⤵
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\bodphm.exe
        
        C:\Windows\system32\bodphm.exe 1020 "C:\Windows\SysWOW64\bdrwsi.exe"
        253⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\bodphm.exe
        
        1020 C:\Windows\SysWOW64\bdrwsi.exe
        254⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\bsphvy.exe
        
        C:\Windows\system32\bsphvy.exe 1016 "C:\Windows\SysWOW64\bodphm.exe"
        255⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\bsphvy.exe
        
        1016 C:\Windows\SysWOW64\bodphm.exe
        256⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\bhfmuh.exe
        
        C:\Windows\system32\bhfmuh.exe 1132 "C:\Windows\SysWOW64\bsphvy.exe"
        257⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\bhfmuh.exe
        
        1132 C:\Windows\SysWOW64\bsphvy.exe
        258⤵
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\chosgp.exe
        
        C:\Windows\system32\chosgp.exe 1144 "C:\Windows\SysWOW64\bhfmuh.exe"
        259⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\chosgp.exe
        
        1144 C:\Windows\SysWOW64\bhfmuh.exe
        260⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\zbknwj.exe
        
        C:\Windows\system32\zbknwj.exe 1008 "C:\Windows\SysWOW64\chosgp.exe"
        261⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\zbknwj.exe
        
        1008 C:\Windows\SysWOW64\chosgp.exe
        262⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\bonqrj.exe
        
        C:\Windows\system32\bonqrj.exe 1148 "C:\Windows\SysWOW64\zbknwj.exe"
        263⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\bonqrj.exe
        
        1148 C:\Windows\SysWOW64\zbknwj.exe
        264⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\bazifv.exe
        
        C:\Windows\system32\bazifv.exe 1140 "C:\Windows\SysWOW64\bonqrj.exe"
        265⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\bazifv.exe
        
        1140 C:\Windows\SysWOW64\bonqrj.exe
        266⤵
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\errtpf.exe
        
        C:\Windows\system32\errtpf.exe 1008 "C:\Windows\SysWOW64\bazifv.exe"
        267⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\errtpf.exe
        
        1008 C:\Windows\SysWOW64\bazifv.exe
        268⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\bpqtqm.exe
        
        C:\Windows\system32\bpqtqm.exe 1140 "C:\Windows\SysWOW64\errtpf.exe"
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\bpqtqm.exe
        
        1140 C:\Windows\SysWOW64\errtpf.exe
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\baclfq.exe
        
        C:\Windows\system32\baclfq.exe 1020 "C:\Windows\SysWOW64\bpqtqm.exe"
        271⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\baclfq.exe
        
        1020 C:\Windows\SysWOW64\bpqtqm.exe
        272⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\bparwy.exe
        
        C:\Windows\system32\bparwy.exe 1008 "C:\Windows\SysWOW64\baclfq.exe"
        273⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\bparwy.exe
        
        1008 C:\Windows\SysWOW64\baclfq.exe
        274⤵
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\ekdoil.exe
        
        C:\Windows\system32\ekdoil.exe 1008 "C:\Windows\SysWOW64\bparwy.exe"
        275⤵
        
        PID:640
        
        C:\Windows\SysWOW64\ekdoil.exe
        
        1008 C:\Windows\SysWOW64\bparwy.exe
        276⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\ewphxx.exe
        
        C:\Windows\system32\ewphxx.exe 1032 "C:\Windows\SysWOW64\ekdoil.exe"
        277⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\ewphxx.exe
        
        1032 C:\Windows\SysWOW64\ekdoil.exe
        278⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\tlwhye.exe
        
        C:\Windows\system32\tlwhye.exe 1016 "C:\Windows\SysWOW64\ewphxx.exe"
        279⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\tlwhye.exe
        
        1016 C:\Windows\SysWOW64\ewphxx.exe
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\txazmi.exe
        
        C:\Windows\system32\txazmi.exe 1008 "C:\Windows\SysWOW64\tlwhye.exe"
        281⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\txazmi.exe
        
        1008 C:\Windows\SysWOW64\tlwhye.exe
        282⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\uxjnyi.exe
        
        C:\Windows\system32\uxjnyi.exe 1140 "C:\Windows\SysWOW64\txazmi.exe"
        283⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\uxjnyi.exe
        
        1140 C:\Windows\SysWOW64\txazmi.exe
        284⤵
        Drops file in System32 directory
        
        PID:788
        
        C:\Windows\SysWOW64\qyusut.exe
        
        C:\Windows\system32\qyusut.exe 1020 "C:\Windows\SysWOW64\uxjnyi.exe"
        285⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\qyusut.exe
        
        1020 C:\Windows\SysWOW64\uxjnyi.exe
        286⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\rgvfnb.exe
        
        C:\Windows\system32\rgvfnb.exe 1008 "C:\Windows\SysWOW64\qyusut.exe"
        287⤵
        
        PID:516
        
        C:\Windows\SysWOW64\rgvfnb.exe
        
        1008 C:\Windows\SysWOW64\qyusut.exe
        288⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\rjhxcf.exe
        
        C:\Windows\system32\rjhxcf.exe 1088 "C:\Windows\SysWOW64\rgvfnb.exe"
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\rjhxcf.exe
        
        1088 C:\Windows\SysWOW64\rgvfnb.exe
        290⤵
        Drops file in System32 directory
        
        PID:3140
        
        C:\Windows\SysWOW64\rvtqqj.exe
        
        C:\Windows\system32\rvtqqj.exe 1032 "C:\Windows\SysWOW64\rjhxcf.exe"
        291⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\rvtqqj.exe
        
        1032 C:\Windows\SysWOW64\rjhxcf.exe
        292⤵
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\okaqjq.exe
        
        C:\Windows\system32\okaqjq.exe 1036 "C:\Windows\SysWOW64\rvtqqj.exe"
        293⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\okaqjq.exe
        
        1036 C:\Windows\SysWOW64\rvtqqj.exe
        294⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\osbvvx.exe
        
        C:\Windows\system32\osbvvx.exe 1032 "C:\Windows\SysWOW64\okaqjq.exe"
        295⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\osbvvx.exe
        
        1032 C:\Windows\SysWOW64\okaqjq.exe
        296⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\lexqts.exe
        
        C:\Windows\system32\lexqts.exe 1028 "C:\Windows\SysWOW64\osbvvx.exe"
        297⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\lexqts.exe
        
        1028 C:\Windows\SysWOW64\osbvvx.exe
        298⤵
        System Location Discovery: System Language Discovery
        
        PID:3016
        
        C:\Windows\SysWOW64\jcermz.exe
        
        C:\Windows\system32\jcermz.exe 1008 "C:\Windows\SysWOW64\lexqts.exe"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\jcermz.exe
        
        1008 C:\Windows\SysWOW64\lexqts.exe
        300⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\jcfwxz.exe
        
        C:\Windows\system32\jcfwxz.exe 1032 "C:\Windows\SysWOW64\jcermz.exe"
        301⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\jcfwxz.exe
        
        1032 C:\Windows\SysWOW64\jcermz.exe
        302⤵
        
        PID:456
        
        C:\Windows\SysWOW64\gamwzg.exe
        
        C:\Windows\system32\gamwzg.exe 1072 "C:\Windows\SysWOW64\jcfwxz.exe"
        303⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\gamwzg.exe
        
        1072 C:\Windows\SysWOW64\jcfwxz.exe
        304⤵
        Drops file in System32 directory
        
        PID:3164
        
        C:\Windows\SysWOW64\dmirpi.exe
        
        C:\Windows\system32\dmirpi.exe 1032 "C:\Windows\SysWOW64\gamwzg.exe"
        305⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\dmirpi.exe
        
        1032 C:\Windows\SysWOW64\gamwzg.exe
        306⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\gswuea.exe
        
        C:\Windows\system32\gswuea.exe 1012 "C:\Windows\SysWOW64\dmirpi.exe"
        307⤵
        
        PID:208
        
        C:\Windows\SysWOW64\gswuea.exe
        
        1012 C:\Windows\SysWOW64\dmirpi.exe
        308⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\dbgcay.exe
        
        C:\Windows\system32\dbgcay.exe 1032 "C:\Windows\SysWOW64\gswuea.exe"
        309⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\dbgcay.exe
        
        1032 C:\Windows\SysWOW64\gswuea.exe
        310⤵
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\dmtuoc.exe
        
        C:\Windows\system32\dmtuoc.exe 1028 "C:\Windows\SysWOW64\dbgcay.exe"
        311⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\dmtuoc.exe
        
        1028 C:\Windows\SysWOW64\dbgcay.exe
        312⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\emuaak.exe
        
        C:\Windows\system32\emuaak.exe 1020 "C:\Windows\SysWOW64\dmtuoc.exe"
        313⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\emuaak.exe
        
        1020 C:\Windows\SysWOW64\dmtuoc.exe
        314⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\bnmnvn.exe
        
        C:\Windows\system32\bnmnvn.exe 1048 "C:\Windows\SysWOW64\emuaak.exe"
        315⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\bnmnvn.exe
        
        1048 C:\Windows\SysWOW64\emuaak.exe
        316⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\eneyfw.exe
        
        C:\Windows\system32\eneyfw.exe 1036 "C:\Windows\SysWOW64\bnmnvn.exe"
        317⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\eneyfw.exe
        
        1036 C:\Windows\SysWOW64\bnmnvn.exe
        318⤵
        Drops file in System32 directory
        
        PID:3536
        
        C:\Windows\SysWOW64\eqqqui.exe
        
        C:\Windows\system32\eqqqui.exe 1020 "C:\Windows\SysWOW64\eneyfw.exe"
        319⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\eqqqui.exe
        
        1020 C:\Windows\SysWOW64\eneyfw.exe
        320⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\bopqvh.exe
        
        C:\Windows\system32\bopqvh.exe 1012 "C:\Windows\SysWOW64\eqqqui.exe"
        321⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\bopqvh.exe
        
        1012 C:\Windows\SysWOW64\eqqqui.exe
        322⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\bzcqjt.exe
        
        C:\Windows\system32\bzcqjt.exe 1020 "C:\Windows\SysWOW64\bopqvh.exe"
        323⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\bzcqjt.exe
        
        1020 C:\Windows\SysWOW64\bopqvh.exe
        324⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\qpircs.exe
        
        C:\Windows\system32\qpircs.exe 1148 "C:\Windows\SysWOW64\bzcqjt.exe"
        325⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\qpircs.exe
        
        1148 C:\Windows\SysWOW64\bzcqjt.exe
        326⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\qpkwwa.exe
        
        C:\Windows\system32\qpkwwa.exe 1012 "C:\Windows\SysWOW64\qpircs.exe"
        327⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\qpkwwa.exe
        
        1012 C:\Windows\SysWOW64\qpircs.exe
        328⤵
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\qehbni.exe
        
        C:\Windows\system32\qehbni.exe 1032 "C:\Windows\SysWOW64\qpkwwa.exe"
        329⤵
        
        PID:636
        
        C:\Windows\SysWOW64\qehbni.exe
        
        1032 C:\Windows\SysWOW64\qpkwwa.exe
        330⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\qmihyq.exe
        
        C:\Windows\system32\qmihyq.exe 1008 "C:\Windows\SysWOW64\qehbni.exe"
        331⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\qmihyq.exe
        
        1008 C:\Windows\SysWOW64\qehbni.exe
        332⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\nbphrp.exe
        
        C:\Windows\system32\nbphrp.exe 1012 "C:\Windows\SysWOW64\qmihyq.exe"
        333⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\nbphrp.exe
        
        1012 C:\Windows\SysWOW64\qmihyq.exe
        334⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\ojqudx.exe
        
        C:\Windows\system32\ojqudx.exe 1008 "C:\Windows\SysWOW64\nbphrp.exe"
        335⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\ojqudx.exe
        
        1008 C:\Windows\SysWOW64\nbphrp.exe
        336⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\lzxuee.exe
        
        C:\Windows\system32\lzxuee.exe 1012 "C:\Windows\SysWOW64\ojqudx.exe"
        337⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\lzxuee.exe
        
        1012 C:\Windows\SysWOW64\ojqudx.exe
        338⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\llknsi.exe
        
        C:\Windows\system32\llknsi.exe 1028 "C:\Windows\SysWOW64\lzxuee.exe"
        339⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\llknsi.exe
        
        1028 C:\Windows\SysWOW64\lzxuee.exe
        340⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\lowfhm.exe
        
        C:\Windows\system32\lowfhm.exe 1012 "C:\Windows\SysWOW64\llknsi.exe"
        341⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\lowfhm.exe
        
        1012 C:\Windows\SysWOW64\llknsi.exe
        342⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\imdfit.exe
        
        C:\Windows\system32\imdfit.exe 1012 "C:\Windows\SysWOW64\lowfhm.exe"
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\imdfit.exe
        
        1012 C:\Windows\SysWOW64\lowfhm.exe
        344⤵
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\lpydug.exe
        
        C:\Windows\system32\lpydug.exe 1008 "C:\Windows\SysWOW64\imdfit.exe"
        345⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\lpydug.exe
        
        1008 C:\Windows\SysWOW64\imdfit.exe
        346⤵
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\lskvjs.exe
        
        C:\Windows\system32\lskvjs.exe 1028 "C:\Windows\SysWOW64\lpydug.exe"
        347⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\lskvjs.exe
        
        1028 C:\Windows\SysWOW64\lpydug.exe
        348⤵
        
        PID:448
        
        C:\Windows\SysWOW64\lexoxw.exe
        
        C:\Windows\system32\lexoxw.exe 1028 "C:\Windows\SysWOW64\lskvjs.exe"
        349⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\lexoxw.exe
        
        1028 C:\Windows\SysWOW64\lskvjs.exe
        350⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\iqsbnz.exe
        
        C:\Windows\system32\iqsbnz.exe 1008 "C:\Windows\SysWOW64\lexoxw.exe"
        351⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\iqsbnz.exe
        
        1008 C:\Windows\SysWOW64\lexoxw.exe
        352⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\ibftkd.exe
        
        C:\Windows\system32\ibftkd.exe 1008 "C:\Windows\SysWOW64\iqsbnz.exe"
        353⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\ibftkd.exe
        
        1008 C:\Windows\SysWOW64\iqsbnz.exe
        354⤵
        
        PID:768
        
        C:\Windows\SysWOW64\jnruyp.exe
        
        C:\Windows\system32\jnruyp.exe 1020 "C:\Windows\SysWOW64\ibftkd.exe"
        355⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\jnruyp.exe
        
        1020 C:\Windows\SysWOW64\ibftkd.exe
        356⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\jqdmnt.exe
        
        C:\Windows\system32\jqdmnt.exe 1020 "C:\Windows\SysWOW64\jnruyp.exe"
        357⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\jqdmnt.exe
        
        1020 C:\Windows\SysWOW64\jnruyp.exe
        358⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\gokmga.exe
        
        C:\Windows\system32\gokmga.exe 1140 "C:\Windows\SysWOW64\jqdmnt.exe"
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\gokmga.exe
        
        1140 C:\Windows\SysWOW64\jqdmnt.exe
        360⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\irnksn.exe
        
        C:\Windows\system32\irnksn.exe 1144 "C:\Windows\SysWOW64\gokmga.exe"
        361⤵
        
        PID:692
        
        C:\Windows\SysWOW64\irnksn.exe
        
        1144 C:\Windows\SysWOW64\gokmga.exe
        362⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\ggmktu.exe
        
        C:\Windows\system32\ggmktu.exe 1008 "C:\Windows\SysWOW64\irnksn.exe"
        363⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\ggmktu.exe
        
        1008 C:\Windows\SysWOW64\irnksn.exe
        364⤵
        System Location Discovery: System Language Discovery
        
        PID:4692
        
        C:\Windows\SysWOW64\govpfu.exe
        
        C:\Windows\system32\govpfu.exe 1012 "C:\Windows\SysWOW64\ggmktu.exe"
        365⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\govpfu.exe
        
        1012 C:\Windows\SysWOW64\ggmktu.exe
        366⤵
        Drops file in System32 directory
        
        PID:1492
        
        C:\Windows\SysWOW64\gsiity.exe
        
        C:\Windows\system32\gsiity.exe 1008 "C:\Windows\SysWOW64\govpfu.exe"
        367⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\gsiity.exe
        
        1008 C:\Windows\SysWOW64\govpfu.exe
        368⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\dtsvpj.exe
        
        C:\Windows\system32\dtsvpj.exe 1144 "C:\Windows\SysWOW64\gsiity.exe"
        369⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\dtsvpj.exe
        
        1144 C:\Windows\SysWOW64\gsiity.exe
        370⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\veenmn.exe
        
        C:\Windows\system32\veenmn.exe 1032 "C:\Windows\SysWOW64\dtsvpj.exe"
        371⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\veenmn.exe
        
        1032 C:\Windows\SysWOW64\dtsvpj.exe
        372⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\snpvzl.exe
        
        C:\Windows\system32\snpvzl.exe 1008 "C:\Windows\SysWOW64\veenmn.exe"
        373⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\snpvzl.exe
        
        1008 C:\Windows\SysWOW64\veenmn.exe
        374⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\scmbqc.exe
        
        C:\Windows\system32\scmbqc.exe 1160 "C:\Windows\SysWOW64\snpvzl.exe"
        375⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\scmbqc.exe
        
        1160 C:\Windows\SysWOW64\snpvzl.exe
        376⤵
        
        PID:332
        
        C:\Windows\SysWOW64\tcngcb.exe
        
        C:\Windows\system32\tcngcb.exe 1012 "C:\Windows\SysWOW64\scmbqc.exe"
        377⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\tcngcb.exe
        
        1012 C:\Windows\SysWOW64\scmbqc.exe
        378⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\tfazqn.exe
        
        C:\Windows\system32\tfazqn.exe 1008 "C:\Windows\SysWOW64\tcngcb.exe"
        379⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\tfazqn.exe
        
        1008 C:\Windows\SysWOW64\tcngcb.exe
        380⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\trmrnr.exe
        
        C:\Windows\system32\trmrnr.exe 1144 "C:\Windows\SysWOW64\tfazqn.exe"
        381⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\trmrnr.exe
        
        1144 C:\Windows\SysWOW64\tfazqn.exe
        382⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\pseeid.exe
        
        C:\Windows\system32\pseeid.exe 1020 "C:\Windows\SysWOW64\trmrnr.exe"
        383⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\pseeid.exe
        
        1020 C:\Windows\SysWOW64\trmrnr.exe
        384⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\qsfjuc.exe
        
        C:\Windows\system32\qsfjuc.exe 1028 "C:\Windows\SysWOW64\pseeid.exe"
        385⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\qsfjuc.exe
        
        1028 C:\Windows\SysWOW64\pseeid.exe
        386⤵
        Drops file in System32 directory
        
        PID:3620
        
        C:\Windows\SysWOW64\nqmkvj.exe
        
        C:\Windows\system32\nqmkvj.exe 1020 "C:\Windows\SysWOW64\qsfjuc.exe"
        387⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\nqmkvj.exe
        
        1020 C:\Windows\SysWOW64\qsfjuc.exe
        388⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\nqnxhj.exe
        
        C:\Windows\system32\nqnxhj.exe 1028 "C:\Windows\SysWOW64\nqmkvj.exe"
        389⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\nqnxhj.exe
        
        1028 C:\Windows\SysWOW64\nqmkvj.exe
        390⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\nfdcyz.exe
        
        C:\Windows\system32\nfdcyz.exe 1144 "C:\Windows\SysWOW64\nqnxhj.exe"
        391⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\nfdcyz.exe
        
        1144 C:\Windows\SysWOW64\nqnxhj.exe
        392⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\nubaph.exe
        
        C:\Windows\system32\nubaph.exe 1028 "C:\Windows\SysWOW64\nfdcyz.exe"
        393⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\nubaph.exe
        
        1028 C:\Windows\SysWOW64\nfdcyz.exe
        394⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\nucnbh.exe
        
        C:\Windows\system32\nucnbh.exe 1008 "C:\Windows\SysWOW64\nubaph.exe"
        395⤵
        
        PID:208
        
        C:\Windows\SysWOW64\nucnbh.exe
        
        1008 C:\Windows\SysWOW64\nubaph.exe
        396⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\njztax.exe
        
        C:\Windows\system32\njztax.exe 1012 "C:\Windows\SysWOW64\nucnbh.exe"
        397⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\njztax.exe
        
        1012 C:\Windows\SysWOW64\nucnbh.exe
        398⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\qlcqel.exe
        
        C:\Windows\system32\qlcqel.exe 1012 "C:\Windows\SysWOW64\njztax.exe"
        399⤵
        
        PID:432
        
        C:\Windows\SysWOW64\qlcqel.exe
        
        1012 C:\Windows\SysWOW64\njztax.exe
        400⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\qppjbp.exe
        
        C:\Windows\system32\qppjbp.exe 1080 "C:\Windows\SysWOW64\qlcqel.exe"
        401⤵
        
        PID:8
        
        C:\Windows\SysWOW64\qppjbp.exe
        
        1080 C:\Windows\SysWOW64\qlcqel.exe
        402⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\nmojuw.exe
        
        C:\Windows\system32\nmojuw.exe 1144 "C:\Windows\SysWOW64\qppjbp.exe"
        403⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\nmojuw.exe
        
        1144 C:\Windows\SysWOW64\qppjbp.exe
        404⤵
        System Location Discovery: System Language Discovery
        
        PID:4136
        
        C:\Windows\SysWOW64\nyabia.exe
        
        C:\Windows\system32\nyabia.exe 1008 "C:\Windows\SysWOW64\nmojuw.exe"
        405⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\nyabia.exe
        
        1008 C:\Windows\SysWOW64\nmojuw.exe
        406⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\nfygzq.exe
        
        C:\Windows\system32\nfygzq.exe 1008 "C:\Windows\SysWOW64\nyabia.exe"
        407⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\nfygzq.exe
        
        1008 C:\Windows\SysWOW64\nyabia.exe
        408⤵
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\qeprjz.exe
        
        C:\Windows\system32\qeprjz.exe 1008 "C:\Windows\SysWOW64\nfygzq.exe"
        409⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\qeprjz.exe
        
        1008 C:\Windows\SysWOW64\nfygzq.exe
        410⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\nqlehc.exe
        
        C:\Windows\system32\nqlehc.exe 1144 "C:\Windows\SysWOW64\qeprjz.exe"
        411⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\nqlehc.exe
        
        1144 C:\Windows\SysWOW64\qeprjz.exe
        412⤵
        
        PID:672
        
        C:\Windows\SysWOW64\ncxxwg.exe
        
        C:\Windows\system32\ncxxwg.exe 1008 "C:\Windows\SysWOW64\nqlehc.exe"
        413⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\ncxxwg.exe
        
        1008 C:\Windows\SysWOW64\nqlehc.exe
        414⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\lotsmj.exe
        
        C:\Windows\system32\lotsmj.exe 1028 "C:\Windows\SysWOW64\ncxxwg.exe"
        415⤵
        System Location Discovery: System Language Discovery
        
        PID:4176
        
        C:\Windows\SysWOW64\lotsmj.exe
        
        1028 C:\Windows\SysWOW64\ncxxwg.exe
        416⤵
        
        PID:664
        
        C:\Windows\SysWOW64\kdrpdr.exe
        
        C:\Windows\system32\kdrpdr.exe 1008 "C:\Windows\SysWOW64\lotsmj.exe"
        417⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\kdrpdr.exe
        
        1008 C:\Windows\SysWOW64\lotsmj.exe
        418⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\axmkct.exe
        
        C:\Windows\system32\axmkct.exe 1008 "C:\Windows\SysWOW64\kdrpdr.exe"
        419⤵
        
        PID:180
        
        C:\Windows\SysWOW64\axmkct.exe
        
        1008 C:\Windows\SysWOW64\kdrpdr.exe
        420⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\dspioh.exe
        
        C:\Windows\system32\dspioh.exe 1008 "C:\Windows\SysWOW64\axmkct.exe"
        421⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\dspioh.exe
        
        1008 C:\Windows\SysWOW64\axmkct.exe
        422⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\decadl.exe
        
        C:\Windows\system32\decadl.exe 1008 "C:\Windows\SysWOW64\dspioh.exe"
        423⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\decadl.exe
        
        1008 C:\Windows\SysWOW64\dspioh.exe
        424⤵
        
        PID:668
        
        C:\Windows\SysWOW64\zfmnyw.exe
        
        C:\Windows\system32\zfmnyw.exe 1012 "C:\Windows\SysWOW64\decadl.exe"
        425⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\zfmnyw.exe
        
        1012 C:\Windows\SysWOW64\decadl.exe
        426⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\dweyif.exe
        
        C:\Windows\system32\dweyif.exe 1012 "C:\Windows\SysWOW64\zfmnyw.exe"
        427⤵
        
        PID:888
        
        C:\Windows\SysWOW64\dweyif.exe
        
        1012 C:\Windows\SysWOW64\zfmnyw.exe
        428⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\diqrfr.exe
        
        C:\Windows\system32\diqrfr.exe 1028 "C:\Windows\SysWOW64\dweyif.exe"
        429⤵
        
        PID:208
        
        C:\Windows\SysWOW64\diqrfr.exe
        
        1028 C:\Windows\SysWOW64\dweyif.exe
        430⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\afxryq.exe
        
        C:\Windows\system32\afxryq.exe 1028 "C:\Windows\SysWOW64\diqrfr.exe"
        431⤵
        
        PID:936
        
        C:\Windows\SysWOW64\afxryq.exe
        
        1028 C:\Windows\SysWOW64\diqrfr.exe
        432⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\afywjy.exe
        
        C:\Windows\system32\afywjy.exe 1028 "C:\Windows\SysWOW64\afxryq.exe"
        433⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\afywjy.exe
        
        1028 C:\Windows\SysWOW64\afxryq.exe
        434⤵
        
        PID:400
        
        C:\Windows\SysWOW64\xrurzs.exe
        
        C:\Windows\system32\xrurzs.exe 1008 "C:\Windows\SysWOW64\afywjy.exe"
        435⤵
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\xrurzs.exe
        
        1008 C:\Windows\SysWOW64\afywjy.exe
        436⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\vlqeyv.exe
        
        C:\Windows\system32\vlqeyv.exe 1008 "C:\Windows\SysWOW64\xrurzs.exe"
        437⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\vlqeyv.exe
        
        1008 C:\Windows\SysWOW64\xrurzs.exe
        438⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\vpcxmh.exe
        
        C:\Windows\system32\vpcxmh.exe 1008 "C:\Windows\SysWOW64\vlqeyv.exe"
        439⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\vpcxmh.exe
        
        1008 C:\Windows\SysWOW64\vlqeyv.exe
        440⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\veacdp.exe
        
        C:\Windows\system32\veacdp.exe 1032 "C:\Windows\SysWOW64\vpcxmh.exe"
        441⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\veacdp.exe
        
        1032 C:\Windows\SysWOW64\vpcxmh.exe
        442⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\vpmust.exe
        
        C:\Windows\system32\vpmust.exe 1016 "C:\Windows\SysWOW64\veacdp.exe"
        443⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\vpmust.exe
        
        1016 C:\Windows\SysWOW64\veacdp.exe
        444⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\sftvta.exe
        
        C:\Windows\system32\sftvta.exe 1008 "C:\Windows\SysWOW64\vpmust.exe"
        445⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\sftvta.exe
        
        1008 C:\Windows\SysWOW64\vpmust.exe
        446⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\snuaei.exe
        
        C:\Windows\system32\snuaei.exe 1028 "C:\Windows\SysWOW64\sftvta.exe"
        447⤵
        
        PID:672
        
        C:\Windows\SysWOW64\snuaei.exe
        
        1028 C:\Windows\SysWOW64\sftvta.exe
        448⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\sckfvq.exe
        
        C:\Windows\system32\sckfvq.exe 1008 "C:\Windows\SysWOW64\snuaei.exe"
        449⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\sckfvq.exe
        
        1008 C:\Windows\SysWOW64\snuaei.exe
        450⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\sctthq.exe
        
        C:\Windows\system32\sctthq.exe 1140 "C:\Windows\SysWOW64\sckfvq.exe"
        451⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\sctthq.exe
        
        1140 C:\Windows\SysWOW64\sckfvq.exe
        452⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\nxybhj.exe
        
        C:\Windows\system32\nxybhj.exe 1020 "C:\Windows\SysWOW64\sctthq.exe"
        453⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\nxybhj.exe
        
        1020 C:\Windows\SysWOW64\sctthq.exe
        454⤵
        
        PID:748
        
        C:\Windows\SysWOW64\niktvv.exe
        
        C:\Windows\system32\niktvv.exe 1140 "C:\Windows\SysWOW64\nxybhj.exe"
        455⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\niktvv.exe
        
        1140 C:\Windows\SysWOW64\nxybhj.exe
        456⤵
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\kyjtwu.exe
        
        C:\Windows\system32\kyjtwu.exe 1028 "C:\Windows\SysWOW64\niktvv.exe"
        457⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\kyjtwu.exe
        
        1028 C:\Windows\SysWOW64\niktvv.exe
        458⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\hgbbkt.exe
        
        C:\Windows\system32\hgbbkt.exe 1028 "C:\Windows\SysWOW64\kyjtwu.exe"
        459⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\hgbbkt.exe
        
        1028 C:\Windows\SysWOW64\kyjtwu.exe
        460⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\iochva.exe
        
        C:\Windows\system32\iochva.exe 1008 "C:\Windows\SysWOW64\hgbbkt.exe"
        461⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\iochva.exe
        
        1008 C:\Windows\SysWOW64\hgbbkt.exe
        462⤵
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\fejhwz.exe
        
        C:\Windows\system32\fejhwz.exe 1084 "C:\Windows\SysWOW64\iochva.exe"
        463⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\fejhwz.exe
        
        1084 C:\Windows\SysWOW64\iochva.exe
        464⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\xmkuih.exe
        
        C:\Windows\system32\xmkuih.exe 1028 "C:\Windows\SysWOW64\fejhwz.exe"
        465⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\xmkuih.exe
        
        1028 C:\Windows\SysWOW64\fejhwz.exe
        466⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\uyghyk.exe
        
        C:\Windows\system32\uyghyk.exe 1028 "C:\Windows\SysWOW64\xmkuih.exe"
        467⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\uyghyk.exe
        
        1028 C:\Windows\SysWOW64\xmkuih.exe
        468⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\ujsano.exe
        
        C:\Windows\system32\ujsano.exe 1008 "C:\Windows\SysWOW64\uyghyk.exe"
        469⤵
        
        PID:772
        
        C:\Windows\SysWOW64\ujsano.exe
        
        1008 C:\Windows\SysWOW64\uyghyk.exe
        470⤵
        Drops file in System32 directory
        
        PID:5024
        
        C:\Windows\SysWOW64\szzaov.exe
        
        C:\Windows\system32\szzaov.exe 1008 "C:\Windows\SysWOW64\ujsano.exe"
        471⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\szzaov.exe
        
        1008 C:\Windows\SysWOW64\ujsano.exe
        472⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\slmscz.exe
        
        C:\Windows\system32\slmscz.exe 1008 "C:\Windows\SysWOW64\szzaov.exe"
        473⤵
        
        PID:980
        
        C:\Windows\SysWOW64\slmscz.exe
        
        1008 C:\Windows\SysWOW64\szzaov.exe
        474⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\ursdsq.exe
        
        C:\Windows\system32\ursdsq.exe 1020 "C:\Windows\SysWOW64\slmscz.exe"
        475⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\ursdsq.exe
        
        1020 C:\Windows\SysWOW64\slmscz.exe
        476⤵
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\ucevgc.exe
        
        C:\Windows\system32\ucevgc.exe 1012 "C:\Windows\SysWOW64\ursdsq.exe"
        477⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\ucevgc.exe
        
        1012 C:\Windows\SysWOW64\ursdsq.exe
        478⤵
        Drops file in System32 directory
        
        PID:3612
        
        C:\Windows\SysWOW64\ujcbxl.exe
        
        C:\Windows\system32\ujcbxl.exe 1020 "C:\Windows\SysWOW64\ucevgc.exe"
        479⤵
        
        PID:60
        
        C:\Windows\SysWOW64\ujcbxl.exe
        
        1020 C:\Windows\SysWOW64\ucevgc.exe
        480⤵
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\urdgjk.exe
        
        C:\Windows\system32\urdgjk.exe 1028 "C:\Windows\SysWOW64\ujcbxl.exe"
        481⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\urdgjk.exe
        
        1028 C:\Windows\SysWOW64\ujcbxl.exe
        482⤵
        
        PID:972
        
        C:\Windows\SysWOW64\rsvtnw.exe
        
        C:\Windows\system32\rsvtnw.exe 1028 "C:\Windows\SysWOW64\urdgjk.exe"
        483⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\rsvtnw.exe
        
        1028 C:\Windows\SysWOW64\urdgjk.exe
        484⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\rwamba.exe
        
        C:\Windows\system32\rwamba.exe 1140 "C:\Windows\SysWOW64\rsvtnw.exe"
        485⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\rwamba.exe
        
        1140 C:\Windows\SysWOW64\rsvtnw.exe
        486⤵
        
        PID:664
        
        C:\Windows\SysWOW64\sejznh.exe
        
        C:\Windows\system32\sejznh.exe 1012 "C:\Windows\SysWOW64\rwamba.exe"
        487⤵
        
        PID:228
        
        C:\Windows\SysWOW64\sejznh.exe
        
        1012 C:\Windows\SysWOW64\rwamba.exe
        488⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\rlyweq.exe
        
        C:\Windows\system32\rlyweq.exe 1008 "C:\Windows\SysWOW64\sejznh.exe"
        489⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\rlyweq.exe
        
        1008 C:\Windows\SysWOW64\sejznh.exe
        490⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\pfurcs.exe
        
        C:\Windows\system32\pfurcs.exe 1020 "C:\Windows\SysWOW64\rlyweq.exe"
        491⤵
        
        PID:808
        
        C:\Windows\SysWOW64\pfurcs.exe
        
        1020 C:\Windows\SysWOW64\rlyweq.exe
        492⤵
        Drops file in System32 directory
        
        PID:3456
        
        C:\Windows\SysWOW64\sixppg.exe
        
        C:\Windows\system32\sixppg.exe 1008 "C:\Windows\SysWOW64\pfurcs.exe"
        493⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\sixppg.exe
        
        1008 C:\Windows\SysWOW64\pfurcs.exe
        494⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\prqpce.exe
        
        C:\Windows\system32\prqpce.exe 1020 "C:\Windows\SysWOW64\sixppg.exe"
        495⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\prqpce.exe
        
        1020 C:\Windows\SysWOW64\sixppg.exe
        496⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\mdlksh.exe
        
        C:\Windows\system32\mdlksh.exe 1008 "C:\Windows\SysWOW64\prqpce.exe"
        497⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\mdlksh.exe
        
        1008 C:\Windows\SysWOW64\prqpce.exe
        498⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\hjtfve.exe
        
        C:\Windows\system32\hjtfve.exe 1008 "C:\Windows\SysWOW64\mdlksh.exe"
        499⤵
        
        PID:756
        
        C:\Windows\SysWOW64\hjtfve.exe
        
        1008 C:\Windows\SysWOW64\mdlksh.exe
        500⤵
        Drops file in System32 directory
        
        PID:4296
        
        C:\Windows\SysWOW64\hjdlhe.exe
        
        C:\Windows\system32\hjdlhe.exe 1012 "C:\Windows\SysWOW64\hjtfve.exe"
        501⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\hjdlhe.exe
        
        1012 C:\Windows\SysWOW64\hjtfve.exe
        502⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\egblil.exe
        
        C:\Windows\system32\egblil.exe 1020 "C:\Windows\SysWOW64\hjdlhe.exe"
        503⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\egblil.exe
        
        1020 C:\Windows\SysWOW64\hjdlhe.exe
        504⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\eglytk.exe
        
        C:\Windows\system32\eglytk.exe 1012 "C:\Windows\SysWOW64\egblil.exe"
        505⤵
        System Location Discovery: System Language Discovery
        
        PID:1664
        
        C:\Windows\SysWOW64\eglytk.exe
        
        1012 C:\Windows\SysWOW64\egblil.exe
        506⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\fkxriw.exe
        
        C:\Windows\system32\fkxriw.exe 1028 "C:\Windows\SysWOW64\eglytk.exe"
        507⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\fkxriw.exe
        
        1028 C:\Windows\SysWOW64\eglytk.exe
        508⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\fvbjwa.exe
        
        C:\Windows\system32\fvbjwa.exe 1032 "C:\Windows\SysWOW64\fkxriw.exe"
        509⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\fvbjwa.exe
        
        1032 C:\Windows\SysWOW64\fkxriw.exe
        510⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\hfbzow.exe
        
        C:\Windows\system32\hfbzow.exe 1008 "C:\Windows\SysWOW64\fvbjwa.exe"
        511⤵
        
        PID:516
        
        C:\Windows\SysWOW64\hfbzow.exe
        
        1008 C:\Windows\SysWOW64\fvbjwa.exe
        512⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\wzxuez.exe
        
        C:\Windows\system32\wzxuez.exe 1028 "C:\Windows\SysWOW64\hfbzow.exe"
        513⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\wzxuez.exe
        
        1028 C:\Windows\SysWOW64\hfbzow.exe
        514⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\zuajrm.exe
        
        C:\Windows\system32\zuajrm.exe 1028 "C:\Windows\SysWOW64\wzxuez.exe"
        515⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\zuajrm.exe
        
        1028 C:\Windows\SysWOW64\wzxuez.exe
        516⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\wsyrst.exe
        
        C:\Windows\system32\wsyrst.exe 1008 "C:\Windows\SysWOW64\zuajrm.exe"
        517⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\wsyrst.exe
        
        1008 C:\Windows\SysWOW64\zuajrm.exe
        518⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\zryccc.exe
        
        C:\Windows\system32\zryccc.exe 1116 "C:\Windows\SysWOW64\wsyrst.exe"
        519⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\zryccc.exe
        
        1116 C:\Windows\SysWOW64\wsyrst.exe
        520⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\zyoitl.exe
        
        C:\Windows\system32\zyoitl.exe 1008 "C:\Windows\SysWOW64\zryccc.exe"
        521⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\zyoitl.exe
        
        1008 C:\Windows\SysWOW64\zryccc.exe
        522⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\wskvjn.exe
        
        C:\Windows\system32\wskvjn.exe 1008 "C:\Windows\SysWOW64\zyoitl.exe"
        523⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\wskvjn.exe
        
        1008 C:\Windows\SysWOW64\zyoitl.exe
        524⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\wwwngr.exe
        
        C:\Windows\system32\wwwngr.exe 1028 "C:\Windows\SysWOW64\wskvjn.exe"
        525⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\wwwngr.exe
        
        1028 C:\Windows\SysWOW64\wskvjn.exe
        526⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\xhifud.exe
        
        C:\Windows\system32\xhifud.exe 1028 "C:\Windows\SysWOW64\wwwngr.exe"
        527⤵
        
        PID:456
        
        C:\Windows\SysWOW64\xhifud.exe
        
        1028 C:\Windows\SysWOW64\wwwngr.exe
        528⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\xtvyjh.exe
        
        C:\Windows\system32\xtvyjh.exe 1008 "C:\Windows\SysWOW64\xhifud.exe"
        529⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\xtvyjh.exe
        
        1008 C:\Windows\SysWOW64\xhifud.exe
        530⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\tmnlet.exe
        
        C:\Windows\system32\tmnlet.exe 1028 "C:\Windows\SysWOW64\xtvyjh.exe"
        531⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\tmnlet.exe
        
        1028 C:\Windows\SysWOW64\xtvyjh.exe
        532⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\txrdtx.exe
        
        C:\Windows\system32\txrdtx.exe 1048 "C:\Windows\SysWOW64\tmnlet.exe"
        533⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\txrdtx.exe
        
        1048 C:\Windows\SysWOW64\tmnlet.exe
        534⤵
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\uxajme.exe
        
        C:\Windows\system32\uxajme.exe 1140 "C:\Windows\SysWOW64\txrdtx.exe"
        535⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\uxajme.exe
        
        1140 C:\Windows\SysWOW64\txrdtx.exe
        536⤵
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\ujnjbi.exe
        
        C:\Windows\system32\ujnjbi.exe 1012 "C:\Windows\SysWOW64\uxajme.exe"
        537⤵
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\ujnjbi.exe
        
        1012 C:\Windows\SysWOW64\uxajme.exe
        538⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\uychsr.exe
        
        C:\Windows\system32\uychsr.exe 1028 "C:\Windows\SysWOW64\ujnjbi.exe"
        539⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\uychsr.exe
        
        1028 C:\Windows\SysWOW64\ujnjbi.exe
        540⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\ubphgd.exe
        
        C:\Windows\system32\ubphgd.exe 1032 "C:\Windows\SysWOW64\uychsr.exe"
        541⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\ubphgd.exe
        
        1032 C:\Windows\SysWOW64\uychsr.exe
        542⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\rwkuff.exe
        
        C:\Windows\system32\rwkuff.exe 1008 "C:\Windows\SysWOW64\ubphgd.exe"
        543⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\rwkuff.exe
        
        1008 C:\Windows\SysWOW64\ubphgd.exe
        544⤵
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\olruye.exe
        
        C:\Windows\system32\olruye.exe 1028 "C:\Windows\SysWOW64\rwkuff.exe"
        545⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\olruye.exe
        
        1028 C:\Windows\SysWOW64\rwkuff.exe
        546⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\otsajm.exe
        
        C:\Windows\system32\otsajm.exe 1028 "C:\Windows\SysWOW64\olruye.exe"
        547⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\otsajm.exe
        
        1028 C:\Windows\SysWOW64\olruye.exe
        548⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\mjzakl.exe
        
        C:\Windows\system32\mjzakl.exe 1028 "C:\Windows\SysWOW64\otsajm.exe"
        549⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\mjzakl.exe
        
        1028 C:\Windows\SysWOW64\otsajm.exe
        550⤵
        
        PID:60
        
        C:\Windows\SysWOW64\mranwt.exe
        
        C:\Windows\system32\mranwt.exe 1028 "C:\Windows\SysWOW64\mjzakl.exe"
        551⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\mranwt.exe
        
        1028 C:\Windows\SysWOW64\mjzakl.exe
        552⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\jghnpa.exe
        
        C:\Windows\system32\jghnpa.exe 1032 "C:\Windows\SysWOW64\mranwt.exe"
        553⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\jghnpa.exe
        
        1032 C:\Windows\SysWOW64\mranwt.exe
        554⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\joitaz.exe
        
        C:\Windows\system32\joitaz.exe 1140 "C:\Windows\SysWOW64\jghnpa.exe"
        555⤵
        
        PID:412
        
        C:\Windows\SysWOW64\joitaz.exe
        
        1140 C:\Windows\SysWOW64\jghnpa.exe
        556⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\hxtbwy.exe
        
        C:\Windows\system32\hxtbwy.exe 1032 "C:\Windows\SysWOW64\joitaz.exe"
        557⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\hxtbwy.exe
        
        1032 C:\Windows\SysWOW64\joitaz.exe
        558⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\wuabpx.exe
        
        C:\Windows\system32\wuabpx.exe 1008 "C:\Windows\SysWOW64\hxtbwy.exe"
        559⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\wuabpx.exe
        
        1008 C:\Windows\SysWOW64\hxtbwy.exe
        560⤵
        
        PID:768
        
        C:\Windows\SysWOW64\wymtdj.exe
        
        C:\Windows\system32\wymtdj.exe 1008 "C:\Windows\SysWOW64\wuabpx.exe"
        561⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\wymtdj.exe
        
        1008 C:\Windows\SysWOW64\wuabpx.exe
        562⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\wjymsn.exe
        
        C:\Windows\system32\wjymsn.exe 1008 "C:\Windows\SysWOW64\wymtdj.exe"
        563⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\wjymsn.exe
        
        1008 C:\Windows\SysWOW64\wymtdj.exe
        564⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\wnleoz.exe
        
        C:\Windows\system32\wnleoz.exe 1008 "C:\Windows\SysWOW64\wjymsn.exe"
        565⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\wnleoz.exe
        
        1008 C:\Windows\SysWOW64\wjymsn.exe
        566⤵
        
        PID:668
        
        C:\Windows\SysWOW64\wfmwil.exe
        
        C:\Windows\system32\wfmwil.exe 1140 "C:\Windows\SysWOW64\wnleoz.exe"
        567⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\wfmwil.exe
        
        1140 C:\Windows\SysWOW64\wnleoz.exe
        568⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\wcjprp.exe
        
        C:\Windows\system32\wcjprp.exe 1016 "C:\Windows\SysWOW64\wfmwil.exe"
        569⤵
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\wcjprp.exe
        
        1016 C:\Windows\SysWOW64\wfmwil.exe
        570⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\tducns.exe
        
        C:\Windows\system32\tducns.exe 1032 "C:\Windows\SysWOW64\wcjprp.exe"
        571⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\tducns.exe
        
        1032 C:\Windows\SysWOW64\wcjprp.exe
        572⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\wctnwb.exe
        
        C:\Windows\system32\wctnwb.exe 1008 "C:\Windows\SysWOW64\tducns.exe"
        573⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\wctnwb.exe
        
        1008 C:\Windows\SysWOW64\tducns.exe
        574⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\wrjsor.exe
        
        C:\Windows\system32\wrjsor.exe 1016 "C:\Windows\SysWOW64\wctnwb.exe"
        575⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\wrjsor.exe
        
        1016 C:\Windows\SysWOW64\wctnwb.exe
        576⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\wvvkkv.exe
        
        C:\Windows\system32\wvvkkv.exe 1020 "C:\Windows\SysWOW64\wrjsor.exe"
        577⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\wvvkkv.exe
        
        1020 C:\Windows\SysWOW64\wrjsor.exe
        578⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\ttckdc.exe
        
        C:\Windows\system32\ttckdc.exe 1008 "C:\Windows\SysWOW64\wvvkkv.exe"
        579⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\ttckdc.exe
        
        1008 C:\Windows\SysWOW64\wvvkkv.exe
        580⤵
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\twpdsg.exe
        
        C:\Windows\system32\twpdsg.exe 1028 "C:\Windows\SysWOW64\ttckdc.exe"
        581⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\twpdsg.exe
        
        1028 C:\Windows\SysWOW64\ttckdc.exe
        582⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\tibdgs.exe
        
        C:\Windows\system32\tibdgs.exe 1008 "C:\Windows\SysWOW64\twpdsg.exe"
        583⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\tibdgs.exe
        
        1008 C:\Windows\SysWOW64\twpdsg.exe
        584⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\uicjas.exe
        
        C:\Windows\system32\uicjas.exe 1008 "C:\Windows\SysWOW64\tibdgs.exe"
        585⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\uicjas.exe
        
        1008 C:\Windows\SysWOW64\tibdgs.exe
        586⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\rfjjtz.exe
        
        C:\Windows\system32\rfjjtz.exe 1020 "C:\Windows\SysWOW64\uicjas.exe"
        587⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\rfjjtz.exe
        
        1020 C:\Windows\SysWOW64\uicjas.exe
        588⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\rfkoez.exe
        
        C:\Windows\system32\rfkoez.exe 1020 "C:\Windows\SysWOW64\rfjjtz.exe"
        589⤵
        
        PID:972
        
        C:\Windows\SysWOW64\rfkoez.exe
        
        1020 C:\Windows\SysWOW64\rfjjtz.exe
        590⤵
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\ozgjcb.exe
        
        C:\Windows\system32\ozgjcb.exe 1140 "C:\Windows\SysWOW64\rfkoez.exe"
        591⤵
        
        PID:180
        
        C:\Windows\SysWOW64\ozgjcb.exe
        
        1140 C:\Windows\SysWOW64\rfkoez.exe
        592⤵
        
        PID:804
        
        C:\Windows\SysWOW64\oodpuk.exe
        
        C:\Windows\system32\oodpuk.exe 1008 "C:\Windows\SysWOW64\ozgjcb.exe"
        593⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\oodpuk.exe
        
        1008 C:\Windows\SysWOW64\ozgjcb.exe
        594⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\lecpnr.exe
        
        C:\Windows\system32\lecpnr.exe 1008 "C:\Windows\SysWOW64\oodpuk.exe"
        595⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\lecpnr.exe
        
        1008 C:\Windows\SysWOW64\oodpuk.exe
        596⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\lmmuyy.exe
        
        C:\Windows\system32\lmmuyy.exe 1140 "C:\Windows\SysWOW64\lecpnr.exe"
        597⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\lmmuyy.exe
        
        1140 C:\Windows\SysWOW64\lecpnr.exe
        598⤵
        
        PID:456
        
        C:\Windows\SysWOW64\mpynnc.exe
        
        C:\Windows\system32\mpynnc.exe 1144 "C:\Windows\SysWOW64\lmmuyy.exe"
        599⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\mpynnc.exe
        
        1144 C:\Windows\SysWOW64\lmmuyy.exe
        600⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\jnxnoj.exe
        
        C:\Windows\system32\jnxnoj.exe 1140 "C:\Windows\SysWOW64\mpynnc.exe"
        601⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\jnxnoj.exe
        
        1140 C:\Windows\SysWOW64\mpynnc.exe
        602⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\gzsiee.exe
        
        C:\Windows\system32\gzsiee.exe 1032 "C:\Windows\SysWOW64\jnxnoj.exe"
        603⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\gzsiee.exe
        
        1032 C:\Windows\SysWOW64\jnxnoj.exe
        604⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\ykfasq.exe
        
        C:\Windows\system32\ykfasq.exe 1012 "C:\Windows\SysWOW64\gzsiee.exe"
        605⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\ykfasq.exe
        
        1012 C:\Windows\SysWOW64\gzsiee.exe
        606⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\wtxaoo.exe
        
        C:\Windows\system32\wtxaoo.exe 1028 "C:\Windows\SysWOW64\ykfasq.exe"
        607⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\wtxaoo.exe
        
        1028 C:\Windows\SysWOW64\ykfasq.exe
        608⤵
        
        PID:936
        
        C:\Windows\SysWOW64\oizjpk.exe
        
        C:\Windows\system32\oizjpk.exe 1012 "C:\Windows\SysWOW64\wtxaoo.exe"
        609⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\oizjpk.exe
        
        1012 C:\Windows\SysWOW64\wtxaoo.exe
        610⤵
        Drops file in System32 directory
        
        PID:3044
        
        C:\Windows\SysWOW64\oxxohs.exe
        
        C:\Windows\system32\oxxohs.exe 1008 "C:\Windows\SysWOW64\oizjpk.exe"
        611⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\oxxohs.exe
        
        1008 C:\Windows\SysWOW64\oizjpk.exe
        612⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\lfhwcq.exe
        
        C:\Windows\system32\lfhwcq.exe 1012 "C:\Windows\SysWOW64\oxxohs.exe"
        613⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\lfhwcq.exe
        
        1012 C:\Windows\SysWOW64\oxxohs.exe
        614⤵
        
        PID:928
        
        C:\Windows\SysWOW64\lrtpqu.exe
        
        C:\Windows\system32\lrtpqu.exe 1008 "C:\Windows\SysWOW64\lfhwcq.exe"
        615⤵
        
        PID:708
        
        C:\Windows\SysWOW64\lrtpqu.exe
        
        1008 C:\Windows\SysWOW64\lfhwcq.exe
        616⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\igapjb.exe
        
        C:\Windows\system32\igapjb.exe 1020 "C:\Windows\SysWOW64\lrtpqu.exe"
        617⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\igapjb.exe
        
        1020 C:\Windows\SysWOW64\lrtpqu.exe
        618⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\lgsztk.exe
        
        C:\Windows\system32\lgsztk.exe 1008 "C:\Windows\SysWOW64\igapjb.exe"
        619⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\lgsztk.exe
        
        1008 C:\Windows\SysWOW64\igapjb.exe
        620⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\ivzaur.exe
        
        C:\Windows\system32\ivzaur.exe 1008 "C:\Windows\SysWOW64\lgsztk.exe"
        621⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\ivzaur.exe
        
        1008 C:\Windows\SysWOW64\lgsztk.exe
        622⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\jdangr.exe
        
        C:\Windows\system32\jdangr.exe 1012 "C:\Windows\SysWOW64\ivzaur.exe"
        623⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\jdangr.exe
        
        1012 C:\Windows\SysWOW64\ivzaur.exe
        624⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\gthnzy.exe
        
        C:\Windows\system32\gthnzy.exe 1028 "C:\Windows\SysWOW64\jdangr.exe"
        625⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\gthnzy.exe
        
        1028 C:\Windows\SysWOW64\jdangr.exe
        626⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\gflgnc.exe
        
        C:\Windows\system32\gflgnc.exe 1008 "C:\Windows\SysWOW64\gthnzy.exe"
        627⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\gflgnc.exe
        
        1008 C:\Windows\SysWOW64\gthnzy.exe
        628⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\gfvlzk.exe
        
        C:\Windows\system32\gfvlzk.exe 1008 "C:\Windows\SysWOW64\gflgnc.exe"
        629⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\gfvlzk.exe
        
        1008 C:\Windows\SysWOW64\gflgnc.exe
        630⤵
        
        PID:808
        
        C:\Windows\SysWOW64\dgfydn.exe
        
        C:\Windows\system32\dgfydn.exe 1128 "C:\Windows\SysWOW64\gfvlzk.exe"
        631⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\dgfydn.exe
        
        1128 C:\Windows\SysWOW64\gfvlzk.exe
        632⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\dggdov.exe
        
        C:\Windows\system32\dggdov.exe 1008 "C:\Windows\SysWOW64\dgfydn.exe"
        633⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\dggdov.exe
        
        1008 C:\Windows\SysWOW64\dgfydn.exe
        634⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\adnehc.exe
        
        C:\Windows\system32\adnehc.exe 1008 "C:\Windows\SysWOW64\dggdov.exe"
        635⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\adnehc.exe
        
        1008 C:\Windows\SysWOW64\dggdov.exe
        636⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\ddfwrl.exe
        
        C:\Windows\system32\ddfwrl.exe 1012 "C:\Windows\SysWOW64\adnehc.exe"
        637⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\ddfwrl.exe
        
        1012 C:\Windows\SysWOW64\adnehc.exe
        638⤵
        
        PID:208
        
        C:\Windows\SysWOW64\aslwsk.exe
        
        C:\Windows\system32\aslwsk.exe 1008 "C:\Windows\SysWOW64\ddfwrl.exe"
        639⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\aslwsk.exe
        
        1008 C:\Windows\SysWOW64\ddfwrl.exe
        640⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\ybwwgi.exe
        
        C:\Windows\system32\ybwwgi.exe 1020 "C:\Windows\SysWOW64\aslwsk.exe"
        641⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\ybwwgi.exe
        
        1020 C:\Windows\SysWOW64\aslwsk.exe
        642⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\yqucxy.exe
        
        C:\Windows\system32\yqucxy.exe 1008 "C:\Windows\SysWOW64\ybwwgi.exe"
        643⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\yqucxy.exe
        
        1008 C:\Windows\SysWOW64\ybwwgi.exe
        644⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\yfrhwh.exe
        
        C:\Windows\system32\yfrhwh.exe 1028 "C:\Windows\SysWOW64\yqucxy.exe"
        645⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\yfrhwh.exe
        
        1028 C:\Windows\SysWOW64\yqucxy.exe
        646⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\yfsnig.exe
        
        C:\Windows\system32\yfsnig.exe 1008 "C:\Windows\SysWOW64\yfrhwh.exe"
        647⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\yfsnig.exe
        
        1008 C:\Windows\SysWOW64\yfrhwh.exe
        648⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\nzoiyj.exe
        
        C:\Windows\system32\nzoiyj.exe 1020 "C:\Windows\SysWOW64\yfsnig.exe"
        649⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\nzoiyj.exe
        
        1020 C:\Windows\SysWOW64\yfsnig.exe
        650⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\ozpnjr.exe
        
        C:\Windows\system32\ozpnjr.exe 1012 "C:\Windows\SysWOW64\nzoiyj.exe"
        651⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\ozpnjr.exe
        
        1012 C:\Windows\SysWOW64\nzoiyj.exe
        652⤵
        
        PID:928
        
        C:\Windows\SysWOW64\ltlail.exe
        
        C:\Windows\system32\ltlail.exe 1028 "C:\Windows\SysWOW64\ozpnjr.exe"
        653⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\ltlail.exe
        
        1028 C:\Windows\SysWOW64\ozpnjr.exe
        654⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\lwxtwx.exe
        
        C:\Windows\system32\lwxtwx.exe 1008 "C:\Windows\SysWOW64\ltlail.exe"
        655⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\lwxtwx.exe
        
        1008 C:\Windows\SysWOW64\ltlail.exe
        656⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\iuebpw.exe
        
        C:\Windows\system32\iuebpw.exe 1012 "C:\Windows\SysWOW64\lwxtwx.exe"
        657⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\iuebpw.exe
        
        1012 C:\Windows\SysWOW64\lwxtwx.exe
        658⤵
        Drops file in System32 directory
        
        PID:3116
        
        C:\Windows\SysWOW64\iyqtdi.exe
        
        C:\Windows\system32\iyqtdi.exe 1020 "C:\Windows\SysWOW64\iuebpw.exe"
        659⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\iyqtdi.exe
        
        1020 C:\Windows\SysWOW64\iuebpw.exe
        660⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\ijdmam.exe
        
        C:\Windows\system32\ijdmam.exe 1008 "C:\Windows\SysWOW64\iyqtdi.exe"
        661⤵
        
        PID:412
        
        C:\Windows\SysWOW64\ijdmam.exe
        
        1008 C:\Windows\SysWOW64\iyqtdi.exe
        662⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\ivpeoy.exe
        
        C:\Windows\system32\ivpeoy.exe 1008 "C:\Windows\SysWOW64\ijdmam.exe"
        663⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\ivpeoy.exe
        
        1008 C:\Windows\SysWOW64\ijdmam.exe
        664⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\icfjfg.exe
        
        C:\Windows\system32\icfjfg.exe 1028 "C:\Windows\SysWOW64\ivpeoy.exe"
        665⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\icfjfg.exe
        
        1028 C:\Windows\SysWOW64\ivpeoy.exe
        666⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\fzmjyn.exe
        
        C:\Windows\system32\fzmjyn.exe 1016 "C:\Windows\SysWOW64\icfjfg.exe"
        667⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\fzmjyn.exe
        
        1016 C:\Windows\SysWOW64\icfjfg.exe
        668⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\gznpkn.exe
        
        C:\Windows\system32\gznpkn.exe 1008 "C:\Windows\SysWOW64\fzmjyn.exe"
        669⤵
        
        PID:692
        
        C:\Windows\SysWOW64\gznpkn.exe
        
        1008 C:\Windows\SysWOW64\fzmjyn.exe
        670⤵
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\dtikiq.exe
        
        C:\Windows\system32\dtikiq.exe 1012 "C:\Windows\SysWOW64\gznpkn.exe"
        671⤵
        System Location Discovery: System Language Discovery
        
        PID:888
        
        C:\Windows\SysWOW64\dtikiq.exe
        
        1012 C:\Windows\SysWOW64\gznpkn.exe
        672⤵
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\dxvcxu.exe
        
        C:\Windows\system32\dxvcxu.exe 1012 "C:\Windows\SysWOW64\dtikiq.exe"
        673⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\dxvcxu.exe
        
        1012 C:\Windows\SysWOW64\dtikiq.exe
        674⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\dmsaok.exe
        
        C:\Windows\system32\dmsaok.exe 1008 "C:\Windows\SysWOW64\dxvcxu.exe"
        675⤵
        
        PID:208
        
        C:\Windows\SysWOW64\dmsaok.exe
        
        1008 C:\Windows\SysWOW64\dxvcxu.exe
        676⤵
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\dmtnzk.exe
        
        C:\Windows\system32\dmtnzk.exe 1012 "C:\Windows\SysWOW64\dmsaok.exe"
        677⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\dmtnzk.exe
        
        1012 C:\Windows\SysWOW64\dmsaok.exe
        678⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\dbrtza.exe
        
        C:\Windows\system32\dbrtza.exe 1008 "C:\Windows\SysWOW64\dmtnzk.exe"
        679⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\dbrtza.exe
        
        1008 C:\Windows\SysWOW64\dmtnzk.exe
        680⤵
        
        PID:772
        
        C:\Windows\SysWOW64\fhxvos.exe
        
        C:\Windows\system32\fhxvos.exe 1012 "C:\Windows\SysWOW64\dbrtza.exe"
        681⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\fhxvos.exe
        
        1012 C:\Windows\SysWOW64\dbrtza.exe
        682⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\ikattf.exe
        
        C:\Windows\system32\ikattf.exe 1020 "C:\Windows\SysWOW64\fhxvos.exe"
        683⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\ikattf.exe
        
        1020 C:\Windows\SysWOW64\fhxvos.exe
        684⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\izyyso.exe
        
        C:\Windows\system32\izyyso.exe 1012 "C:\Windows\SysWOW64\ikattf.exe"
        685⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\izyyso.exe
        
        1012 C:\Windows\SysWOW64\ikattf.exe
        686⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\fxfylu.exe
        
        C:\Windows\system32\fxfylu.exe 1016 "C:\Windows\SysWOW64\izyyso.exe"
        687⤵
        
        PID:708
        
        C:\Windows\SysWOW64\fxfylu.exe
        
        1016 C:\Windows\SysWOW64\izyyso.exe
        688⤵
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\isawyi.exe
        
        C:\Windows\system32\isawyi.exe 1016 "C:\Windows\SysWOW64\fxfylu.exe"
        689⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\isawyi.exe
        
        1016 C:\Windows\SysWOW64\fxfylu.exe
        690⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\fphwrp.exe
        
        C:\Windows\system32\fphwrp.exe 1028 "C:\Windows\SysWOW64\isawyi.exe"
        691⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\fphwrp.exe
        
        1028 C:\Windows\SysWOW64\isawyi.exe
        692⤵
        Drops file in System32 directory
        
        PID:4936
        
        C:\Windows\SysWOW64\fpicko.exe
        
        C:\Windows\system32\fpicko.exe 1028 "C:\Windows\SysWOW64\fphwrp.exe"
        693⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\fpicko.exe
        
        1028 C:\Windows\SysWOW64\fphwrp.exe
        694⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\Windows\SysWOW64\xbucza.exe
        
        C:\Windows\system32\xbucza.exe 1144 "C:\Windows\SysWOW64\fpicko.exe"
        695⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\xbucza.exe
        
        1144 C:\Windows\SysWOW64\fpicko.exe
        696⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\vnqppv.exe
        
        C:\Windows\system32\vnqppv.exe 1008 "C:\Windows\SysWOW64\xbucza.exe"
        697⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\vnqppv.exe
        
        1008 C:\Windows\SysWOW64\xbucza.exe
        698⤵
        
        PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4616,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=1008 /prefetch:8
1⤵
PID:4680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\lconcf.exe

Filesize
222KB

MD5
f38d258532673cf62200ab2d7dd5268a

SHA1
39bf714b2e9ffb5a8cf534977588b71e35952ec6

SHA256
5edaadd37dd1dd9425dbbbdcd360194fe1f965ae971a5c8165a3effdc25c7e80

SHA512
b2c994c3e6575c0463d4278220f79e29867f37049076e28c97feab5af90eec86a472a0f12945df608d73336121c2ff7b9a0c6b30ba82906c67d7f3fdcedc28cf

Download Submit
memory/8-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/516-3-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/980-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1036-52-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1384-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1988-42-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2184-152-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2388-22-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/2436-0-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2436-2-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3016-112-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3204-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3260-142-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3356-14-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3360-144-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3776-34-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3980-12-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/3988-103-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4180-94-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4488-124-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/5092-132-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download