metasploit | d23d9c5dc49cdcf7a13416b35de4f691ff0d77c7b3dcdc661680972623721a07

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
Size

188KB
MD5

9a0e6645f3ceb7d70a8627bce6838a25
SHA1

43d76e08a412b2cef915cd5f0630f8aba7576f33
SHA256

d23d9c5dc49cdcf7a13416b35de4f691ff0d77c7b3dcdc661680972623721a07
SHA512

4866105fa5de239570243aecc326cab4317b2c2340fa58a1126d77361a2f2a7f695f46adf2c99143ed27ff3d91be941df247d8bfbc927a04a196bba27d251beb
SSDEEP

3072:9RgaAb3zidY/5HhbPKRgMR2tr4QPxC2ig81zhR5jShWyIZhsS91IZps8TA4AvFOw:pAb4CbPwgMshRxhTWzr5xywhsS9eU8k3

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
3436	nyxxy.exe
2608	nyxxy.exe
1048	mgxav.exe
1680	mgxav.exe
1256	mktqx.exe
2320	mktqx.exe
1828	saawq.exe
3192	saawq.exe
1944	xckpm.exe
1524	xckpm.exe
2308	zxxke.exe
4664	zxxke.exe
884	hryiz.exe
4412	hryiz.exe
4952	flcbp.exe
316	flcbp.exe
5040	mfdzj.exe
1360	mfdzj.exe
2748	rkgfi.exe
3984	rkgfi.exe
4344	xxcfy.exe
4680	xxcfy.exe
1788	hwqax.exe
3160	hwqax.exe
1560	peolo.exe
700	peolo.exe
1048	ropzm.exe
3996	ropzm.exe
2728	ukcue.exe
1856	ukcue.exe
4544	uzafv.exe
3136	uzafv.exe
1976	zqhlp.exe
1072	zqhlp.exe
2548	jpvgn.exe
452	jpvgn.exe
1824	mlacf.exe
1984	mlacf.exe
2384	orqki.exe
3804	orqki.exe
1452	wlziu.exe
2976	wlziu.exe
1956	wpoyw.exe
664	wpoyw.exe
1372	eiwwq.exe
4316	eiwwq.exe
2896	jcppm.exe
4688	jcppm.exe
832	gawug.exe
1216	gawug.exe
2168	mnrvw.exe
1176	mnrvw.exe
5032	tgalq.exe
4476	tgalq.exe
3204	ylerp.exe
224	ylerp.exe
1532	bdxze.exe
1976	bdxze.exe
3632	gibfl.exe
2548	gibfl.exe
2324	lktyh.exe
884	lktyh.exe
4528	tarjr.exe
3496	tarjr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gawug.exe	jcppm.exe
File created	C:\Windows\SysWOW64\acpbs.exe	dbxiw.exe
File opened for modification	C:\Windows\SysWOW64\ijijb.exe	clbeh.exe
File opened for modification	C:\Windows\SysWOW64\igsaz.exe	anjcf.exe
File opened for modification	C:\Windows\SysWOW64\pgvmy.exe	ijijb.exe
File opened for modification	C:\Windows\SysWOW64\mktqx.exe	mgxav.exe
File created	C:\Windows\SysWOW64\hryiz.exe	zxxke.exe
File opened for modification	C:\Windows\SysWOW64\eiwwq.exe	wpoyw.exe
File created	C:\Windows\SysWOW64\ghcqb.exe	xdpsn.exe
File created	C:\Windows\SysWOW64\shgyt.exe	krjnc.exe
File created	C:\Windows\SysWOW64\rkgfi.exe	mfdzj.exe
File created	C:\Windows\SysWOW64\mubmw.exe	medbn.exe
File created	C:\Windows\SysWOW64\lagfw.exe	dwuhq.exe
File opened for modification	C:\Windows\SysWOW64\uobuq.exe	nvtww.exe
File opened for modification	C:\Windows\SysWOW64\rkgfi.exe	mfdzj.exe
File created	C:\Windows\SysWOW64\idwnt.exe	dfpha.exe
File opened for modification	C:\Windows\SysWOW64\clbeh.exe	sacap.exe
File created	C:\Windows\SysWOW64\wpoyw.exe	wlziu.exe
File created	C:\Windows\SysWOW64\tarjr.exe	lktyh.exe
File opened for modification	C:\Windows\SysWOW64\hevjs.exe	cgovz.exe
File created	C:\Windows\SysWOW64\medbn.exe	fefmn.exe
File opened for modification	C:\Windows\SysWOW64\xwnjr.exe	nmngy.exe
File opened for modification	C:\Windows\SysWOW64\saawq.exe	mktqx.exe
File opened for modification	C:\Windows\SysWOW64\mlacf.exe	jpvgn.exe
File created	C:\Windows\SysWOW64\eiwwq.exe	wpoyw.exe
File opened for modification	C:\Windows\SysWOW64\jflch.exe	mzpwb.exe
File created	C:\Windows\SysWOW64\nmngy.exe	igsaz.exe
File created	C:\Windows\SysWOW64\jpvgn.exe	zqhlp.exe
File opened for modification	C:\Windows\SysWOW64\xdpsn.exe	qkgus.exe
File opened for modification	C:\Windows\SysWOW64\blxpi.exe	tsxro.exe
File created	C:\Windows\SysWOW64\uobuq.exe	nvtww.exe
File opened for modification	C:\Windows\SysWOW64\mgxav.exe	nyxxy.exe
File opened for modification	C:\Windows\SysWOW64\isddz.exe	ghcqb.exe
File opened for modification	C:\Windows\SysWOW64\mubmw.exe	medbn.exe
File opened for modification	C:\Windows\SysWOW64\wnfau.exe	lgrkf.exe
File created	C:\Windows\SysWOW64\nkklb.exe	jfgfc.exe
File created	C:\Windows\SysWOW64\pbbia.exe	etnak.exe
File created	C:\Windows\SysWOW64\bdxze.exe	ylerp.exe
File created	C:\Windows\SysWOW64\lktyh.exe	gibfl.exe
File opened for modification	C:\Windows\SysWOW64\hboeg.exe	bkhym.exe
File created	C:\Windows\SysWOW64\xwnjr.exe	nmngy.exe
File created	C:\Windows\SysWOW64\aaiof.exe	vvfqy.exe
File opened for modification	C:\Windows\SysWOW64\medbn.exe	fefmn.exe
File created	C:\Windows\SysWOW64\hmgyj.exe	clwfn.exe
File opened for modification	C:\Windows\SysWOW64\uxfzr.exe	mskou.exe
File opened for modification	C:\Windows\SysWOW64\cfcki.exe	uxfzr.exe
File created	C:\Windows\SysWOW64\dnizr.exe	isddz.exe
File created	C:\Windows\SysWOW64\chzwa.exe	aaiof.exe
File created	C:\Windows\SysWOW64\favkq.exe	cyuos.exe
File opened for modification	C:\Windows\SysWOW64\cerzo.exe	ziedw.exe
File opened for modification	C:\Windows\SysWOW64\vdljv.exe	nkklb.exe
File opened for modification	C:\Windows\SysWOW64\oesrt.exe	gougj.exe
File created	C:\Windows\SysWOW64\krjnc.exe	idwnt.exe
File opened for modification	C:\Windows\SysWOW64\sacap.exe	hqkxx.exe
File created	C:\Windows\SysWOW64\pgvmy.exe	ijijb.exe
File created	C:\Windows\SysWOW64\ylerp.exe	tgalq.exe
File opened for modification	C:\Windows\SysWOW64\ggwia.exe	aqpvh.exe
File opened for modification	C:\Windows\SysWOW64\rmsty.exe	kpgqb.exe
File opened for modification	C:\Windows\SysWOW64\rvous.exe	goaek.exe
File created	C:\Windows\SysWOW64\blxpi.exe	tsxro.exe
File opened for modification	C:\Windows\SysWOW64\cgovz.exe	ppjvc.exe
File opened for modification	C:\Windows\SysWOW64\rwtfa.exe	mubmw.exe
File opened for modification	C:\Windows\SysWOW64\jfgfc.exe	blxpi.exe
File opened for modification	C:\Windows\SysWOW64\notff.exe	lagfw.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3344 set thread context of 444	3344	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	83
PID 3436 set thread context of 2608	3436	nyxxy.exe	87
PID 1048 set thread context of 1680	1048	mgxav.exe	91
PID 1256 set thread context of 2320	1256	mktqx.exe	93
PID 1828 set thread context of 3192	1828	saawq.exe	95
PID 1944 set thread context of 1524	1944	xckpm.exe	99
PID 2308 set thread context of 4664	2308	zxxke.exe	101
PID 884 set thread context of 4412	884	hryiz.exe	106
PID 4952 set thread context of 316	4952	flcbp.exe	108
PID 5040 set thread context of 1360	5040	mfdzj.exe	110
PID 2748 set thread context of 3984	2748	rkgfi.exe	112
PID 4344 set thread context of 4680	4344	xxcfy.exe	114
PID 1788 set thread context of 3160	1788	hwqax.exe	116
PID 1560 set thread context of 700	1560	peolo.exe	118
PID 1048 set thread context of 3996	1048	ropzm.exe	120
PID 2728 set thread context of 1856	2728	ukcue.exe	122
PID 4544 set thread context of 3136	4544	uzafv.exe	124
PID 1976 set thread context of 1072	1976	zqhlp.exe	126
PID 2548 set thread context of 452	2548	jpvgn.exe	128
PID 1824 set thread context of 1984	1824	mlacf.exe	130
PID 2384 set thread context of 3804	2384	orqki.exe	132
PID 1452 set thread context of 2976	1452	wlziu.exe	134
PID 1956 set thread context of 664	1956	wpoyw.exe	136
PID 1372 set thread context of 4316	1372	eiwwq.exe	138
PID 2896 set thread context of 4688	2896	jcppm.exe	140
PID 832 set thread context of 1216	832	gawug.exe	144
PID 2168 set thread context of 1176	2168	mnrvw.exe	146
PID 5032 set thread context of 4476	5032	tgalq.exe	149
PID 3204 set thread context of 224	3204	ylerp.exe	151
PID 1532 set thread context of 1976	1532	bdxze.exe	153
PID 3632 set thread context of 2548	3632	gibfl.exe	155
PID 2324 set thread context of 884	2324	lktyh.exe	157
PID 4528 set thread context of 3496	4528	tarjr.exe	159
PID 3640 set thread context of 868	3640	qnmjp.exe	161
PID 1860 set thread context of 2788	1860	sarkq.exe	163
PID 4848 set thread context of 3732	4848	aqpvh.exe	165
PID 1968 set thread context of 4740	1968	ggwia.exe	167
PID 804 set thread context of 4552	804	irxwy.exe	169
PID 5060 set thread context of 3052	5060	qkgus.exe	171
PID 1332 set thread context of 2168	1332	xdpsn.exe	173
PID 1972 set thread context of 1424	1972	ghcqb.exe	175
PID 3152 set thread context of 3528	3152	isddz.exe	177
PID 352 set thread context of 2216	352	dnizr.exe	179
PID 4348 set thread context of 548	4348	iparv.exe	181
PID 1308 set thread context of 3548	1308	qfycf.exe	183
PID 4384 set thread context of 3440	4384	vvfqy.exe	185
PID 836 set thread context of 4628	836	aaiof.exe	187
PID 1452 set thread context of 2716	1452	chzwa.exe	189
PID 1348 set thread context of 3504	1348	iqjkn.exe	191
PID 1252 set thread context of 1376	1252	stiso.exe	193
PID 1080 set thread context of 3704	1080	dbxiw.exe	195
PID 5052 set thread context of 4504	5052	acpbs.exe	198
PID 3212 set thread context of 2000	3212	cyuos.exe	200
PID 4636 set thread context of 2424	4636	favkq.exe	202
PID 3932 set thread context of 1476	3932	kycpj.exe	204
PID 992 set thread context of 232	992	ppjvc.exe	206
PID 812 set thread context of 2412	812	cgovz.exe	208
PID 3632 set thread context of 2084	3632	hevjs.exe	210
PID 3628 set thread context of 4384	3628	pxehm.exe	212
PID 3096 set thread context of 5096	3096	kpgqb.exe	214
PID 1808 set thread context of 1580	1808	rmsty.exe	216
PID 4324 set thread context of 1348	4324	ziedw.exe	218
PID 2912 set thread context of 4400	2912	cerzo.exe	220
PID 4284 set thread context of 1368	4284	jidcl.exe	222

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hryiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kycpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iszde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clbeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxxke.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gawug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmsty.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqlyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jflch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yrcqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iaxov.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blxpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hwqax.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	llhry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snqiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	medbn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mzpwb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jfgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lagfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xwnjr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxehm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	orqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqpvh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvfqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbxiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mubmw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lgrkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nyxxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hdjqc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppjvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ziedw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	llhry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unpqp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mfdzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qfycf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqjkn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxehm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgvmy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jcppm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	favkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rvous.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lagfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stiso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fefmn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbjar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gougj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xdpsn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ggwia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vvfqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mlacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdxze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mlacf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anjcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvtww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hevjs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pbbia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wxtpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	saawq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgalq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isddz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvtww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxxke.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3344	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
3436	nyxxy.exe
1048	mgxav.exe
1256	mktqx.exe
1828	saawq.exe
1944	xckpm.exe
2308	zxxke.exe
884	hryiz.exe
4952	flcbp.exe
5040	mfdzj.exe
2748	rkgfi.exe
4344	xxcfy.exe
1788	hwqax.exe
1560	peolo.exe
1048	ropzm.exe
2728	ukcue.exe
4544	uzafv.exe
1976	zqhlp.exe
2548	jpvgn.exe
1824	mlacf.exe
2384	orqki.exe
1452	wlziu.exe
1956	wpoyw.exe
1372	eiwwq.exe
2896	jcppm.exe
832	gawug.exe
2168	mnrvw.exe
5032	tgalq.exe
3204	ylerp.exe
1532	bdxze.exe
3632	gibfl.exe
2324	lktyh.exe
4528	tarjr.exe
3640	qnmjp.exe
1860	sarkq.exe
4848	aqpvh.exe
1968	ggwia.exe
804	irxwy.exe
5060	qkgus.exe
1332	xdpsn.exe
1972	ghcqb.exe
3152	isddz.exe
352	dnizr.exe
4348	iparv.exe
1308	qfycf.exe
4384	vvfqy.exe
836	aaiof.exe
1452	chzwa.exe
1348	iqjkn.exe
1252	stiso.exe
1080	dbxiw.exe
5052	acpbs.exe
3212	cyuos.exe
4636	favkq.exe
3932	kycpj.exe
992	ppjvc.exe
812	cgovz.exe
3632	hevjs.exe
3628	pxehm.exe
3096	kpgqb.exe
1808	rmsty.exe
4324	ziedw.exe
2912	cerzo.exe
4284	jidcl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 444	3344	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	83
PID 3344 wrote to memory of 444	3344	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	83
PID 3344 wrote to memory of 444	3344	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	83
PID 3344 wrote to memory of 444	3344	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	83
PID 3344 wrote to memory of 444	3344	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	83
PID 3344 wrote to memory of 444	3344	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	83
PID 3344 wrote to memory of 444	3344	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	83
PID 444 wrote to memory of 3436	444	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	84
PID 444 wrote to memory of 3436	444	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	84
PID 444 wrote to memory of 3436	444	9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe	84
PID 3436 wrote to memory of 2608	3436	nyxxy.exe	87
PID 3436 wrote to memory of 2608	3436	nyxxy.exe	87
PID 3436 wrote to memory of 2608	3436	nyxxy.exe	87
PID 3436 wrote to memory of 2608	3436	nyxxy.exe	87
PID 3436 wrote to memory of 2608	3436	nyxxy.exe	87
PID 3436 wrote to memory of 2608	3436	nyxxy.exe	87
PID 3436 wrote to memory of 2608	3436	nyxxy.exe	87
PID 2608 wrote to memory of 1048	2608	nyxxy.exe	88
PID 2608 wrote to memory of 1048	2608	nyxxy.exe	88
PID 2608 wrote to memory of 1048	2608	nyxxy.exe	88
PID 1048 wrote to memory of 1680	1048	mgxav.exe	91
PID 1048 wrote to memory of 1680	1048	mgxav.exe	91
PID 1048 wrote to memory of 1680	1048	mgxav.exe	91
PID 1048 wrote to memory of 1680	1048	mgxav.exe	91
PID 1048 wrote to memory of 1680	1048	mgxav.exe	91
PID 1048 wrote to memory of 1680	1048	mgxav.exe	91
PID 1048 wrote to memory of 1680	1048	mgxav.exe	91
PID 1680 wrote to memory of 1256	1680	mgxav.exe	92
PID 1680 wrote to memory of 1256	1680	mgxav.exe	92
PID 1680 wrote to memory of 1256	1680	mgxav.exe	92
PID 1256 wrote to memory of 2320	1256	mktqx.exe	93
PID 1256 wrote to memory of 2320	1256	mktqx.exe	93
PID 1256 wrote to memory of 2320	1256	mktqx.exe	93
PID 1256 wrote to memory of 2320	1256	mktqx.exe	93
PID 1256 wrote to memory of 2320	1256	mktqx.exe	93
PID 1256 wrote to memory of 2320	1256	mktqx.exe	93
PID 1256 wrote to memory of 2320	1256	mktqx.exe	93
PID 2320 wrote to memory of 1828	2320	mktqx.exe	94
PID 2320 wrote to memory of 1828	2320	mktqx.exe	94
PID 2320 wrote to memory of 1828	2320	mktqx.exe	94
PID 1828 wrote to memory of 3192	1828	saawq.exe	95
PID 1828 wrote to memory of 3192	1828	saawq.exe	95
PID 1828 wrote to memory of 3192	1828	saawq.exe	95
PID 1828 wrote to memory of 3192	1828	saawq.exe	95
PID 1828 wrote to memory of 3192	1828	saawq.exe	95
PID 1828 wrote to memory of 3192	1828	saawq.exe	95
PID 1828 wrote to memory of 3192	1828	saawq.exe	95
PID 3192 wrote to memory of 1944	3192	saawq.exe	96
PID 3192 wrote to memory of 1944	3192	saawq.exe	96
PID 3192 wrote to memory of 1944	3192	saawq.exe	96
PID 1944 wrote to memory of 1524	1944	xckpm.exe	99
PID 1944 wrote to memory of 1524	1944	xckpm.exe	99
PID 1944 wrote to memory of 1524	1944	xckpm.exe	99
PID 1944 wrote to memory of 1524	1944	xckpm.exe	99
PID 1944 wrote to memory of 1524	1944	xckpm.exe	99
PID 1944 wrote to memory of 1524	1944	xckpm.exe	99
PID 1944 wrote to memory of 1524	1944	xckpm.exe	99
PID 1524 wrote to memory of 2308	1524	xckpm.exe	100
PID 1524 wrote to memory of 2308	1524	xckpm.exe	100
PID 1524 wrote to memory of 2308	1524	xckpm.exe	100
PID 2308 wrote to memory of 4664	2308	zxxke.exe	101
PID 2308 wrote to memory of 4664	2308	zxxke.exe	101
PID 2308 wrote to memory of 4664	2308	zxxke.exe	101
PID 2308 wrote to memory of 4664	2308	zxxke.exe	101

C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Windows\SysWOW64\nyxxy.exe
    C:\Windows\system32\nyxxy.exe 1000 "C:\Users\Admin\AppData\Local\Temp\9a0e6645f3ceb7d70a8627bce6838a25_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\nyxxy.exe
      C:\Windows\SysWOW64\nyxxy.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\mgxav.exe
        
        C:\Windows\system32\mgxav.exe 1044 "C:\Windows\SysWOW64\nyxxy.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\SysWOW64\mgxav.exe
        
        C:\Windows\SysWOW64\mgxav.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\mktqx.exe
        
        C:\Windows\system32\mktqx.exe 1152 "C:\Windows\SysWOW64\mgxav.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\SysWOW64\mktqx.exe
        
        C:\Windows\SysWOW64\mktqx.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\saawq.exe
        
        C:\Windows\system32\saawq.exe 1156 "C:\Windows\SysWOW64\mktqx.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\saawq.exe
        
        C:\Windows\SysWOW64\saawq.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\SysWOW64\xckpm.exe
        
        C:\Windows\system32\xckpm.exe 1156 "C:\Windows\SysWOW64\saawq.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\xckpm.exe
        
        C:\Windows\SysWOW64\xckpm.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\zxxke.exe
        
        C:\Windows\system32\zxxke.exe 1148 "C:\Windows\SysWOW64\xckpm.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\zxxke.exe
        
        C:\Windows\SysWOW64\zxxke.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4664
        
        C:\Windows\SysWOW64\hryiz.exe
        
        C:\Windows\system32\hryiz.exe 1044 "C:\Windows\SysWOW64\zxxke.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\hryiz.exe
        
        C:\Windows\SysWOW64\hryiz.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4412
        
        C:\Windows\SysWOW64\flcbp.exe
        
        C:\Windows\system32\flcbp.exe 1040 "C:\Windows\SysWOW64\hryiz.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4952
        
        C:\Windows\SysWOW64\flcbp.exe
        
        C:\Windows\SysWOW64\flcbp.exe
        18⤵
        Executes dropped EXE
        
        PID:316
        
        C:\Windows\SysWOW64\mfdzj.exe
        
        C:\Windows\system32\mfdzj.exe 1016 "C:\Windows\SysWOW64\flcbp.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5040
        
        C:\Windows\SysWOW64\mfdzj.exe
        
        C:\Windows\SysWOW64\mfdzj.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\rkgfi.exe
        
        C:\Windows\system32\rkgfi.exe 1148 "C:\Windows\SysWOW64\mfdzj.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2748
        
        C:\Windows\SysWOW64\rkgfi.exe
        
        C:\Windows\SysWOW64\rkgfi.exe
        22⤵
        Executes dropped EXE
        
        PID:3984
        
        C:\Windows\SysWOW64\xxcfy.exe
        
        C:\Windows\system32\xxcfy.exe 1020 "C:\Windows\SysWOW64\rkgfi.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4344
        
        C:\Windows\SysWOW64\xxcfy.exe
        
        C:\Windows\SysWOW64\xxcfy.exe
        24⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\hwqax.exe
        
        C:\Windows\system32\hwqax.exe 1016 "C:\Windows\SysWOW64\xxcfy.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1788
        
        C:\Windows\SysWOW64\hwqax.exe
        
        C:\Windows\SysWOW64\hwqax.exe
        26⤵
        Executes dropped EXE
        
        PID:3160
        
        C:\Windows\SysWOW64\peolo.exe
        
        C:\Windows\system32\peolo.exe 1016 "C:\Windows\SysWOW64\hwqax.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1560
        
        C:\Windows\SysWOW64\peolo.exe
        
        C:\Windows\SysWOW64\peolo.exe
        28⤵
        Executes dropped EXE
        
        PID:700
        
        C:\Windows\SysWOW64\ropzm.exe
        
        C:\Windows\system32\ropzm.exe 1016 "C:\Windows\SysWOW64\peolo.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1048
        
        C:\Windows\SysWOW64\ropzm.exe
        
        C:\Windows\SysWOW64\ropzm.exe
        30⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Windows\SysWOW64\ukcue.exe
        
        C:\Windows\system32\ukcue.exe 988 "C:\Windows\SysWOW64\ropzm.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2728
        
        C:\Windows\SysWOW64\ukcue.exe
        
        C:\Windows\SysWOW64\ukcue.exe
        32⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\uzafv.exe
        
        C:\Windows\system32\uzafv.exe 1032 "C:\Windows\SysWOW64\ukcue.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4544
        
        C:\Windows\SysWOW64\uzafv.exe
        
        C:\Windows\SysWOW64\uzafv.exe
        34⤵
        Executes dropped EXE
        
        PID:3136
        
        C:\Windows\SysWOW64\zqhlp.exe
        
        C:\Windows\system32\zqhlp.exe 1016 "C:\Windows\SysWOW64\uzafv.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1976
        
        C:\Windows\SysWOW64\zqhlp.exe
        
        C:\Windows\SysWOW64\zqhlp.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\jpvgn.exe
        
        C:\Windows\system32\jpvgn.exe 1028 "C:\Windows\SysWOW64\zqhlp.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2548
        
        C:\Windows\SysWOW64\jpvgn.exe
        
        C:\Windows\SysWOW64\jpvgn.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:452
        
        C:\Windows\SysWOW64\mlacf.exe
        
        C:\Windows\system32\mlacf.exe 1148 "C:\Windows\SysWOW64\jpvgn.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1824
        
        C:\Windows\SysWOW64\mlacf.exe
        
        C:\Windows\SysWOW64\mlacf.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\orqki.exe
        
        C:\Windows\system32\orqki.exe 1028 "C:\Windows\SysWOW64\mlacf.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2384
        
        C:\Windows\SysWOW64\orqki.exe
        
        C:\Windows\SysWOW64\orqki.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\wlziu.exe
        
        C:\Windows\system32\wlziu.exe 1148 "C:\Windows\SysWOW64\orqki.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Windows\SysWOW64\wlziu.exe
        
        C:\Windows\SysWOW64\wlziu.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\wpoyw.exe
        
        C:\Windows\system32\wpoyw.exe 1020 "C:\Windows\SysWOW64\wlziu.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1956
        
        C:\Windows\SysWOW64\wpoyw.exe
        
        C:\Windows\SysWOW64\wpoyw.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\eiwwq.exe
        
        C:\Windows\system32\eiwwq.exe 1148 "C:\Windows\SysWOW64\wpoyw.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1372
        
        C:\Windows\SysWOW64\eiwwq.exe
        
        C:\Windows\SysWOW64\eiwwq.exe
        48⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\jcppm.exe
        
        C:\Windows\system32\jcppm.exe 1028 "C:\Windows\SysWOW64\eiwwq.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2896
        
        C:\Windows\SysWOW64\jcppm.exe
        
        C:\Windows\SysWOW64\jcppm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\gawug.exe
        
        C:\Windows\system32\gawug.exe 1148 "C:\Windows\SysWOW64\jcppm.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Windows\SysWOW64\gawug.exe
        
        C:\Windows\SysWOW64\gawug.exe
        52⤵
        Executes dropped EXE
        
        PID:1216
        
        C:\Windows\SysWOW64\mnrvw.exe
        
        C:\Windows\system32\mnrvw.exe 1148 "C:\Windows\SysWOW64\gawug.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2168
        
        C:\Windows\SysWOW64\mnrvw.exe
        
        C:\Windows\SysWOW64\mnrvw.exe
        54⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Windows\SysWOW64\tgalq.exe
        
        C:\Windows\system32\tgalq.exe 1148 "C:\Windows\SysWOW64\mnrvw.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5032
        
        C:\Windows\SysWOW64\tgalq.exe
        
        C:\Windows\SysWOW64\tgalq.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\ylerp.exe
        
        C:\Windows\system32\ylerp.exe 1152 "C:\Windows\SysWOW64\tgalq.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3204
        
        C:\Windows\SysWOW64\ylerp.exe
        
        C:\Windows\SysWOW64\ylerp.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:224
        
        C:\Windows\SysWOW64\bdxze.exe
        
        C:\Windows\system32\bdxze.exe 1148 "C:\Windows\SysWOW64\ylerp.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1532
        
        C:\Windows\SysWOW64\bdxze.exe
        
        C:\Windows\SysWOW64\bdxze.exe
        60⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Windows\SysWOW64\gibfl.exe
        
        C:\Windows\system32\gibfl.exe 1152 "C:\Windows\SysWOW64\bdxze.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Windows\SysWOW64\gibfl.exe
        
        C:\Windows\SysWOW64\gibfl.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\lktyh.exe
        
        C:\Windows\system32\lktyh.exe 1036 "C:\Windows\SysWOW64\gibfl.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2324
        
        C:\Windows\SysWOW64\lktyh.exe
        
        C:\Windows\SysWOW64\lktyh.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\tarjr.exe
        
        C:\Windows\system32\tarjr.exe 1152 "C:\Windows\SysWOW64\lktyh.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4528
        
        C:\Windows\SysWOW64\tarjr.exe
        
        C:\Windows\SysWOW64\tarjr.exe
        66⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\qnmjp.exe
        
        C:\Windows\system32\qnmjp.exe 1040 "C:\Windows\SysWOW64\tarjr.exe"
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3640
        
        C:\Windows\SysWOW64\qnmjp.exe
        
        C:\Windows\SysWOW64\qnmjp.exe
        68⤵
        
        PID:868
        
        C:\Windows\SysWOW64\sarkq.exe
        
        C:\Windows\system32\sarkq.exe 1112 "C:\Windows\SysWOW64\qnmjp.exe"
        69⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1860
        
        C:\Windows\SysWOW64\sarkq.exe
        
        C:\Windows\SysWOW64\sarkq.exe
        70⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\aqpvh.exe
        
        C:\Windows\system32\aqpvh.exe 1032 "C:\Windows\SysWOW64\sarkq.exe"
        71⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4848
        
        C:\Windows\SysWOW64\aqpvh.exe
        
        C:\Windows\SysWOW64\aqpvh.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\ggwia.exe
        
        C:\Windows\system32\ggwia.exe 1160 "C:\Windows\SysWOW64\aqpvh.exe"
        73⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1968
        
        C:\Windows\SysWOW64\ggwia.exe
        
        C:\Windows\SysWOW64\ggwia.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4740
        
        C:\Windows\SysWOW64\irxwy.exe
        
        C:\Windows\system32\irxwy.exe 1036 "C:\Windows\SysWOW64\ggwia.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:804
        
        C:\Windows\SysWOW64\irxwy.exe
        
        C:\Windows\SysWOW64\irxwy.exe
        76⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\qkgus.exe
        
        C:\Windows\system32\qkgus.exe 1036 "C:\Windows\SysWOW64\irxwy.exe"
        77⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5060
        
        C:\Windows\SysWOW64\qkgus.exe
        
        C:\Windows\SysWOW64\qkgus.exe
        78⤵
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\xdpsn.exe
        
        C:\Windows\system32\xdpsn.exe 1148 "C:\Windows\SysWOW64\qkgus.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1332
        
        C:\Windows\SysWOW64\xdpsn.exe
        
        C:\Windows\SysWOW64\xdpsn.exe
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\ghcqb.exe
        
        C:\Windows\system32\ghcqb.exe 1020 "C:\Windows\SysWOW64\xdpsn.exe"
        81⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\Windows\SysWOW64\ghcqb.exe
        
        C:\Windows\SysWOW64\ghcqb.exe
        82⤵
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\isddz.exe
        
        C:\Windows\system32\isddz.exe 1156 "C:\Windows\SysWOW64\ghcqb.exe"
        83⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3152
        
        C:\Windows\SysWOW64\isddz.exe
        
        C:\Windows\SysWOW64\isddz.exe
        84⤵
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\dnizr.exe
        
        C:\Windows\system32\dnizr.exe 1032 "C:\Windows\SysWOW64\isddz.exe"
        85⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:352
        
        C:\Windows\SysWOW64\dnizr.exe
        
        C:\Windows\SysWOW64\dnizr.exe
        86⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\iparv.exe
        
        C:\Windows\system32\iparv.exe 1148 "C:\Windows\SysWOW64\dnizr.exe"
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4348
        
        C:\Windows\SysWOW64\iparv.exe
        
        C:\Windows\SysWOW64\iparv.exe
        88⤵
        
        PID:548
        
        C:\Windows\SysWOW64\qfycf.exe
        
        C:\Windows\system32\qfycf.exe 1056 "C:\Windows\SysWOW64\iparv.exe"
        89⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1308
        
        C:\Windows\SysWOW64\qfycf.exe
        
        C:\Windows\SysWOW64\qfycf.exe
        90⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\vvfqy.exe
        
        C:\Windows\system32\vvfqy.exe 1016 "C:\Windows\SysWOW64\qfycf.exe"
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4384
        
        C:\Windows\SysWOW64\vvfqy.exe
        
        C:\Windows\SysWOW64\vvfqy.exe
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\aaiof.exe
        
        C:\Windows\system32\aaiof.exe 1032 "C:\Windows\SysWOW64\vvfqy.exe"
        93⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:836
        
        C:\Windows\SysWOW64\aaiof.exe
        
        C:\Windows\SysWOW64\aaiof.exe
        94⤵
        Drops file in System32 directory
        
        PID:4628
        
        C:\Windows\SysWOW64\chzwa.exe
        
        C:\Windows\system32\chzwa.exe 1148 "C:\Windows\SysWOW64\aaiof.exe"
        95⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1452
        
        C:\Windows\SysWOW64\chzwa.exe
        
        C:\Windows\SysWOW64\chzwa.exe
        96⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\iqjkn.exe
        
        C:\Windows\system32\iqjkn.exe 1044 "C:\Windows\SysWOW64\chzwa.exe"
        97⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1348
        
        C:\Windows\SysWOW64\iqjkn.exe
        
        C:\Windows\SysWOW64\iqjkn.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\stiso.exe
        
        C:\Windows\system32\stiso.exe 1016 "C:\Windows\SysWOW64\iqjkn.exe"
        99⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1252
        
        C:\Windows\SysWOW64\stiso.exe
        
        C:\Windows\SysWOW64\stiso.exe
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\dbxiw.exe
        
        C:\Windows\system32\dbxiw.exe 1016 "C:\Windows\SysWOW64\stiso.exe"
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1080
        
        C:\Windows\SysWOW64\dbxiw.exe
        
        C:\Windows\SysWOW64\dbxiw.exe
        102⤵
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\acpbs.exe
        
        C:\Windows\system32\acpbs.exe 1148 "C:\Windows\SysWOW64\dbxiw.exe"
        103⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:5052
        
        C:\Windows\SysWOW64\acpbs.exe
        
        C:\Windows\SysWOW64\acpbs.exe
        104⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\cyuos.exe
        
        C:\Windows\system32\cyuos.exe 1156 "C:\Windows\SysWOW64\acpbs.exe"
        105⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3212
        
        C:\Windows\SysWOW64\cyuos.exe
        
        C:\Windows\SysWOW64\cyuos.exe
        106⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\favkq.exe
        
        C:\Windows\system32\favkq.exe 1184 "C:\Windows\SysWOW64\cyuos.exe"
        107⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4636
        
        C:\Windows\SysWOW64\favkq.exe
        
        C:\Windows\SysWOW64\favkq.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\kycpj.exe
        
        C:\Windows\system32\kycpj.exe 1032 "C:\Windows\SysWOW64\favkq.exe"
        109⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3932
        
        C:\Windows\SysWOW64\kycpj.exe
        
        C:\Windows\SysWOW64\kycpj.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\ppjvc.exe
        
        C:\Windows\system32\ppjvc.exe 1044 "C:\Windows\SysWOW64\kycpj.exe"
        111⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:992
        
        C:\Windows\SysWOW64\ppjvc.exe
        
        C:\Windows\SysWOW64\ppjvc.exe
        112⤵
        Drops file in System32 directory
        
        PID:232
        
        C:\Windows\SysWOW64\cgovz.exe
        
        C:\Windows\system32\cgovz.exe 1032 "C:\Windows\SysWOW64\ppjvc.exe"
        113⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:812
        
        C:\Windows\SysWOW64\cgovz.exe
        
        C:\Windows\SysWOW64\cgovz.exe
        114⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\hevjs.exe
        
        C:\Windows\system32\hevjs.exe 1120 "C:\Windows\SysWOW64\cgovz.exe"
        115⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Windows\SysWOW64\hevjs.exe
        
        C:\Windows\SysWOW64\hevjs.exe
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\pxehm.exe
        
        C:\Windows\system32\pxehm.exe 1020 "C:\Windows\SysWOW64\hevjs.exe"
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3628
        
        C:\Windows\SysWOW64\pxehm.exe
        
        C:\Windows\SysWOW64\pxehm.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\kpgqb.exe
        
        C:\Windows\system32\kpgqb.exe 1040 "C:\Windows\SysWOW64\pxehm.exe"
        119⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3096
        
        C:\Windows\SysWOW64\kpgqb.exe
        
        C:\Windows\SysWOW64\kpgqb.exe
        120⤵
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\rmsty.exe
        
        C:\Windows\system32\rmsty.exe 1040 "C:\Windows\SysWOW64\kpgqb.exe"
        121⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:1808
        
        C:\Windows\SysWOW64\rmsty.exe
        
        C:\Windows\SysWOW64\rmsty.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\ziedw.exe
        
        C:\Windows\system32\ziedw.exe 1016 "C:\Windows\SysWOW64\rmsty.exe"
        123⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4324
        
        C:\Windows\SysWOW64\ziedw.exe
        
        C:\Windows\SysWOW64\ziedw.exe
        124⤵
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\cerzo.exe
        
        C:\Windows\system32\cerzo.exe 1036 "C:\Windows\SysWOW64\ziedw.exe"
        125⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:2912
        
        C:\Windows\SysWOW64\cerzo.exe
        
        C:\Windows\SysWOW64\cerzo.exe
        126⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\jidcl.exe
        
        C:\Windows\system32\jidcl.exe 1028 "C:\Windows\SysWOW64\cerzo.exe"
        127⤵
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4284
        
        C:\Windows\SysWOW64\jidcl.exe
        
        C:\Windows\SysWOW64\jidcl.exe
        128⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\snqiz.exe
        
        C:\Windows\system32\snqiz.exe 1032 "C:\Windows\SysWOW64\jidcl.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\snqiz.exe
        
        C:\Windows\SysWOW64\snqiz.exe
        130⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\xoibv.exe
        
        C:\Windows\system32\xoibv.exe 1036 "C:\Windows\SysWOW64\snqiz.exe"
        131⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\xoibv.exe
        
        C:\Windows\SysWOW64\xoibv.exe
        132⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\fefmn.exe
        
        C:\Windows\system32\fefmn.exe 1044 "C:\Windows\SysWOW64\xoibv.exe"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\fefmn.exe
        
        C:\Windows\SysWOW64\fefmn.exe
        134⤵
        Drops file in System32 directory
        
        PID:1256
        
        C:\Windows\SysWOW64\medbn.exe
        
        C:\Windows\system32\medbn.exe 1148 "C:\Windows\SysWOW64\fefmn.exe"
        135⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\medbn.exe
        
        C:\Windows\SysWOW64\medbn.exe
        136⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\mubmw.exe
        
        C:\Windows\system32\mubmw.exe 1152 "C:\Windows\SysWOW64\medbn.exe"
        137⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\mubmw.exe
        
        C:\Windows\SysWOW64\mubmw.exe
        138⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\rwtfa.exe
        
        C:\Windows\system32\rwtfa.exe 1016 "C:\Windows\SysWOW64\mubmw.exe"
        139⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\rwtfa.exe
        
        C:\Windows\SysWOW64\rwtfa.exe
        140⤵
        
        PID:220
        
        C:\Windows\SysWOW64\wqlyw.exe
        
        C:\Windows\system32\wqlyw.exe 1044 "C:\Windows\SysWOW64\rwtfa.exe"
        141⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\wqlyw.exe
        
        C:\Windows\SysWOW64\wqlyw.exe
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:956
        
        C:\Windows\SysWOW64\bkhym.exe
        
        C:\Windows\system32\bkhym.exe 1032 "C:\Windows\SysWOW64\wqlyw.exe"
        143⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\bkhym.exe
        
        C:\Windows\SysWOW64\bkhym.exe
        144⤵
        Drops file in System32 directory
        
        PID:2644
        
        C:\Windows\SysWOW64\hboeg.exe
        
        C:\Windows\system32\hboeg.exe 1048 "C:\Windows\SysWOW64\bkhym.exe"
        145⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\hboeg.exe
        
        C:\Windows\SysWOW64\hboeg.exe
        146⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\lgrkf.exe
        
        C:\Windows\system32\lgrkf.exe 1032 "C:\Windows\SysWOW64\hboeg.exe"
        147⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\lgrkf.exe
        
        C:\Windows\SysWOW64\lgrkf.exe
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3640
        
        C:\Windows\SysWOW64\wnfau.exe
        
        C:\Windows\system32\wnfau.exe 1032 "C:\Windows\SysWOW64\lgrkf.exe"
        149⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\wnfau.exe
        
        C:\Windows\SysWOW64\wnfau.exe
        150⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\bsbgt.exe
        
        C:\Windows\system32\bsbgt.exe 1032 "C:\Windows\SysWOW64\wnfau.exe"
        151⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\bsbgt.exe
        
        C:\Windows\SysWOW64\bsbgt.exe
        152⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\mzpwb.exe
        
        C:\Windows\system32\mzpwb.exe 1032 "C:\Windows\SysWOW64\bsbgt.exe"
        153⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\mzpwb.exe
        
        C:\Windows\SysWOW64\mzpwb.exe
        154⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Windows\SysWOW64\jflch.exe
        
        C:\Windows\system32\jflch.exe 1020 "C:\Windows\SysWOW64\mzpwb.exe"
        155⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\jflch.exe
        
        C:\Windows\SysWOW64\jflch.exe
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\qyusu.exe
        
        C:\Windows\system32\qyusu.exe 1032 "C:\Windows\SysWOW64\jflch.exe"
        157⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\qyusu.exe
        
        C:\Windows\SysWOW64\qyusu.exe
        158⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\yrcqo.exe
        
        C:\Windows\system32\yrcqo.exe 1032 "C:\Windows\SysWOW64\qyusu.exe"
        159⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\yrcqo.exe
        
        C:\Windows\SysWOW64\yrcqo.exe
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\emyqe.exe
        
        C:\Windows\system32\emyqe.exe 1148 "C:\Windows\SysWOW64\yrcqo.exe"
        161⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\emyqe.exe
        
        C:\Windows\SysWOW64\emyqe.exe
        162⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\goaek.exe
        
        C:\Windows\system32\goaek.exe 1020 "C:\Windows\SysWOW64\emyqe.exe"
        163⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\goaek.exe
        
        C:\Windows\SysWOW64\goaek.exe
        164⤵
        Drops file in System32 directory
        
        PID:3860
        
        C:\Windows\SysWOW64\rvous.exe
        
        C:\Windows\system32\rvous.exe 1032 "C:\Windows\SysWOW64\goaek.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:228
        
        C:\Windows\SysWOW64\rvous.exe
        
        C:\Windows\SysWOW64\rvous.exe
        166⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\vbjar.exe
        
        C:\Windows\system32\vbjar.exe 1032 "C:\Windows\SysWOW64\rvous.exe"
        167⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\vbjar.exe
        
        C:\Windows\SysWOW64\vbjar.exe
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\dqhli.exe
        
        C:\Windows\system32\dqhli.exe 1028 "C:\Windows\SysWOW64\vbjar.exe"
        169⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\dqhli.exe
        
        C:\Windows\SysWOW64\dqhli.exe
        170⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\iszde.exe
        
        C:\Windows\system32\iszde.exe 1016 "C:\Windows\SysWOW64\dqhli.exe"
        171⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\iszde.exe
        
        C:\Windows\SysWOW64\iszde.exe
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\iaxov.exe
        
        C:\Windows\system32\iaxov.exe 1148 "C:\Windows\SysWOW64\iszde.exe"
        173⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\iaxov.exe
        
        C:\Windows\SysWOW64\iaxov.exe
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\tsxro.exe
        
        C:\Windows\system32\tsxro.exe 1028 "C:\Windows\SysWOW64\iaxov.exe"
        175⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\tsxro.exe
        
        C:\Windows\SysWOW64\tsxro.exe
        176⤵
        Drops file in System32 directory
        
        PID:4164
        
        C:\Windows\SysWOW64\blxpi.exe
        
        C:\Windows\system32\blxpi.exe 1148 "C:\Windows\SysWOW64\tsxro.exe"
        177⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\blxpi.exe
        
        C:\Windows\SysWOW64\blxpi.exe
        178⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\jfgfc.exe
        
        C:\Windows\system32\jfgfc.exe 1148 "C:\Windows\SysWOW64\blxpi.exe"
        179⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\jfgfc.exe
        
        C:\Windows\SysWOW64\jfgfc.exe
        180⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\nkklb.exe
        
        C:\Windows\system32\nkklb.exe 1148 "C:\Windows\SysWOW64\jfgfc.exe"
        181⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\nkklb.exe
        
        C:\Windows\SysWOW64\nkklb.exe
        182⤵
        Drops file in System32 directory
        
        PID:4444
        
        C:\Windows\SysWOW64\vdljv.exe
        
        C:\Windows\system32\vdljv.exe 1148 "C:\Windows\SysWOW64\nkklb.exe"
        183⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\vdljv.exe
        
        C:\Windows\SysWOW64\vdljv.exe
        184⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\dwuhq.exe
        
        C:\Windows\system32\dwuhq.exe 1156 "C:\Windows\SysWOW64\vdljv.exe"
        185⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\dwuhq.exe
        
        C:\Windows\SysWOW64\dwuhq.exe
        186⤵
        Drops file in System32 directory
        
        PID:2284
        
        C:\Windows\SysWOW64\lagfw.exe
        
        C:\Windows\system32\lagfw.exe 1040 "C:\Windows\SysWOW64\dwuhq.exe"
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Windows\SysWOW64\lagfw.exe
        
        C:\Windows\SysWOW64\lagfw.exe
        188⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\notff.exe
        
        C:\Windows\system32\notff.exe 1032 "C:\Windows\SysWOW64\lagfw.exe"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\notff.exe
        
        C:\Windows\SysWOW64\notff.exe
        190⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\qvhwm.exe
        
        C:\Windows\system32\qvhwm.exe 1128 "C:\Windows\SysWOW64\notff.exe"
        191⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\qvhwm.exe
        
        C:\Windows\SysWOW64\qvhwm.exe
        192⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\vxroi.exe
        
        C:\Windows\system32\vxroi.exe 1032 "C:\Windows\SysWOW64\qvhwm.exe"
        193⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\vxroi.exe
        
        C:\Windows\SysWOW64\vxroi.exe
        194⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\dfpha.exe
        
        C:\Windows\system32\dfpha.exe 1020 "C:\Windows\SysWOW64\vxroi.exe"
        195⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\dfpha.exe
        
        C:\Windows\SysWOW64\dfpha.exe
        196⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\idwnt.exe
        
        C:\Windows\system32\idwnt.exe 1036 "C:\Windows\SysWOW64\dfpha.exe"
        197⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\idwnt.exe
        
        C:\Windows\SysWOW64\idwnt.exe
        198⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\krjnc.exe
        
        C:\Windows\system32\krjnc.exe 988 "C:\Windows\SysWOW64\idwnt.exe"
        199⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\krjnc.exe
        
        C:\Windows\SysWOW64\krjnc.exe
        200⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\shgyt.exe
        
        C:\Windows\system32\shgyt.exe 1028 "C:\Windows\SysWOW64\krjnc.exe"
        201⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\shgyt.exe
        
        C:\Windows\SysWOW64\shgyt.exe
        202⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\aapwf.exe
        
        C:\Windows\system32\aapwf.exe 1020 "C:\Windows\SysWOW64\shgyt.exe"
        203⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\aapwf.exe
        
        C:\Windows\SysWOW64\aapwf.exe
        204⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\llhry.exe
        
        C:\Windows\system32\llhry.exe 1092 "C:\Windows\SysWOW64\aapwf.exe"
        205⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Windows\SysWOW64\llhry.exe
        
        C:\Windows\SysWOW64\llhry.exe
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\hqkxx.exe
        
        C:\Windows\system32\hqkxx.exe 1080 "C:\Windows\SysWOW64\llhry.exe"
        207⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\hqkxx.exe
        
        C:\Windows\SysWOW64\hqkxx.exe
        208⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\sacap.exe
        
        C:\Windows\system32\sacap.exe 1036 "C:\Windows\SysWOW64\hqkxx.exe"
        209⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\sacap.exe
        
        C:\Windows\SysWOW64\sacap.exe
        210⤵
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\clbeh.exe
        
        C:\Windows\system32\clbeh.exe 1016 "C:\Windows\SysWOW64\sacap.exe"
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\clbeh.exe
        
        C:\Windows\SysWOW64\clbeh.exe
        212⤵
        Drops file in System32 directory
        
        PID:3196
        
        C:\Windows\SysWOW64\ijijb.exe
        
        C:\Windows\system32\ijijb.exe 992 "C:\Windows\SysWOW64\clbeh.exe"
        213⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\ijijb.exe
        
        C:\Windows\SysWOW64\ijijb.exe
        214⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\pgvmy.exe
        
        C:\Windows\system32\pgvmy.exe 1032 "C:\Windows\SysWOW64\ijijb.exe"
        215⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\pgvmy.exe
        
        C:\Windows\SysWOW64\pgvmy.exe
        216⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\anjcf.exe
        
        C:\Windows\system32\anjcf.exe 1032 "C:\Windows\SysWOW64\pgvmy.exe"
        217⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\anjcf.exe
        
        C:\Windows\SysWOW64\anjcf.exe
        218⤵
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\igsaz.exe
        
        C:\Windows\system32\igsaz.exe 1148 "C:\Windows\SysWOW64\anjcf.exe"
        219⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\igsaz.exe
        
        C:\Windows\SysWOW64\igsaz.exe
        220⤵
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\nmngy.exe
        
        C:\Windows\system32\nmngy.exe 1004 "C:\Windows\SysWOW64\igsaz.exe"
        221⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\nmngy.exe
        
        C:\Windows\SysWOW64\nmngy.exe
        222⤵
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\xwnjr.exe
        
        C:\Windows\system32\xwnjr.exe 992 "C:\Windows\SysWOW64\nmngy.exe"
        223⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\xwnjr.exe
        
        C:\Windows\SysWOW64\xwnjr.exe
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\fbxca.exe
        
        C:\Windows\system32\fbxca.exe 1000 "C:\Windows\SysWOW64\xwnjr.exe"
        225⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\fbxca.exe
        
        C:\Windows\SysWOW64\fbxca.exe
        226⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\nugsu.exe
        
        C:\Windows\system32\nugsu.exe 992 "C:\Windows\SysWOW64\fbxca.exe"
        227⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\nugsu.exe
        
        C:\Windows\SysWOW64\nugsu.exe
        228⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\unpqp.exe
        
        C:\Windows\system32\unpqp.exe 1028 "C:\Windows\SysWOW64\nugsu.exe"
        229⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\unpqp.exe
        
        C:\Windows\SysWOW64\unpqp.exe
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\comop.exe
        
        C:\Windows\system32\comop.exe 1032 "C:\Windows\SysWOW64\unpqp.exe"
        231⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\comop.exe
        
        C:\Windows\SysWOW64\comop.exe
        232⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\nvtww.exe
        
        C:\Windows\system32\nvtww.exe 1040 "C:\Windows\SysWOW64\comop.exe"
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
        
        C:\Windows\SysWOW64\nvtww.exe
        
        C:\Windows\SysWOW64\nvtww.exe
        234⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\uobuq.exe
        
        C:\Windows\system32\uobuq.exe 1032 "C:\Windows\SysWOW64\nvtww.exe"
        235⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\uobuq.exe
        
        C:\Windows\SysWOW64\uobuq.exe
        236⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\clwfn.exe
        
        C:\Windows\system32\clwfn.exe 1020 "C:\Windows\SysWOW64\uobuq.exe"
        237⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\clwfn.exe
        
        C:\Windows\SysWOW64\clwfn.exe
        238⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\hmgyj.exe
        
        C:\Windows\system32\hmgyj.exe 1032 "C:\Windows\SysWOW64\clwfn.exe"
        239⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\hmgyj.exe
        
        C:\Windows\SysWOW64\hmgyj.exe
        240⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\pzawy.exe
        
        C:\Windows\system32\pzawy.exe 1016 "C:\Windows\SysWOW64\hmgyj.exe"
        241⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\pzawy.exe
        
        C:\Windows\SysWOW64\pzawy.exe
        242⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\mskou.exe
        
        C:\Windows\system32\mskou.exe 1020 "C:\Windows\SysWOW64\pzawy.exe"
        243⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\mskou.exe
        
        C:\Windows\SysWOW64\mskou.exe
        244⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\uxfzr.exe
        
        C:\Windows\system32\uxfzr.exe 1032 "C:\Windows\SysWOW64\mskou.exe"
        245⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\uxfzr.exe
        
        C:\Windows\SysWOW64\uxfzr.exe
        246⤵
        Drops file in System32 directory
        
        PID:404
        
        C:\Windows\SysWOW64\cfcki.exe
        
        C:\Windows\system32\cfcki.exe 1028 "C:\Windows\SysWOW64\uxfzr.exe"
        247⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cfcki.exe
        
        C:\Windows\SysWOW64\cfcki.exe
        248⤵
        
        PID:920
        
        C:\Windows\SysWOW64\hdjqc.exe
        
        C:\Windows\system32\hdjqc.exe 1156 "C:\Windows\SysWOW64\cfcki.exe"
        249⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
        
        C:\Windows\SysWOW64\hdjqc.exe
        
        C:\Windows\SysWOW64\hdjqc.exe
        250⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\gougj.exe
        
        C:\Windows\system32\gougj.exe 1032 "C:\Windows\SysWOW64\hdjqc.exe"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\gougj.exe
        
        C:\Windows\SysWOW64\gougj.exe
        252⤵
        Drops file in System32 directory
        
        PID:4140
        
        C:\Windows\SysWOW64\oesrt.exe
        
        C:\Windows\system32\oesrt.exe 1028 "C:\Windows\SysWOW64\gougj.exe"
        253⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\oesrt.exe
        
        C:\Windows\SysWOW64\oesrt.exe
        254⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\wxtpn.exe
        
        C:\Windows\system32\wxtpn.exe 1016 "C:\Windows\SysWOW64\oesrt.exe"
        255⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\wxtpn.exe
        
        C:\Windows\SysWOW64\wxtpn.exe
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\etnak.exe
        
        C:\Windows\system32\etnak.exe 1064 "C:\Windows\SysWOW64\wxtpn.exe"
        257⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\etnak.exe
        
        C:\Windows\SysWOW64\etnak.exe
        258⤵
        Drops file in System32 directory
        
        PID:2132
        
        C:\Windows\SysWOW64\pbbia.exe
        
        C:\Windows\system32\pbbia.exe 1028 "C:\Windows\SysWOW64\etnak.exe"
        259⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\pbbia.exe
        
        C:\Windows\SysWOW64\pbbia.exe
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\lgwoy.exe
        
        C:\Windows\system32\lgwoy.exe 1032 "C:\Windows\SysWOW64\pbbia.exe"
        261⤵
        
        PID:1276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\nyxxy.exe

Filesize
188KB

MD5
9a0e6645f3ceb7d70a8627bce6838a25

SHA1
43d76e08a412b2cef915cd5f0630f8aba7576f33

SHA256
d23d9c5dc49cdcf7a13416b35de4f691ff0d77c7b3dcdc661680972623721a07

SHA512
4866105fa5de239570243aecc326cab4317b2c2340fa58a1126d77361a2f2a7f695f46adf2c99143ed27ff3d91be941df247d8bfbc927a04a196bba27d251beb

Download Submit
memory/220-927-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/224-428-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/224-418-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/232-763-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/316-140-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/444-5-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/444-10-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/444-19-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/444-2-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/444-8-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/444-7-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/444-4-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/444-6-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/452-294-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/452-284-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/548-613-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/664-343-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/664-353-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/700-216-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/868-489-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/884-465-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/884-457-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1072-266-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1072-278-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1176-402-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1216-390-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1256-899-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1348-838-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1348-828-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1360-154-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1368-862-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1376-688-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1424-568-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1424-576-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1476-751-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1476-741-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1524-96-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1560-874-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1580-815-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1580-825-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1628-887-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1628-877-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1680-52-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1680-42-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1856-246-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1976-440-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/1984-309-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2000-726-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2084-778-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2084-788-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2168-563-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2216-601-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2320-67-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2320-59-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2412-775-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2424-738-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2548-452-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2608-37-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2608-25-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2608-29-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2716-664-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2716-654-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2788-501-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2976-340-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2976-331-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3052-551-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3136-250-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3136-262-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3160-201-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3192-82-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3192-74-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3204-914-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3204-924-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3440-628-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3440-638-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3496-477-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3504-676-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3528-589-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3528-579-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3548-625-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3704-691-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3704-701-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3732-514-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3732-504-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3804-313-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3804-325-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3984-170-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3996-231-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4316-356-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4316-366-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4340-911-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4384-800-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4400-850-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4412-126-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4412-118-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4476-407-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4476-415-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4504-714-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4504-704-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4552-539-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4628-651-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4628-643-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4664-111-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4664-103-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4680-174-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4680-186-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4688-378-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4740-527-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4740-517-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/5096-812-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download