metasploit | d23d9c5dc49cdcf7a13416b35de4f691ff0d77c7b3dcdc661680972623721a07

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25/11/2024, 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
Size

188KB
MD5

9a0e6645f3ceb7d70a8627bce6838a25
SHA1

43d76e08a412b2cef915cd5f0630f8aba7576f33
SHA256

d23d9c5dc49cdcf7a13416b35de4f691ff0d77c7b3dcdc661680972623721a07
SHA512

4866105fa5de239570243aecc326cab4317b2c2340fa58a1126d77361a2f2a7f695f46adf2c99143ed27ff3d91be941df247d8bfbc927a04a196bba27d251beb
SSDEEP

3072:9RgaAb3zidY/5HhbPKRgMR2tr4QPxC2ig81zhR5jShWyIZhsS91IZps8TA4AvFOw:pAb4CbPwgMshRxhTWzr5xywhsS9eU8k3

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
904	mitbu.exe
2244	mitbu.exe
2788	xrvry.exe
2812	xrvry.exe
2604	zuwrn.exe
2248	zuwrn.exe
2364	yuezs.exe
1840	yuezs.exe
1544	fjqpx.exe
1676	fjqpx.exe
1720	otepe.exe
2916	otepe.exe
2100	xpdcn.exe
2700	xpdcn.exe
660	bnedp.exe
2220	bnedp.exe
956	hrmla.exe
2136	hrmla.exe
896	rbalg.exe
768	rbalg.exe
684	xuxop.exe
2492	xuxop.exe
1864	ejreu.exe
1640	ejreu.exe
2084	lvagx.exe
2228	lvagx.exe
764	ufohv.exe
2132	ufohv.exe
3000	dancf.exe
2620	dancf.exe
2676	nhqpi.exe
2772	nhqpi.exe
1120	zxrus.exe
2268	zxrus.exe
1964	aethw.exe
1028	aethw.exe
1684	mnyvt.exe
1832	mnyvt.exe
1404	yaofa.exe
2260	yaofa.exe
1608	kfdxa.exe
3012	kfdxa.exe
2168	txrgg.exe
1788	txrgg.exe
1276	aqoao.exe
1692	aqoao.exe
612	jxzws.exe
1768	jxzws.exe
2468	qmllx.exe
1428	qmllx.exe
1520	zhkzh.exe
2516	zhkzh.exe
1876	ivjmq.exe
2000	ivjmq.exe
2536	mblek.exe
2792	mblek.exe
2340	ycpkp.exe
2816	ycpkp.exe
2740	hbrkb.exe
2240	hbrkb.exe
1740	tlwpx.exe
908	tlwpx.exe
940	ipcnd.exe
1896	ipcnd.exe

Loads dropped DLL 64 IoCs

pid	Process
2684	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
2684	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
904	mitbu.exe
2244	mitbu.exe
2244	mitbu.exe
2812	xrvry.exe
2812	xrvry.exe
2248	zuwrn.exe
2248	zuwrn.exe
1840	yuezs.exe
1840	yuezs.exe
1676	fjqpx.exe
1676	fjqpx.exe
2916	otepe.exe
2916	otepe.exe
2700	xpdcn.exe
2700	xpdcn.exe
2220	bnedp.exe
2220	bnedp.exe
2136	hrmla.exe
2136	hrmla.exe
768	rbalg.exe
768	rbalg.exe
2492	xuxop.exe
2492	xuxop.exe
1640	ejreu.exe
1640	ejreu.exe
2228	lvagx.exe
2228	lvagx.exe
2132	ufohv.exe
2132	ufohv.exe
2620	dancf.exe
2620	dancf.exe
2772	nhqpi.exe
2772	nhqpi.exe
2268	zxrus.exe
2268	zxrus.exe
1028	aethw.exe
1028	aethw.exe
1832	mnyvt.exe
1832	mnyvt.exe
2260	yaofa.exe
2260	yaofa.exe
3012	kfdxa.exe
3012	kfdxa.exe
1788	txrgg.exe
1788	txrgg.exe
1692	aqoao.exe
1692	aqoao.exe
1768	jxzws.exe
1768	jxzws.exe
1428	qmllx.exe
1428	qmllx.exe
2516	zhkzh.exe
2516	zhkzh.exe
2000	ivjmq.exe
2000	ivjmq.exe
2792	mblek.exe
2792	mblek.exe
2816	ycpkp.exe
2816	ycpkp.exe
2240	hbrkb.exe
2240	hbrkb.exe
908	tlwpx.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hbrkb.exe	ycpkp.exe
File opened for modification	C:\Windows\SysWOW64\pfpbu.exe	jnsyl.exe
File created	C:\Windows\SysWOW64\gnscm.exe	rqjem.exe
File created	C:\Windows\SysWOW64\nhqpi.exe	dancf.exe
File opened for modification	C:\Windows\SysWOW64\qclpl.exe	bebrt.exe
File opened for modification	C:\Windows\SysWOW64\mdsno.exe	foyxj.exe
File created	C:\Windows\SysWOW64\uuiyf.exe	jpsoy.exe
File opened for modification	C:\Windows\SysWOW64\xpuzd.exe	ilnbg.exe
File opened for modification	C:\Windows\SysWOW64\hwzsi.exe	apfcd.exe
File created	C:\Windows\SysWOW64\fjqpx.exe	yuezs.exe
File opened for modification	C:\Windows\SysWOW64\aqoao.exe	txrgg.exe
File created	C:\Windows\SysWOW64\dwdld.exe	ruzfg.exe
File created	C:\Windows\SysWOW64\kctua.exe	ytood.exe
File opened for modification	C:\Windows\SysWOW64\wcnaq.exe	saiul.exe
File created	C:\Windows\SysWOW64\iycxp.exe	yoppi.exe
File created	C:\Windows\SysWOW64\duntl.exe	uflyh.exe
File created	C:\Windows\SysWOW64\zxrus.exe	nhqpi.exe
File created	C:\Windows\SysWOW64\yaofa.exe	mnyvt.exe
File opened for modification	C:\Windows\SysWOW64\vpdyx.exe	owxdp.exe
File opened for modification	C:\Windows\SysWOW64\iycxp.exe	yoppi.exe
File opened for modification	C:\Windows\SysWOW64\cyquq.exe	toums.exe
File opened for modification	C:\Windows\SysWOW64\cvwjg.exe	qxuje.exe
File opened for modification	C:\Windows\SysWOW64\maanl.exe	duysi.exe
File opened for modification	C:\Windows\SysWOW64\mddhg.exe	lqeux.exe
File created	C:\Windows\SysWOW64\duysi.exe	rktml.exe
File opened for modification	C:\Windows\SysWOW64\fgnab.exe	vwaav.exe
File created	C:\Windows\SysWOW64\kvzxg.exe	dcccx.exe
File created	C:\Windows\SysWOW64\xpdcn.exe	otepe.exe
File opened for modification	C:\Windows\SysWOW64\hjgsi.exe	grlsb.exe
File created	C:\Windows\SysWOW64\xuxop.exe	rbalg.exe
File created	C:\Windows\SysWOW64\ejreu.exe	xuxop.exe
File opened for modification	C:\Windows\SysWOW64\ejreu.exe	xuxop.exe
File created	C:\Windows\SysWOW64\ankfj.exe	rdofc.exe
File opened for modification	C:\Windows\SysWOW64\kvzxg.exe	dcccx.exe
File created	C:\Windows\SysWOW64\gqbuq.exe	aperi.exe
File created	C:\Windows\SysWOW64\mitbu.exe	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bnedp.exe	xpdcn.exe
File created	C:\Windows\SysWOW64\tbktq.exe	knkgh.exe
File created	C:\Windows\SysWOW64\rtuao.exe	hjgsi.exe
File created	C:\Windows\SysWOW64\rqphs.exe	kqkek.exe
File opened for modification	C:\Windows\SysWOW64\aethw.exe	zxrus.exe
File created	C:\Windows\SysWOW64\ucsfc.exe	ipcnd.exe
File opened for modification	C:\Windows\SysWOW64\kqkek.exe	eucwz.exe
File created	C:\Windows\SysWOW64\ficcn.exe	ankfj.exe
File opened for modification	C:\Windows\SysWOW64\icjjl.exe	xpuzd.exe
File created	C:\Windows\SysWOW64\ctxbw.exe	tbktq.exe
File created	C:\Windows\SysWOW64\tiqbx.exe	mhvrc.exe
File created	C:\Windows\SysWOW64\vuoui.exe	jljpd.exe
File created	C:\Windows\SysWOW64\saiul.exe	gnscm.exe
File created	C:\Windows\SysWOW64\ewfts.exe	vpdyx.exe
File created	C:\Windows\SysWOW64\ipcnd.exe	tlwpx.exe
File created	C:\Windows\SysWOW64\cvwjg.exe	qxuje.exe
File created	C:\Windows\SysWOW64\yuezs.exe	zuwrn.exe
File created	C:\Windows\SysWOW64\dyzwi.exe	uzxww.exe
File created	C:\Windows\SysWOW64\pfcfw.exe	dsump.exe
File opened for modification	C:\Windows\SysWOW64\mblek.exe	ivjmq.exe
File created	C:\Windows\SysWOW64\zbzbz.exe	kepvz.exe
File created	C:\Windows\SysWOW64\ivjmq.exe	zhkzh.exe
File opened for modification	C:\Windows\SysWOW64\szavz.exe	mdsno.exe
File opened for modification	C:\Windows\SysWOW64\jnsyl.exe	whygk.exe
File created	C:\Windows\SysWOW64\pimbe.exe	dyzwi.exe
File opened for modification	C:\Windows\SysWOW64\xuxop.exe	rbalg.exe
File opened for modification	C:\Windows\SysWOW64\zxrus.exe	nhqpi.exe
File created	C:\Windows\SysWOW64\ahszb.exe	ognte.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1872 set thread context of 2684	1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	30
PID 904 set thread context of 2244	904	mitbu.exe	32
PID 2788 set thread context of 2812	2788	xrvry.exe	35
PID 2604 set thread context of 2248	2604	zuwrn.exe	37
PID 2364 set thread context of 1840	2364	yuezs.exe	39
PID 1544 set thread context of 1676	1544	fjqpx.exe	41
PID 1720 set thread context of 2916	1720	otepe.exe	43
PID 2100 set thread context of 2700	2100	xpdcn.exe	45
PID 660 set thread context of 2220	660	bnedp.exe	47
PID 956 set thread context of 2136	956	hrmla.exe	49
PID 896 set thread context of 768	896	rbalg.exe	51
PID 684 set thread context of 2492	684	xuxop.exe	53
PID 1864 set thread context of 1640	1864	ejreu.exe	55
PID 2084 set thread context of 2228	2084	lvagx.exe	57
PID 764 set thread context of 2132	764	ufohv.exe	59
PID 3000 set thread context of 2620	3000	dancf.exe	61
PID 2676 set thread context of 2772	2676	nhqpi.exe	63
PID 1120 set thread context of 2268	1120	zxrus.exe	65
PID 1964 set thread context of 1028	1964	aethw.exe	67
PID 1684 set thread context of 1832	1684	mnyvt.exe	69
PID 1404 set thread context of 2260	1404	yaofa.exe	71
PID 1608 set thread context of 3012	1608	kfdxa.exe	73
PID 2168 set thread context of 1788	2168	txrgg.exe	75
PID 1276 set thread context of 1692	1276	aqoao.exe	77
PID 612 set thread context of 1768	612	jxzws.exe	79
PID 2468 set thread context of 1428	2468	qmllx.exe	81
PID 1520 set thread context of 2516	1520	zhkzh.exe	83
PID 1876 set thread context of 2000	1876	ivjmq.exe	85
PID 2536 set thread context of 2792	2536	mblek.exe	87
PID 2340 set thread context of 2816	2340	ycpkp.exe	89
PID 2740 set thread context of 2240	2740	hbrkb.exe	91
PID 1740 set thread context of 908	1740	tlwpx.exe	93
PID 940 set thread context of 1896	940	ipcnd.exe	95
PID 1892 set thread context of 2668	1892	ucsfc.exe	97
PID 2940 set thread context of 632	2940	djvag.exe	99
PID 3028 set thread context of 2108	3028	pkhgl.exe	101
PID 1184 set thread context of 2380	1184	wpqnw.exe	103
PID 1452 set thread context of 580	1452	lealo.exe	105
PID 2288 set thread context of 684	2288	mwotu.exe	107
PID 2148 set thread context of 2256	2148	qxuje.exe	109
PID 836 set thread context of 2528	836	cvwjg.exe	111
PID 2540 set thread context of 2744	2540	joteo.exe	113
PID 2748 set thread context of 2712	2748	phqhx.exe	115
PID 2656 set thread context of 2596	2656	tetse.exe	117
PID 272 set thread context of 1344	272	foyxj.exe	119
PID 1188 set thread context of 1016	1188	mdsno.exe	121
PID 940 set thread context of 1672	940	szavz.exe	123
PID 1892 set thread context of 2856	1892	cgdqd.exe	125
PID 2216 set thread context of 572	2216	yhrnn.exe	127
PID 1664 set thread context of 112	1664	knkgh.exe	129
PID 1916 set thread context of 2308	1916	tbktq.exe	131
PID 2372 set thread context of 992	2372	ctxbw.exe	133
PID 1584 set thread context of 980	1584	ognte.exe	135
PID 1500 set thread context of 2416	1500	ahszb.exe	137
PID 2504 set thread context of 2680	2504	efvjq.exe	139
PID 2836 set thread context of 2752	2836	qoapm.exe	141
PID 2892 set thread context of 2804	2892	xhxsv.exe	143
PID 2844 set thread context of 2336	2844	grlsb.exe	145
PID 1496 set thread context of 1936	1496	hjgsi.exe	147
PID 1680 set thread context of 2064	1680	rtuao.exe	149
PID 1920 set thread context of 1236	1920	aaxnk.exe	151
PID 2232 set thread context of 1444	2232	mnngr.exe	153
PID 1480 set thread context of 1708	1480	sjvnc.exe	155
PID 1184 set thread context of 2928	1184	whygk.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dhhno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iycxp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	otepe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dancf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efvjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sjvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rbalg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jpsoy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rbovu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	owxdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cyquq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xpdcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoapm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jnsyl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcccx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfcfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lqeux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hrmla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpbhs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilnbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saiul.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wcnaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aethw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucsfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	apfcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nhqpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lazfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jljpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlkio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mblek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpqnw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rodlz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kepvz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkhgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ficcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bebrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iycxp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ejreu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cgdqd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lazfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tfffj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrvry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bnedp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mnyvt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	phqhx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyzwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pimbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uflyh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mitbu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	djvag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qxuje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hjgsi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sjvnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ivjmq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ewfts.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyzwi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fkuak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yaofa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctxbw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fxcgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlwpx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucsfc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
904	mitbu.exe
2788	xrvry.exe
2604	zuwrn.exe
2364	yuezs.exe
1544	fjqpx.exe
1720	otepe.exe
2100	xpdcn.exe
660	bnedp.exe
956	hrmla.exe
896	rbalg.exe
684	xuxop.exe
1864	ejreu.exe
2084	lvagx.exe
764	ufohv.exe
3000	dancf.exe
2676	nhqpi.exe
1120	zxrus.exe
1964	aethw.exe
1684	mnyvt.exe
1404	yaofa.exe
1608	kfdxa.exe
2168	txrgg.exe
1276	aqoao.exe
612	jxzws.exe
2468	qmllx.exe
1520	zhkzh.exe
1876	ivjmq.exe
2536	mblek.exe
2340	ycpkp.exe
2740	hbrkb.exe
1740	tlwpx.exe
940	ipcnd.exe
1892	ucsfc.exe
2940	djvag.exe
3028	pkhgl.exe
1184	wpqnw.exe
1452	lealo.exe
2288	mwotu.exe
2148	qxuje.exe
836	cvwjg.exe
2540	joteo.exe
2748	phqhx.exe
2656	tetse.exe
272	foyxj.exe
1188	mdsno.exe
940	szavz.exe
1892	cgdqd.exe
2216	yhrnn.exe
1664	knkgh.exe
1916	tbktq.exe
2372	ctxbw.exe
1584	ognte.exe
1500	ahszb.exe
2504	efvjq.exe
2836	qoapm.exe
2892	xhxsv.exe
2844	grlsb.exe
1496	hjgsi.exe
1680	rtuao.exe
1920	aaxnk.exe
2232	mnngr.exe
1480	sjvnc.exe
1184	whygk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2684	1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2684	1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2684	1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2684	1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2684	1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2684	1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2684	1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	30
PID 1872 wrote to memory of 2684	1872	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	30
PID 2684 wrote to memory of 904	2684	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	31
PID 2684 wrote to memory of 904	2684	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	31
PID 2684 wrote to memory of 904	2684	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	31
PID 2684 wrote to memory of 904	2684	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	31
PID 904 wrote to memory of 2244	904	mitbu.exe	32
PID 904 wrote to memory of 2244	904	mitbu.exe	32
PID 904 wrote to memory of 2244	904	mitbu.exe	32
PID 904 wrote to memory of 2244	904	mitbu.exe	32
PID 904 wrote to memory of 2244	904	mitbu.exe	32
PID 904 wrote to memory of 2244	904	mitbu.exe	32
PID 904 wrote to memory of 2244	904	mitbu.exe	32
PID 904 wrote to memory of 2244	904	mitbu.exe	32
PID 2244 wrote to memory of 2788	2244	mitbu.exe	33
PID 2244 wrote to memory of 2788	2244	mitbu.exe	33
PID 2244 wrote to memory of 2788	2244	mitbu.exe	33
PID 2244 wrote to memory of 2788	2244	mitbu.exe	33
PID 2788 wrote to memory of 2812	2788	xrvry.exe	35
PID 2788 wrote to memory of 2812	2788	xrvry.exe	35
PID 2788 wrote to memory of 2812	2788	xrvry.exe	35
PID 2788 wrote to memory of 2812	2788	xrvry.exe	35
PID 2788 wrote to memory of 2812	2788	xrvry.exe	35
PID 2788 wrote to memory of 2812	2788	xrvry.exe	35
PID 2788 wrote to memory of 2812	2788	xrvry.exe	35
PID 2788 wrote to memory of 2812	2788	xrvry.exe	35
PID 2812 wrote to memory of 2604	2812	xrvry.exe	36
PID 2812 wrote to memory of 2604	2812	xrvry.exe	36
PID 2812 wrote to memory of 2604	2812	xrvry.exe	36
PID 2812 wrote to memory of 2604	2812	xrvry.exe	36
PID 2604 wrote to memory of 2248	2604	zuwrn.exe	37
PID 2604 wrote to memory of 2248	2604	zuwrn.exe	37
PID 2604 wrote to memory of 2248	2604	zuwrn.exe	37
PID 2604 wrote to memory of 2248	2604	zuwrn.exe	37
PID 2604 wrote to memory of 2248	2604	zuwrn.exe	37
PID 2604 wrote to memory of 2248	2604	zuwrn.exe	37
PID 2604 wrote to memory of 2248	2604	zuwrn.exe	37
PID 2604 wrote to memory of 2248	2604	zuwrn.exe	37
PID 2248 wrote to memory of 2364	2248	zuwrn.exe	38
PID 2248 wrote to memory of 2364	2248	zuwrn.exe	38
PID 2248 wrote to memory of 2364	2248	zuwrn.exe	38
PID 2248 wrote to memory of 2364	2248	zuwrn.exe	38
PID 2364 wrote to memory of 1840	2364	yuezs.exe	39
PID 2364 wrote to memory of 1840	2364	yuezs.exe	39
PID 2364 wrote to memory of 1840	2364	yuezs.exe	39
PID 2364 wrote to memory of 1840	2364	yuezs.exe	39
PID 2364 wrote to memory of 1840	2364	yuezs.exe	39
PID 2364 wrote to memory of 1840	2364	yuezs.exe	39
PID 2364 wrote to memory of 1840	2364	yuezs.exe	39
PID 2364 wrote to memory of 1840	2364	yuezs.exe	39
PID 1840 wrote to memory of 1544	1840	yuezs.exe	40
PID 1840 wrote to memory of 1544	1840	yuezs.exe	40
PID 1840 wrote to memory of 1544	1840	yuezs.exe	40
PID 1840 wrote to memory of 1544	1840	yuezs.exe	40
PID 1544 wrote to memory of 1676	1544	fjqpx.exe	41
PID 1544 wrote to memory of 1676	1544	fjqpx.exe	41
PID 1544 wrote to memory of 1676	1544	fjqpx.exe	41
PID 1544 wrote to memory of 1676	1544	fjqpx.exe	41

C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\mitbu.exe
    C:\Windows\system32\mitbu.exe 460 "C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\SysWOW64\mitbu.exe
      C:\Windows\SysWOW64\mitbu.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\SysWOW64\xrvry.exe
        
        C:\Windows\system32\xrvry.exe 452 "C:\Windows\SysWOW64\mitbu.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\xrvry.exe
        
        C:\Windows\SysWOW64\xrvry.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\zuwrn.exe
        
        C:\Windows\system32\zuwrn.exe 452 "C:\Windows\SysWOW64\xrvry.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\zuwrn.exe
        
        C:\Windows\SysWOW64\zuwrn.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\yuezs.exe
        
        C:\Windows\system32\yuezs.exe 480 "C:\Windows\SysWOW64\zuwrn.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\yuezs.exe
        
        C:\Windows\SysWOW64\yuezs.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\SysWOW64\fjqpx.exe
        
        C:\Windows\system32\fjqpx.exe 468 "C:\Windows\SysWOW64\yuezs.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\fjqpx.exe
        
        C:\Windows\SysWOW64\fjqpx.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1676
        
        C:\Windows\SysWOW64\otepe.exe
        
        C:\Windows\system32\otepe.exe 468 "C:\Windows\SysWOW64\fjqpx.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1720
        
        C:\Windows\SysWOW64\otepe.exe
        
        C:\Windows\SysWOW64\otepe.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\xpdcn.exe
        
        C:\Windows\system32\xpdcn.exe 476 "C:\Windows\SysWOW64\otepe.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2100
        
        C:\Windows\SysWOW64\xpdcn.exe
        
        C:\Windows\SysWOW64\xpdcn.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\bnedp.exe
        
        C:\Windows\system32\bnedp.exe 384 "C:\Windows\SysWOW64\xpdcn.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:660
        
        C:\Windows\SysWOW64\bnedp.exe
        
        C:\Windows\SysWOW64\bnedp.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\SysWOW64\hrmla.exe
        
        C:\Windows\system32\hrmla.exe 424 "C:\Windows\SysWOW64\bnedp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:956
        
        C:\Windows\SysWOW64\hrmla.exe
        
        C:\Windows\SysWOW64\hrmla.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\rbalg.exe
        
        C:\Windows\system32\rbalg.exe 472 "C:\Windows\SysWOW64\hrmla.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:896
        
        C:\Windows\SysWOW64\rbalg.exe
        
        C:\Windows\SysWOW64\rbalg.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\xuxop.exe
        
        C:\Windows\system32\xuxop.exe 484 "C:\Windows\SysWOW64\rbalg.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:684
        
        C:\Windows\SysWOW64\xuxop.exe
        
        C:\Windows\SysWOW64\xuxop.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\ejreu.exe
        
        C:\Windows\system32\ejreu.exe 388 "C:\Windows\SysWOW64\xuxop.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1864
        
        C:\Windows\SysWOW64\ejreu.exe
        
        C:\Windows\SysWOW64\ejreu.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\lvagx.exe
        
        C:\Windows\system32\lvagx.exe 476 "C:\Windows\SysWOW64\ejreu.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2084
        
        C:\Windows\SysWOW64\lvagx.exe
        
        C:\Windows\SysWOW64\lvagx.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2228
        
        C:\Windows\SysWOW64\ufohv.exe
        
        C:\Windows\system32\ufohv.exe 472 "C:\Windows\SysWOW64\lvagx.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:764
        
        C:\Windows\SysWOW64\ufohv.exe
        
        C:\Windows\SysWOW64\ufohv.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2132
        
        C:\Windows\SysWOW64\dancf.exe
        
        C:\Windows\system32\dancf.exe 452 "C:\Windows\SysWOW64\ufohv.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3000
        
        C:\Windows\SysWOW64\dancf.exe
        
        C:\Windows\SysWOW64\dancf.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\nhqpi.exe
        
        C:\Windows\system32\nhqpi.exe 452 "C:\Windows\SysWOW64\dancf.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2676
        
        C:\Windows\SysWOW64\nhqpi.exe
        
        C:\Windows\SysWOW64\nhqpi.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\zxrus.exe
        
        C:\Windows\system32\zxrus.exe 452 "C:\Windows\SysWOW64\nhqpi.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\Windows\SysWOW64\zxrus.exe
        
        C:\Windows\SysWOW64\zxrus.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\aethw.exe
        
        C:\Windows\system32\aethw.exe 468 "C:\Windows\SysWOW64\zxrus.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1964
        
        C:\Windows\SysWOW64\aethw.exe
        
        C:\Windows\SysWOW64\aethw.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1028
        
        C:\Windows\SysWOW64\mnyvt.exe
        
        C:\Windows\system32\mnyvt.exe 432 "C:\Windows\SysWOW64\aethw.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1684
        
        C:\Windows\SysWOW64\mnyvt.exe
        
        C:\Windows\SysWOW64\mnyvt.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\yaofa.exe
        
        C:\Windows\system32\yaofa.exe 472 "C:\Windows\SysWOW64\mnyvt.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1404
        
        C:\Windows\SysWOW64\yaofa.exe
        
        C:\Windows\SysWOW64\yaofa.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\kfdxa.exe
        
        C:\Windows\system32\kfdxa.exe 532 "C:\Windows\SysWOW64\yaofa.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\kfdxa.exe
        
        C:\Windows\SysWOW64\kfdxa.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3012
        
        C:\Windows\SysWOW64\txrgg.exe
        
        C:\Windows\system32\txrgg.exe 480 "C:\Windows\SysWOW64\kfdxa.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\txrgg.exe
        
        C:\Windows\SysWOW64\txrgg.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\aqoao.exe
        
        C:\Windows\system32\aqoao.exe 488 "C:\Windows\SysWOW64\txrgg.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1276
        
        C:\Windows\SysWOW64\aqoao.exe
        
        C:\Windows\SysWOW64\aqoao.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1692
        
        C:\Windows\SysWOW64\jxzws.exe
        
        C:\Windows\system32\jxzws.exe 456 "C:\Windows\SysWOW64\aqoao.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:612
        
        C:\Windows\SysWOW64\jxzws.exe
        
        C:\Windows\SysWOW64\jxzws.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1768
        
        C:\Windows\SysWOW64\qmllx.exe
        
        C:\Windows\system32\qmllx.exe 452 "C:\Windows\SysWOW64\jxzws.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2468
        
        C:\Windows\SysWOW64\qmllx.exe
        
        C:\Windows\SysWOW64\qmllx.exe
        52⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1428
        
        C:\Windows\SysWOW64\zhkzh.exe
        
        C:\Windows\system32\zhkzh.exe 452 "C:\Windows\SysWOW64\qmllx.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1520
        
        C:\Windows\SysWOW64\zhkzh.exe
        
        C:\Windows\SysWOW64\zhkzh.exe
        54⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2516
        
        C:\Windows\SysWOW64\ivjmq.exe
        
        C:\Windows\system32\ivjmq.exe 472 "C:\Windows\SysWOW64\zhkzh.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1876
        
        C:\Windows\SysWOW64\ivjmq.exe
        
        C:\Windows\SysWOW64\ivjmq.exe
        56⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\mblek.exe
        
        C:\Windows\system32\mblek.exe 460 "C:\Windows\SysWOW64\ivjmq.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2536
        
        C:\Windows\SysWOW64\mblek.exe
        
        C:\Windows\SysWOW64\mblek.exe
        58⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\ycpkp.exe
        
        C:\Windows\system32\ycpkp.exe 452 "C:\Windows\SysWOW64\mblek.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2340
        
        C:\Windows\SysWOW64\ycpkp.exe
        
        C:\Windows\SysWOW64\ycpkp.exe
        60⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\hbrkb.exe
        
        C:\Windows\system32\hbrkb.exe 480 "C:\Windows\SysWOW64\ycpkp.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Windows\SysWOW64\hbrkb.exe
        
        C:\Windows\SysWOW64\hbrkb.exe
        62⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2240
        
        C:\Windows\SysWOW64\tlwpx.exe
        
        C:\Windows\system32\tlwpx.exe 460 "C:\Windows\SysWOW64\hbrkb.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1740
        
        C:\Windows\SysWOW64\tlwpx.exe
        
        C:\Windows\SysWOW64\tlwpx.exe
        64⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\ipcnd.exe
        
        C:\Windows\system32\ipcnd.exe 452 "C:\Windows\SysWOW64\tlwpx.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\SysWOW64\ipcnd.exe
        
        C:\Windows\SysWOW64\ipcnd.exe
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\ucsfc.exe
        
        C:\Windows\system32\ucsfc.exe 476 "C:\Windows\SysWOW64\ipcnd.exe"
        67⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\ucsfc.exe
        
        C:\Windows\SysWOW64\ucsfc.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\djvag.exe
        
        C:\Windows\system32\djvag.exe 484 "C:\Windows\SysWOW64\ucsfc.exe"
        69⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2940
        
        C:\Windows\SysWOW64\djvag.exe
        
        C:\Windows\SysWOW64\djvag.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\pkhgl.exe
        
        C:\Windows\system32\pkhgl.exe 468 "C:\Windows\SysWOW64\djvag.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3028
        
        C:\Windows\SysWOW64\pkhgl.exe
        
        C:\Windows\SysWOW64\pkhgl.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\wpqnw.exe
        
        C:\Windows\system32\wpqnw.exe 452 "C:\Windows\SysWOW64\pkhgl.exe"
        73⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\wpqnw.exe
        
        C:\Windows\SysWOW64\wpqnw.exe
        74⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\lealo.exe
        
        C:\Windows\system32\lealo.exe 476 "C:\Windows\SysWOW64\wpqnw.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Windows\SysWOW64\lealo.exe
        
        C:\Windows\SysWOW64\lealo.exe
        76⤵
        
        PID:580
        
        C:\Windows\SysWOW64\mwotu.exe
        
        C:\Windows\system32\mwotu.exe 468 "C:\Windows\SysWOW64\lealo.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2288
        
        C:\Windows\SysWOW64\mwotu.exe
        
        C:\Windows\SysWOW64\mwotu.exe
        78⤵
        
        PID:684
        
        C:\Windows\SysWOW64\qxuje.exe
        
        C:\Windows\system32\qxuje.exe 452 "C:\Windows\SysWOW64\mwotu.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2148
        
        C:\Windows\SysWOW64\qxuje.exe
        
        C:\Windows\SysWOW64\qxuje.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\cvwjg.exe
        
        C:\Windows\system32\cvwjg.exe 460 "C:\Windows\SysWOW64\qxuje.exe"
        81⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\cvwjg.exe
        
        C:\Windows\SysWOW64\cvwjg.exe
        82⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\joteo.exe
        
        C:\Windows\system32\joteo.exe 452 "C:\Windows\SysWOW64\cvwjg.exe"
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\Windows\SysWOW64\joteo.exe
        
        C:\Windows\SysWOW64\joteo.exe
        84⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\phqhx.exe
        
        C:\Windows\system32\phqhx.exe 488 "C:\Windows\SysWOW64\joteo.exe"
        85⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\phqhx.exe
        
        C:\Windows\SysWOW64\phqhx.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\tetse.exe
        
        C:\Windows\system32\tetse.exe 452 "C:\Windows\SysWOW64\phqhx.exe"
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2656
        
        C:\Windows\SysWOW64\tetse.exe
        
        C:\Windows\SysWOW64\tetse.exe
        88⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\foyxj.exe
        
        C:\Windows\system32\foyxj.exe 452 "C:\Windows\SysWOW64\tetse.exe"
        89⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:272
        
        C:\Windows\SysWOW64\foyxj.exe
        
        C:\Windows\SysWOW64\foyxj.exe
        90⤵
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\mdsno.exe
        
        C:\Windows\system32\mdsno.exe 528 "C:\Windows\SysWOW64\foyxj.exe"
        91⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1188
        
        C:\Windows\SysWOW64\mdsno.exe
        
        C:\Windows\SysWOW64\mdsno.exe
        92⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\szavz.exe
        
        C:\Windows\system32\szavz.exe 472 "C:\Windows\SysWOW64\mdsno.exe"
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:940
        
        C:\Windows\SysWOW64\szavz.exe
        
        C:\Windows\SysWOW64\szavz.exe
        94⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\cgdqd.exe
        
        C:\Windows\system32\cgdqd.exe 472 "C:\Windows\SysWOW64\szavz.exe"
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1892
        
        C:\Windows\SysWOW64\cgdqd.exe
        
        C:\Windows\SysWOW64\cgdqd.exe
        96⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\yhrnn.exe
        
        C:\Windows\system32\yhrnn.exe 476 "C:\Windows\SysWOW64\cgdqd.exe"
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2216
        
        C:\Windows\SysWOW64\yhrnn.exe
        
        C:\Windows\SysWOW64\yhrnn.exe
        98⤵
        
        PID:572
        
        C:\Windows\SysWOW64\knkgh.exe
        
        C:\Windows\system32\knkgh.exe 452 "C:\Windows\SysWOW64\yhrnn.exe"
        99⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1664
        
        C:\Windows\SysWOW64\knkgh.exe
        
        C:\Windows\SysWOW64\knkgh.exe
        100⤵
        Drops file in System32 directory
        
        PID:112
        
        C:\Windows\SysWOW64\tbktq.exe
        
        C:\Windows\system32\tbktq.exe 468 "C:\Windows\SysWOW64\knkgh.exe"
        101⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\tbktq.exe
        
        C:\Windows\SysWOW64\tbktq.exe
        102⤵
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\ctxbw.exe
        
        C:\Windows\system32\ctxbw.exe 472 "C:\Windows\SysWOW64\tbktq.exe"
        103⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2372
        
        C:\Windows\SysWOW64\ctxbw.exe
        
        C:\Windows\SysWOW64\ctxbw.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\ognte.exe
        
        C:\Windows\system32\ognte.exe 472 "C:\Windows\SysWOW64\ctxbw.exe"
        105⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1584
        
        C:\Windows\SysWOW64\ognte.exe
        
        C:\Windows\SysWOW64\ognte.exe
        106⤵
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\ahszb.exe
        
        C:\Windows\system32\ahszb.exe 480 "C:\Windows\SysWOW64\ognte.exe"
        107⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1500
        
        C:\Windows\SysWOW64\ahszb.exe
        
        C:\Windows\SysWOW64\ahszb.exe
        108⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\efvjq.exe
        
        C:\Windows\system32\efvjq.exe 472 "C:\Windows\SysWOW64\ahszb.exe"
        109⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\Windows\SysWOW64\efvjq.exe
        
        C:\Windows\SysWOW64\efvjq.exe
        110⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\qoapm.exe
        
        C:\Windows\system32\qoapm.exe 484 "C:\Windows\SysWOW64\efvjq.exe"
        111⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2836
        
        C:\Windows\SysWOW64\qoapm.exe
        
        C:\Windows\SysWOW64\qoapm.exe
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\xhxsv.exe
        
        C:\Windows\system32\xhxsv.exe 468 "C:\Windows\SysWOW64\qoapm.exe"
        113⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\xhxsv.exe
        
        C:\Windows\SysWOW64\xhxsv.exe
        114⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\grlsb.exe
        
        C:\Windows\system32\grlsb.exe 500 "C:\Windows\SysWOW64\xhxsv.exe"
        115⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2844
        
        C:\Windows\SysWOW64\grlsb.exe
        
        C:\Windows\SysWOW64\grlsb.exe
        116⤵
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\hjgsi.exe
        
        C:\Windows\system32\hjgsi.exe 480 "C:\Windows\SysWOW64\grlsb.exe"
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1496
        
        C:\Windows\SysWOW64\hjgsi.exe
        
        C:\Windows\SysWOW64\hjgsi.exe
        118⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\rtuao.exe
        
        C:\Windows\system32\rtuao.exe 500 "C:\Windows\SysWOW64\hjgsi.exe"
        119⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1680
        
        C:\Windows\SysWOW64\rtuao.exe
        
        C:\Windows\SysWOW64\rtuao.exe
        120⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\aaxnk.exe
        
        C:\Windows\system32\aaxnk.exe 468 "C:\Windows\SysWOW64\rtuao.exe"
        121⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Windows\SysWOW64\aaxnk.exe
        
        C:\Windows\SysWOW64\aaxnk.exe
        122⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\mnngr.exe
        
        C:\Windows\system32\mnngr.exe 532 "C:\Windows\SysWOW64\aaxnk.exe"
        123⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2232
        
        C:\Windows\SysWOW64\mnngr.exe
        
        C:\Windows\SysWOW64\mnngr.exe
        124⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\sjvnc.exe
        
        C:\Windows\system32\sjvnc.exe 480 "C:\Windows\SysWOW64\mnngr.exe"
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1480
        
        C:\Windows\SysWOW64\sjvnc.exe
        
        C:\Windows\SysWOW64\sjvnc.exe
        126⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\whygk.exe
        
        C:\Windows\system32\whygk.exe 472 "C:\Windows\SysWOW64\sjvnc.exe"
        127⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1184
        
        C:\Windows\SysWOW64\whygk.exe
        
        C:\Windows\SysWOW64\whygk.exe
        128⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\jnsyl.exe
        
        C:\Windows\system32\jnsyl.exe 452 "C:\Windows\SysWOW64\whygk.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\jnsyl.exe
        
        C:\Windows\SysWOW64\jnsyl.exe
        130⤵
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\pfpbu.exe
        
        C:\Windows\system32\pfpbu.exe 456 "C:\Windows\SysWOW64\jnsyl.exe"
        131⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\pfpbu.exe
        
        C:\Windows\SysWOW64\pfpbu.exe
        132⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\ytood.exe
        
        C:\Windows\system32\ytood.exe 468 "C:\Windows\SysWOW64\pfpbu.exe"
        133⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\ytood.exe
        
        C:\Windows\SysWOW64\ytood.exe
        134⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\kctua.exe
        
        C:\Windows\system32\kctua.exe 452 "C:\Windows\SysWOW64\ytood.exe"
        135⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\kctua.exe
        
        C:\Windows\SysWOW64\kctua.exe
        136⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\rdofc.exe
        
        C:\Windows\system32\rdofc.exe 500 "C:\Windows\SysWOW64\kctua.exe"
        137⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\rdofc.exe
        
        C:\Windows\SysWOW64\rdofc.exe
        138⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\ankfj.exe
        
        C:\Windows\system32\ankfj.exe 472 "C:\Windows\SysWOW64\rdofc.exe"
        139⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\ankfj.exe
        
        C:\Windows\SysWOW64\ankfj.exe
        140⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\ficcn.exe
        
        C:\Windows\system32\ficcn.exe 468 "C:\Windows\SysWOW64\ankfj.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\ficcn.exe
        
        C:\Windows\SysWOW64\ficcn.exe
        142⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\lazfw.exe
        
        C:\Windows\system32\lazfw.exe 480 "C:\Windows\SysWOW64\ficcn.exe"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\lazfw.exe
        
        C:\Windows\SysWOW64\lazfw.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
        
        C:\Windows\SysWOW64\uknfc.exe
        
        C:\Windows\system32\uknfc.exe 544 "C:\Windows\SysWOW64\lazfw.exe"
        145⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\uknfc.exe
        
        C:\Windows\SysWOW64\uknfc.exe
        146⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\wnogi.exe
        
        C:\Windows\system32\wnogi.exe 452 "C:\Windows\SysWOW64\uknfc.exe"
        147⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\wnogi.exe
        
        C:\Windows\SysWOW64\wnogi.exe
        148⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\fxcgp.exe
        
        C:\Windows\system32\fxcgp.exe 468 "C:\Windows\SysWOW64\wnogi.exe"
        149⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\fxcgp.exe
        
        C:\Windows\SysWOW64\fxcgp.exe
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\rodlz.exe
        
        C:\Windows\system32\rodlz.exe 480 "C:\Windows\SysWOW64\fxcgp.exe"
        151⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\rodlz.exe
        
        C:\Windows\SysWOW64\rodlz.exe
        152⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\dbtdy.exe
        
        C:\Windows\system32\dbtdy.exe 452 "C:\Windows\SysWOW64\rodlz.exe"
        153⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\dbtdy.exe
        
        C:\Windows\SysWOW64\dbtdy.exe
        154⤵
        
        PID:896
        
        C:\Windows\SysWOW64\mhvrc.exe
        
        C:\Windows\system32\mhvrc.exe 472 "C:\Windows\SysWOW64\dbtdy.exe"
        155⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\mhvrc.exe
        
        C:\Windows\SysWOW64\mhvrc.exe
        156⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\tiqbx.exe
        
        C:\Windows\system32\tiqbx.exe 452 "C:\Windows\SysWOW64\mhvrc.exe"
        157⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\tiqbx.exe
        
        C:\Windows\SysWOW64\tiqbx.exe
        158⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\zfzri.exe
        
        C:\Windows\system32\zfzri.exe 504 "C:\Windows\SysWOW64\tiqbx.exe"
        159⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\zfzri.exe
        
        C:\Windows\SysWOW64\zfzri.exe
        160⤵
        
        PID:936
        
        C:\Windows\SysWOW64\dcccx.exe
        
        C:\Windows\system32\dcccx.exe 508 "C:\Windows\SysWOW64\zfzri.exe"
        161⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\dcccx.exe
        
        C:\Windows\SysWOW64\dcccx.exe
        162⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\kvzxg.exe
        
        C:\Windows\system32\kvzxg.exe 488 "C:\Windows\SysWOW64\dcccx.exe"
        163⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\kvzxg.exe
        
        C:\Windows\SysWOW64\kvzxg.exe
        164⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\rktml.exe
        
        C:\Windows\system32\rktml.exe 464 "C:\Windows\SysWOW64\kvzxg.exe"
        165⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\rktml.exe
        
        C:\Windows\SysWOW64\rktml.exe
        166⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\duysi.exe
        
        C:\Windows\system32\duysi.exe 472 "C:\Windows\SysWOW64\rktml.exe"
        167⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\duysi.exe
        
        C:\Windows\SysWOW64\duysi.exe
        168⤵
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\maanl.exe
        
        C:\Windows\system32\maanl.exe 476 "C:\Windows\SysWOW64\duysi.exe"
        169⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\maanl.exe
        
        C:\Windows\SysWOW64\maanl.exe
        170⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\vwaav.exe
        
        C:\Windows\system32\vwaav.exe 476 "C:\Windows\SysWOW64\maanl.exe"
        171⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\vwaav.exe
        
        C:\Windows\SysWOW64\vwaav.exe
        172⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\fgnab.exe
        
        C:\Windows\system32\fgnab.exe 480 "C:\Windows\SysWOW64\vwaav.exe"
        173⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\fgnab.exe
        
        C:\Windows\SysWOW64\fgnab.exe
        174⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\jpsoy.exe
        
        C:\Windows\system32\jpsoy.exe 452 "C:\Windows\SysWOW64\fgnab.exe"
        175⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\jpsoy.exe
        
        C:\Windows\SysWOW64\jpsoy.exe
        176⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\uuiyf.exe
        
        C:\Windows\system32\uuiyf.exe 476 "C:\Windows\SysWOW64\jpsoy.exe"
        177⤵
        
        PID:924
        
        C:\Windows\SysWOW64\uuiyf.exe
        
        C:\Windows\SysWOW64\uuiyf.exe
        178⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\gemlk.exe
        
        C:\Windows\system32\gemlk.exe 460 "C:\Windows\SysWOW64\uuiyf.exe"
        179⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\gemlk.exe
        
        C:\Windows\SysWOW64\gemlk.exe
        180⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\tfrrh.exe
        
        C:\Windows\system32\tfrrh.exe 452 "C:\Windows\SysWOW64\gemlk.exe"
        181⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\tfrrh.exe
        
        C:\Windows\SysWOW64\tfrrh.exe
        182⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\bebrt.exe
        
        C:\Windows\system32\bebrt.exe 456 "C:\Windows\SysWOW64\tfrrh.exe"
        183⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\bebrt.exe
        
        C:\Windows\SysWOW64\bebrt.exe
        184⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\qclpl.exe
        
        C:\Windows\system32\qclpl.exe 452 "C:\Windows\SysWOW64\bebrt.exe"
        185⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\qclpl.exe
        
        C:\Windows\SysWOW64\qclpl.exe
        186⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\cpbhs.exe
        
        C:\Windows\system32\cpbhs.exe 452 "C:\Windows\SysWOW64\qclpl.exe"
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cpbhs.exe
        
        C:\Windows\SysWOW64\cpbhs.exe
        188⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\jljpd.exe
        
        C:\Windows\system32\jljpd.exe 480 "C:\Windows\SysWOW64\cpbhs.exe"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\jljpd.exe
        
        C:\Windows\SysWOW64\jljpd.exe
        190⤵
        Drops file in System32 directory
        
        PID:2876
        
        C:\Windows\SysWOW64\vuoui.exe
        
        C:\Windows\system32\vuoui.exe 484 "C:\Windows\SysWOW64\jljpd.exe"
        191⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\vuoui.exe
        
        C:\Windows\SysWOW64\vuoui.exe
        192⤵
        
        PID:272
        
        C:\Windows\SysWOW64\gzenh.exe
        
        C:\Windows\system32\gzenh.exe 488 "C:\Windows\SysWOW64\vuoui.exe"
        193⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\gzenh.exe
        
        C:\Windows\SysWOW64\gzenh.exe
        194⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\tfffj.exe
        
        C:\Windows\system32\tfffj.exe 484 "C:\Windows\SysWOW64\gzenh.exe"
        195⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\tfffj.exe
        
        C:\Windows\SysWOW64\tfffj.exe
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:1364
        
        C:\Windows\SysWOW64\rbovu.exe
        
        C:\Windows\system32\rbovu.exe 380 "C:\Windows\SysWOW64\tfffj.exe"
        197⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\rbovu.exe
        
        C:\Windows\SysWOW64\rbovu.exe
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:2232
        
        C:\Windows\SysWOW64\dhhno.exe
        
        C:\Windows\system32\dhhno.exe 476 "C:\Windows\SysWOW64\rbovu.exe"
        199⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\dhhno.exe
        
        C:\Windows\SysWOW64\dhhno.exe
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\kepvz.exe
        
        C:\Windows\system32\kepvz.exe 484 "C:\Windows\SysWOW64\dhhno.exe"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\kepvz.exe
        
        C:\Windows\SysWOW64\kepvz.exe
        202⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\zbzbz.exe
        
        C:\Windows\system32\zbzbz.exe 452 "C:\Windows\SysWOW64\kepvz.exe"
        203⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\zbzbz.exe
        
        C:\Windows\SysWOW64\zbzbz.exe
        204⤵
        
        PID:544
        
        C:\Windows\SysWOW64\ilnbg.exe
        
        C:\Windows\system32\ilnbg.exe 460 "C:\Windows\SysWOW64\zbzbz.exe"
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\ilnbg.exe
        
        C:\Windows\SysWOW64\ilnbg.exe
        206⤵
        Drops file in System32 directory
        
        PID:2780
        
        C:\Windows\SysWOW64\xpuzd.exe
        
        C:\Windows\system32\xpuzd.exe 464 "C:\Windows\SysWOW64\ilnbg.exe"
        207⤵
        
        PID:792
        
        C:\Windows\SysWOW64\xpuzd.exe
        
        C:\Windows\SysWOW64\xpuzd.exe
        208⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\icjjl.exe
        
        C:\Windows\system32\icjjl.exe 472 "C:\Windows\SysWOW64\xpuzd.exe"
        209⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\icjjl.exe
        
        C:\Windows\SysWOW64\icjjl.exe
        210⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\rqjem.exe
        
        C:\Windows\system32\rqjem.exe 436 "C:\Windows\SysWOW64\icjjl.exe"
        211⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\rqjem.exe
        
        C:\Windows\SysWOW64\rqjem.exe
        212⤵
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\gnscm.exe
        
        C:\Windows\system32\gnscm.exe 492 "C:\Windows\SysWOW64\rqjem.exe"
        213⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\gnscm.exe
        
        C:\Windows\SysWOW64\gnscm.exe
        214⤵
        Drops file in System32 directory
        
        PID:2628
        
        C:\Windows\SysWOW64\saiul.exe
        
        C:\Windows\system32\saiul.exe 488 "C:\Windows\SysWOW64\gnscm.exe"
        215⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\saiul.exe
        
        C:\Windows\SysWOW64\saiul.exe
        216⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\wcnaq.exe
        
        C:\Windows\system32\wcnaq.exe 468 "C:\Windows\SysWOW64\saiul.exe"
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\wcnaq.exe
        
        C:\Windows\SysWOW64\wcnaq.exe
        218⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\apfcd.exe
        
        C:\Windows\system32\apfcd.exe 476 "C:\Windows\SysWOW64\wcnaq.exe"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\apfcd.exe
        
        C:\Windows\SysWOW64\apfcd.exe
        220⤵
        Drops file in System32 directory
        
        PID:2944
        
        C:\Windows\SysWOW64\hwzsi.exe
        
        C:\Windows\system32\hwzsi.exe 484 "C:\Windows\SysWOW64\apfcd.exe"
        221⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\hwzsi.exe
        
        C:\Windows\SysWOW64\hwzsi.exe
        222⤵
        
        PID:448
        
        C:\Windows\SysWOW64\nlkio.exe
        
        C:\Windows\system32\nlkio.exe 464 "C:\Windows\SysWOW64\hwzsi.exe"
        223⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\nlkio.exe
        
        C:\Windows\SysWOW64\nlkio.exe
        224⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\ruzfg.exe
        
        C:\Windows\system32\ruzfg.exe 452 "C:\Windows\SysWOW64\nlkio.exe"
        225⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\ruzfg.exe
        
        C:\Windows\SysWOW64\ruzfg.exe
        226⤵
        Drops file in System32 directory
        
        PID:1392
        
        C:\Windows\SysWOW64\dwdld.exe
        
        C:\Windows\system32\dwdld.exe 476 "C:\Windows\SysWOW64\ruzfg.exe"
        227⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\dwdld.exe
        
        C:\Windows\SysWOW64\dwdld.exe
        228⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\klpbi.exe
        
        C:\Windows\system32\klpbi.exe 484 "C:\Windows\SysWOW64\dwdld.exe"
        229⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\klpbi.exe
        
        C:\Windows\SysWOW64\klpbi.exe
        230⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\tvlbp.exe
        
        C:\Windows\system32\tvlbp.exe 452 "C:\Windows\SysWOW64\klpbi.exe"
        231⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\tvlbp.exe
        
        C:\Windows\SysWOW64\tvlbp.exe
        232⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\dkows.exe
        
        C:\Windows\system32\dkows.exe 476 "C:\Windows\SysWOW64\tvlbp.exe"
        233⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\dkows.exe
        
        C:\Windows\SysWOW64\dkows.exe
        234⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\eucwz.exe
        
        C:\Windows\system32\eucwz.exe 508 "C:\Windows\SysWOW64\dkows.exe"
        235⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\eucwz.exe
        
        C:\Windows\SysWOW64\eucwz.exe
        236⤵
        Drops file in System32 directory
        
        PID:588
        
        C:\Windows\SysWOW64\kqkek.exe
        
        C:\Windows\system32\kqkek.exe 484 "C:\Windows\SysWOW64\eucwz.exe"
        237⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\kqkek.exe
        
        C:\Windows\SysWOW64\kqkek.exe
        238⤵
        Drops file in System32 directory
        
        PID:380
        
        C:\Windows\SysWOW64\rqphs.exe
        
        C:\Windows\system32\rqphs.exe 484 "C:\Windows\SysWOW64\kqkek.exe"
        239⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\rqphs.exe
        
        C:\Windows\SysWOW64\rqphs.exe
        240⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\dsump.exe
        
        C:\Windows\system32\dsump.exe 452 "C:\Windows\SysWOW64\rqphs.exe"
        241⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\dsump.exe
        
        C:\Windows\SysWOW64\dsump.exe
        242⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\pfcfw.exe
        
        C:\Windows\system32\pfcfw.exe 456 "C:\Windows\SysWOW64\dsump.exe"
        243⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\pfcfw.exe
        
        C:\Windows\SysWOW64\pfcfw.exe
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:484
        
        C:\Windows\SysWOW64\bddxq.exe
        
        C:\Windows\system32\bddxq.exe 504 "C:\Windows\SysWOW64\pfcfw.exe"
        245⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\bddxq.exe
        
        C:\Windows\SysWOW64\bddxq.exe
        246⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\hhlnj.exe
        
        C:\Windows\system32\hhlnj.exe 484 "C:\Windows\SysWOW64\bddxq.exe"
        247⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\hhlnj.exe
        
        C:\Windows\SysWOW64\hhlnj.exe
        248⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\owxdp.exe
        
        C:\Windows\system32\owxdp.exe 480 "C:\Windows\SysWOW64\hhlnj.exe"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\SysWOW64\owxdp.exe
        
        C:\Windows\SysWOW64\owxdp.exe
        250⤵
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\vpdyx.exe
        
        C:\Windows\system32\vpdyx.exe 464 "C:\Windows\SysWOW64\owxdp.exe"
        251⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\vpdyx.exe
        
        C:\Windows\SysWOW64\vpdyx.exe
        252⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\ewfts.exe
        
        C:\Windows\system32\ewfts.exe 464 "C:\Windows\SysWOW64\vpdyx.exe"
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\ewfts.exe
        
        C:\Windows\SysWOW64\ewfts.exe
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Windows\SysWOW64\axuqk.exe
        
        C:\Windows\system32\axuqk.exe 460 "C:\Windows\SysWOW64\ewfts.exe"
        255⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\axuqk.exe
        
        C:\Windows\SysWOW64\axuqk.exe
        256⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\uzxww.exe
        
        C:\Windows\system32\uzxww.exe 452 "C:\Windows\SysWOW64\axuqk.exe"
        257⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\uzxww.exe
        
        C:\Windows\SysWOW64\uzxww.exe
        258⤵
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\dyzwi.exe
        
        C:\Windows\system32\dyzwi.exe 472 "C:\Windows\SysWOW64\uzxww.exe"
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:2800
        
        C:\Windows\SysWOW64\dyzwi.exe
        
        C:\Windows\SysWOW64\dyzwi.exe
        260⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\pimbe.exe
        
        C:\Windows\system32\pimbe.exe 476 "C:\Windows\SysWOW64\dyzwi.exe"
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\pimbe.exe
        
        C:\Windows\SysWOW64\pimbe.exe
        262⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\yoppi.exe
        
        C:\Windows\system32\yoppi.exe 464 "C:\Windows\SysWOW64\pimbe.exe"
        263⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\yoppi.exe
        
        C:\Windows\SysWOW64\yoppi.exe
        264⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\iycxp.exe
        
        C:\Windows\system32\iycxp.exe 472 "C:\Windows\SysWOW64\yoppi.exe"
        265⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\iycxp.exe
        
        C:\Windows\SysWOW64\iycxp.exe
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\mzruz.exe
        
        C:\Windows\system32\mzruz.exe 452 "C:\Windows\SysWOW64\iycxp.exe"
        267⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\mzruz.exe
        
        C:\Windows\SysWOW64\mzruz.exe
        268⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\fkuak.exe
        
        C:\Windows\system32\fkuak.exe 480 "C:\Windows\SysWOW64\mzruz.exe"
        269⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\fkuak.exe
        
        C:\Windows\SysWOW64\fkuak.exe
        270⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\puiaq.exe
        
        C:\Windows\system32\puiaq.exe 544 "C:\Windows\SysWOW64\fkuak.exe"
        271⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\puiaq.exe
        
        C:\Windows\SysWOW64\puiaq.exe
        272⤵
        
        PID:880
        
        C:\Windows\SysWOW64\vmgdz.exe
        
        C:\Windows\system32\vmgdz.exe 484 "C:\Windows\SysWOW64\puiaq.exe"
        273⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\vmgdz.exe
        
        C:\Windows\SysWOW64\vmgdz.exe
        274⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\uflyh.exe
        
        C:\Windows\system32\uflyh.exe 468 "C:\Windows\SysWOW64\vmgdz.exe"
        275⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\uflyh.exe
        
        C:\Windows\SysWOW64\uflyh.exe
        276⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\duntl.exe
        
        C:\Windows\system32\duntl.exe 512 "C:\Windows\SysWOW64\uflyh.exe"
        277⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\duntl.exe
        
        C:\Windows\SysWOW64\duntl.exe
        278⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\kmkot.exe
        
        C:\Windows\system32\kmkot.exe 484 "C:\Windows\SysWOW64\duntl.exe"
        279⤵
        
        PID:916
        
        C:\Windows\SysWOW64\kmkot.exe
        
        C:\Windows\SysWOW64\kmkot.exe
        280⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\qitee.exe
        
        C:\Windows\system32\qitee.exe 464 "C:\Windows\SysWOW64\kmkot.exe"
        281⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\qitee.exe
        
        C:\Windows\SysWOW64\qitee.exe
        282⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\aperi.exe
        
        C:\Windows\system32\aperi.exe 476 "C:\Windows\SysWOW64\qitee.exe"
        283⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\aperi.exe
        
        C:\Windows\SysWOW64\aperi.exe
        284⤵
        Drops file in System32 directory
        
        PID:2848
        
        C:\Windows\SysWOW64\gqbuq.exe
        
        C:\Windows\system32\gqbuq.exe 472 "C:\Windows\SysWOW64\aperi.exe"
        285⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\gqbuq.exe
        
        C:\Windows\SysWOW64\gqbuq.exe
        286⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\toums.exe
        
        C:\Windows\system32\toums.exe 484 "C:\Windows\SysWOW64\gqbuq.exe"
        287⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\toums.exe
        
        C:\Windows\SysWOW64\toums.exe
        288⤵
        Drops file in System32 directory
        
        PID:1988
        
        C:\Windows\SysWOW64\cyquq.exe
        
        C:\Windows\system32\cyquq.exe 460 "C:\Windows\SysWOW64\toums.exe"
        289⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cyquq.exe
        
        C:\Windows\SysWOW64\cyquq.exe
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\lqeux.exe
        
        C:\Windows\system32\lqeux.exe 472 "C:\Windows\SysWOW64\cyquq.exe"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\lqeux.exe
        
        C:\Windows\SysWOW64\lqeux.exe
        292⤵
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\mddhg.exe
        
        C:\Windows\system32\mddhg.exe 492 "C:\Windows\SysWOW64\lqeux.exe"
        293⤵
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\mitbu.exe

Filesize
188KB

MD5
9a0e6645f3ceb7d70a8627bce6838a25

SHA1
43d76e08a412b2cef915cd5f0630f8aba7576f33

SHA256
d23d9c5dc49cdcf7a13416b35de4f691ff0d77c7b3dcdc661680972623721a07

SHA512
4866105fa5de239570243aecc326cab4317b2c2340fa58a1126d77361a2f2a7f695f46adf2c99143ed27ff3d91be941df247d8bfbc927a04a196bba27d251beb

Download Submit
memory/112-827-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/572-799-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/572-812-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/580-641-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/580-628-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/632-595-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/684-646-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/684-657-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/768-223-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/896-1232-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/908-550-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/936-1279-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/936-1266-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/980-873-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/980-860-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/992-857-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1016-765-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1028-353-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1144-1172-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1236-988-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1344-750-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1344-739-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1428-460-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1444-1003-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1468-1126-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1500-1080-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1532-1202-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1568-1217-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1640-263-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1672-768-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1672-781-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1676-126-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1692-430-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1692-417-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1708-1018-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1724-1141-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1740-1157-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1740-1144-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1768-445-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1788-414-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1832-368-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1840-107-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1896-565-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1936-958-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1996-1247-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2000-490-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2064-973-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2108-610-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2132-293-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2136-202-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2144-1310-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2220-183-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2228-278-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2240-535-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2244-34-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2244-46-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2248-88-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2256-672-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2260-383-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2268-338-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2308-842-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2336-943-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2340-1111-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2340-1098-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2356-1250-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2356-1263-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2380-625-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2396-1050-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2396-1037-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2400-1187-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2416-883-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2436-1065-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2440-1095-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2492-243-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2516-475-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2528-687-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2596-721-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2596-734-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2620-308-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-580-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2680-898-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2684-8-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2684-7-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2684-4-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2684-24-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2684-5-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2684-9-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2684-2-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2700-164-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2712-718-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2744-690-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2744-703-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2752-913-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2772-323-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2792-505-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2804-928-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2812-53-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2812-54-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2812-55-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2812-69-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2816-520-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2840-1295-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2840-1282-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2856-796-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2916-145-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2928-1021-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2928-1034-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3012-399-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3012-386-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download