metasploit | eb168aaf39c4926770e387f1b34bda57823b6afe7a26779856bf9391573b2a37

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-12-2024 09:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe
Size

377KB
MD5

e5d0650411b0b4c0e5989d62895a35af
SHA1

0307a3a8827743c27079b3db4abb541126564cd9
SHA256

eb168aaf39c4926770e387f1b34bda57823b6afe7a26779856bf9391573b2a37
SHA512

10666e2fc8739c7fc6e1d0e6b6ddf63780f8ce823d946f1d8727a126c8741fec676a233c6f12aaef2bfec64260f6aeb92418640ac924a39a1f7579bbe749dadd
SSDEEP

6144:reVaO/iUJ4BrbvBJfK4PVCX23mGBWuMFvYoc9dRT+GDNmMzuMs6Cyv3kgg:reVT/iUJ45bvregmZ/Fgoc9bLX643

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
2272	ciu.exe
2696	kph.exe
2580	wok.exe
2700	jef.exe
2992	ovk.exe
536	vcx.exe
2764	gyy.exe
2812	qtz.exe
2240	vkw.exe
1916	fji.exe
2872	nnk.exe
1884	zpq.exe
3024	hxl.exe
904	rpb.exe
2196	ejh.exe
448	lrd.exe
2024	lyq.exe
1568	xaw.exe
2236	kno.exe
1976	xmi.exe
2300	iln.exe
2896	rnk.exe
1584	byz.exe
2952	opu.exe
1532	bnp.exe
1680	lqm.exe
2884	ydw.exe
2520	lbz.exe
2592	vpr.exe
2716	igu.exe
532	vte.exe
1404	ehe.exe
2796	rxh.exe
640	ewc.exe
840	rmx.exe
2484	ela.exe
1992	onp.exe
2660	bek.exe
1860	ocf.exe
3016	xqf.exe
1840	ldx.exe
2904	vgm.exe
2352	ite.exe
1508	rhw.exe
2768	egz.exe
1692	rtj.exe
744	bhj.exe
1852	rls.exe
2332	boh.exe
2020	omc.exe
1540	bdf.exe
2032	krx.exe
2608	xha.exe
2636	kgv.exe
2584	xwq.exe
624	kvs.exe
2960	uxi.exe
1012	hzo.exe
972	umf.exe
2748	dag.exe
320	rnq.exe
2664	aqf.exe
1984	odw.exe
1868	xrx.exe

Loads dropped DLL 64 IoCs

pid	Process
2184	e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe
2184	e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe
2272	ciu.exe
2272	ciu.exe
2696	kph.exe
2696	kph.exe
2580	wok.exe
2580	wok.exe
2700	jef.exe
2700	jef.exe
2992	ovk.exe
2992	ovk.exe
536	vcx.exe
536	vcx.exe
2764	gyy.exe
2764	gyy.exe
2812	qtz.exe
2812	qtz.exe
2240	vkw.exe
2240	vkw.exe
1916	fji.exe
1916	fji.exe
2872	nnk.exe
2872	nnk.exe
1884	zpq.exe
1884	zpq.exe
3024	hxl.exe
3024	hxl.exe
904	rpb.exe
904	rpb.exe
2196	ejh.exe
2196	ejh.exe
448	lrd.exe
448	lrd.exe
2024	lyq.exe
2024	lyq.exe
1568	xaw.exe
1568	xaw.exe
2236	kno.exe
2236	kno.exe
1976	xmi.exe
1976	xmi.exe
2300	iln.exe
2300	iln.exe
2896	rnk.exe
2896	rnk.exe
1584	byz.exe
1584	byz.exe
2952	opu.exe
2952	opu.exe
1532	bnp.exe
1532	bnp.exe
1680	lqm.exe
1680	lqm.exe
2884	ydw.exe
2884	ydw.exe
2520	lbz.exe
2520	lbz.exe
2592	vpr.exe
2592	vpr.exe
2716	igu.exe
2716	igu.exe
532	vte.exe
532	vte.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\vkw.exe	qtz.exe
File created	C:\Windows\SysWOW64\jth.exe	wyp.exe
File opened for modification	C:\Windows\SysWOW64\cvk.exe	pxp.exe
File opened for modification	C:\Windows\SysWOW64\uek.exe	hop.exe
File created	C:\Windows\SysWOW64\zio.exe	mvx.exe
File opened for modification	C:\Windows\SysWOW64\igu.exe	vpr.exe
File opened for modification	C:\Windows\SysWOW64\rpz.exe	eye.exe
File opened for modification	C:\Windows\SysWOW64\rch.exe	emn.exe
File created	C:\Windows\SysWOW64\rvi.exe	etc.exe
File opened for modification	C:\Windows\SysWOW64\xha.exe	krx.exe
File opened for modification	C:\Windows\SysWOW64\umf.exe	hzo.exe
File opened for modification	C:\Windows\SysWOW64\hop.exe	uxm.exe
File created	C:\Windows\SysWOW64\glw.exe	tvt.exe
File opened for modification	C:\Windows\SysWOW64\nlq.exe	amv.exe
File created	C:\Windows\SysWOW64\vte.exe	igu.exe
File opened for modification	C:\Windows\SysWOW64\ela.exe	rmx.exe
File opened for modification	C:\Windows\SysWOW64\jip.exe	zuw.exe
File opened for modification	C:\Windows\SysWOW64\voi.exe	iby.exe
File created	C:\Windows\SysWOW64\nlq.exe	amv.exe
File created	C:\Windows\SysWOW64\kph.exe	ciu.exe
File opened for modification	C:\Windows\SysWOW64\xwq.exe	kgv.exe
File created	C:\Windows\SysWOW64\zhc.exe	pfn.exe
File created	C:\Windows\SysWOW64\xpw.exe	kyc.exe
File opened for modification	C:\Windows\SysWOW64\gap.exe	tkm.exe
File opened for modification	C:\Windows\SysWOW64\hzr.exe	ylr.exe
File opened for modification	C:\Windows\SysWOW64\sgi.exe	fpf.exe
File created	C:\Windows\SysWOW64\jef.exe	wok.exe
File created	C:\Windows\SysWOW64\rmx.exe	ewc.exe
File opened for modification	C:\Windows\SysWOW64\eye.exe	raj.exe
File created	C:\Windows\SysWOW64\bgm.exe	oqr.exe
File opened for modification	C:\Windows\SysWOW64\jiy.exe	wvp.exe
File created	C:\Windows\SysWOW64\xaw.exe	lyq.exe
File opened for modification	C:\Windows\SysWOW64\srk.exe	gap.exe
File opened for modification	C:\Windows\SysWOW64\egz.exe	rhw.exe
File created	C:\Windows\SysWOW64\gfi.exe	xdt.exe
File created	C:\Windows\SysWOW64\dzb.exe	qiz.exe
File opened for modification	C:\Windows\SysWOW64\uma.exe	lgz.exe
File opened for modification	C:\Windows\SysWOW64\zwc.exe	qtn.exe
File created	C:\Windows\SysWOW64\abt.exe	nlq.exe
File created	C:\Windows\SysWOW64\gsc.exe	uyw.exe
File created	C:\Windows\SysWOW64\gbz.exe	tlw.exe
File opened for modification	C:\Windows\SysWOW64\mvx.exe	zwc.exe
File created	C:\Windows\SysWOW64\rls.exe	bhj.exe
File created	C:\Windows\SysWOW64\pdj.exe	ceh.exe
File opened for modification	C:\Windows\SysWOW64\amv.exe	nwb.exe
File created	C:\Windows\SysWOW64\ylr.exe	luw.exe
File created	C:\Windows\SysWOW64\uui.exe	sgi.exe
File opened for modification	C:\Windows\SysWOW64\lrd.exe	ejh.exe
File created	C:\Windows\SysWOW64\zjk.exe	pdj.exe
File opened for modification	C:\Windows\SysWOW64\gur.exe	wkc.exe
File opened for modification	C:\Windows\SysWOW64\zhc.exe	pfn.exe
File opened for modification	C:\Windows\SysWOW64\dic.exe	qji.exe
File created	C:\Windows\SysWOW64\gyy.exe	vcx.exe
File created	C:\Windows\SysWOW64\bdf.exe	omc.exe
File created	C:\Windows\SysWOW64\eia.exe	rvi.exe
File created	C:\Windows\SysWOW64\amv.exe	nwb.exe
File created	C:\Windows\SysWOW64\gyj.exe	tho.exe
File created	C:\Windows\SysWOW64\awi.exe	qpw.exe
File created	C:\Windows\SysWOW64\dyt.exe	qzy.exe
File opened for modification	C:\Windows\SysWOW64\dtm.exe	qcr.exe
File opened for modification	C:\Windows\SysWOW64\wok.exe	kph.exe
File created	C:\Windows\SysWOW64\ite.exe	vgm.exe
File opened for modification	C:\Windows\SysWOW64\rtj.exe	egz.exe
File created	C:\Windows\SysWOW64\xrx.exe	odw.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qyx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xaw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ovk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vkw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pxp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vgm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	krx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wqt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ydw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rpz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zbw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xwq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iyd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rtj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ghk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dtm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	djv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hzr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uxm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhc.exe

Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2272	2184	e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2272	2184	e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2272	2184	e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe	28
PID 2184 wrote to memory of 2272	2184	e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe	28
PID 2272 wrote to memory of 2696	2272	ciu.exe	29
PID 2272 wrote to memory of 2696	2272	ciu.exe	29
PID 2272 wrote to memory of 2696	2272	ciu.exe	29
PID 2272 wrote to memory of 2696	2272	ciu.exe	29
PID 2696 wrote to memory of 2580	2696	kph.exe	30
PID 2696 wrote to memory of 2580	2696	kph.exe	30
PID 2696 wrote to memory of 2580	2696	kph.exe	30
PID 2696 wrote to memory of 2580	2696	kph.exe	30
PID 2580 wrote to memory of 2700	2580	wok.exe	31
PID 2580 wrote to memory of 2700	2580	wok.exe	31
PID 2580 wrote to memory of 2700	2580	wok.exe	31
PID 2580 wrote to memory of 2700	2580	wok.exe	31
PID 2700 wrote to memory of 2992	2700	jef.exe	32
PID 2700 wrote to memory of 2992	2700	jef.exe	32
PID 2700 wrote to memory of 2992	2700	jef.exe	32
PID 2700 wrote to memory of 2992	2700	jef.exe	32
PID 2992 wrote to memory of 536	2992	ovk.exe	33
PID 2992 wrote to memory of 536	2992	ovk.exe	33
PID 2992 wrote to memory of 536	2992	ovk.exe	33
PID 2992 wrote to memory of 536	2992	ovk.exe	33
PID 536 wrote to memory of 2764	536	vcx.exe	34
PID 536 wrote to memory of 2764	536	vcx.exe	34
PID 536 wrote to memory of 2764	536	vcx.exe	34
PID 536 wrote to memory of 2764	536	vcx.exe	34
PID 2764 wrote to memory of 2812	2764	gyy.exe	35
PID 2764 wrote to memory of 2812	2764	gyy.exe	35
PID 2764 wrote to memory of 2812	2764	gyy.exe	35
PID 2764 wrote to memory of 2812	2764	gyy.exe	35
PID 2812 wrote to memory of 2240	2812	qtz.exe	36
PID 2812 wrote to memory of 2240	2812	qtz.exe	36
PID 2812 wrote to memory of 2240	2812	qtz.exe	36
PID 2812 wrote to memory of 2240	2812	qtz.exe	36
PID 2240 wrote to memory of 1916	2240	vkw.exe	37
PID 2240 wrote to memory of 1916	2240	vkw.exe	37
PID 2240 wrote to memory of 1916	2240	vkw.exe	37
PID 2240 wrote to memory of 1916	2240	vkw.exe	37
PID 1916 wrote to memory of 2872	1916	fji.exe	38
PID 1916 wrote to memory of 2872	1916	fji.exe	38
PID 1916 wrote to memory of 2872	1916	fji.exe	38
PID 1916 wrote to memory of 2872	1916	fji.exe	38
PID 2872 wrote to memory of 1884	2872	nnk.exe	39
PID 2872 wrote to memory of 1884	2872	nnk.exe	39
PID 2872 wrote to memory of 1884	2872	nnk.exe	39
PID 2872 wrote to memory of 1884	2872	nnk.exe	39
PID 1884 wrote to memory of 3024	1884	zpq.exe	40
PID 1884 wrote to memory of 3024	1884	zpq.exe	40
PID 1884 wrote to memory of 3024	1884	zpq.exe	40
PID 1884 wrote to memory of 3024	1884	zpq.exe	40
PID 3024 wrote to memory of 904	3024	hxl.exe	41
PID 3024 wrote to memory of 904	3024	hxl.exe	41
PID 3024 wrote to memory of 904	3024	hxl.exe	41
PID 3024 wrote to memory of 904	3024	hxl.exe	41
PID 904 wrote to memory of 2196	904	rpb.exe	42
PID 904 wrote to memory of 2196	904	rpb.exe	42
PID 904 wrote to memory of 2196	904	rpb.exe	42
PID 904 wrote to memory of 2196	904	rpb.exe	42
PID 2196 wrote to memory of 448	2196	ejh.exe	43
PID 2196 wrote to memory of 448	2196	ejh.exe	43
PID 2196 wrote to memory of 448	2196	ejh.exe	43
PID 2196 wrote to memory of 448	2196	ejh.exe	43

C:\Users\Admin\AppData\Local\Temp\e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\ciu.exe
  C:\Windows\system32\ciu.exe 468 "C:\Users\Admin\AppData\Local\Temp\e5d0650411b0b4c0e5989d62895a35af_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\kph.exe
    C:\Windows\system32\kph.exe 532 "C:\Windows\SysWOW64\ciu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\wok.exe
      C:\Windows\system32\wok.exe 544 "C:\Windows\SysWOW64\kph.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\SysWOW64\jef.exe
        
        C:\Windows\system32\jef.exe 552 "C:\Windows\SysWOW64\wok.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\SysWOW64\ovk.exe
        
        C:\Windows\system32\ovk.exe 536 "C:\Windows\SysWOW64\jef.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\vcx.exe
        
        C:\Windows\system32\vcx.exe 540 "C:\Windows\SysWOW64\ovk.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\gyy.exe
        
        C:\Windows\system32\gyy.exe 568 "C:\Windows\SysWOW64\vcx.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\qtz.exe
        
        C:\Windows\system32\qtz.exe 556 "C:\Windows\SysWOW64\gyy.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\vkw.exe
        
        C:\Windows\system32\vkw.exe 548 "C:\Windows\SysWOW64\qtz.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\fji.exe
        
        C:\Windows\system32\fji.exe 560 "C:\Windows\SysWOW64\vkw.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\nnk.exe
        
        C:\Windows\system32\nnk.exe 564 "C:\Windows\SysWOW64\fji.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\zpq.exe
        
        C:\Windows\system32\zpq.exe 572 "C:\Windows\SysWOW64\nnk.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\SysWOW64\hxl.exe
        
        C:\Windows\system32\hxl.exe 584 "C:\Windows\SysWOW64\zpq.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\rpb.exe
        
        C:\Windows\system32\rpb.exe 576 "C:\Windows\SysWOW64\hxl.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:904
        
        C:\Windows\SysWOW64\ejh.exe
        
        C:\Windows\system32\ejh.exe 580 "C:\Windows\SysWOW64\rpb.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\lrd.exe
        
        C:\Windows\system32\lrd.exe 588 "C:\Windows\SysWOW64\ejh.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:448
        
        C:\Windows\SysWOW64\lyq.exe
        
        C:\Windows\system32\lyq.exe 592 "C:\Windows\SysWOW64\lrd.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\xaw.exe
        
        C:\Windows\system32\xaw.exe 596 "C:\Windows\SysWOW64\lyq.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\kno.exe
        
        C:\Windows\system32\kno.exe 600 "C:\Windows\SysWOW64\xaw.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2236
        
        C:\Windows\SysWOW64\xmi.exe
        
        C:\Windows\system32\xmi.exe 604 "C:\Windows\SysWOW64\kno.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1976
        
        C:\Windows\SysWOW64\iln.exe
        
        C:\Windows\system32\iln.exe 608 "C:\Windows\SysWOW64\xmi.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\rnk.exe
        
        C:\Windows\system32\rnk.exe 612 "C:\Windows\SysWOW64\iln.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2896
        
        C:\Windows\SysWOW64\byz.exe
        
        C:\Windows\system32\byz.exe 628 "C:\Windows\SysWOW64\rnk.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1584
        
        C:\Windows\SysWOW64\opu.exe
        
        C:\Windows\system32\opu.exe 616 "C:\Windows\SysWOW64\byz.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2952
        
        C:\Windows\SysWOW64\bnp.exe
        
        C:\Windows\system32\bnp.exe 620 "C:\Windows\SysWOW64\opu.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1532
        
        C:\Windows\SysWOW64\lqm.exe
        
        C:\Windows\system32\lqm.exe 632 "C:\Windows\SysWOW64\bnp.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1680
        
        C:\Windows\SysWOW64\ydw.exe
        
        C:\Windows\system32\ydw.exe 624 "C:\Windows\SysWOW64\lqm.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\lbz.exe
        
        C:\Windows\system32\lbz.exe 636 "C:\Windows\SysWOW64\ydw.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2520
        
        C:\Windows\SysWOW64\vpr.exe
        
        C:\Windows\system32\vpr.exe 640 "C:\Windows\SysWOW64\lbz.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\igu.exe
        
        C:\Windows\system32\igu.exe 644 "C:\Windows\SysWOW64\vpr.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\vte.exe
        
        C:\Windows\system32\vte.exe 648 "C:\Windows\SysWOW64\igu.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\ehe.exe
        
        C:\Windows\system32\ehe.exe 652 "C:\Windows\SysWOW64\vte.exe"
        33⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\rxh.exe
        
        C:\Windows\system32\rxh.exe 656 "C:\Windows\SysWOW64\ehe.exe"
        34⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\ewc.exe
        
        C:\Windows\system32\ewc.exe 672 "C:\Windows\SysWOW64\rxh.exe"
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\rmx.exe
        
        C:\Windows\system32\rmx.exe 660 "C:\Windows\SysWOW64\ewc.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\ela.exe
        
        C:\Windows\system32\ela.exe 664 "C:\Windows\SysWOW64\rmx.exe"
        37⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Windows\SysWOW64\onp.exe
        
        C:\Windows\system32\onp.exe 684 "C:\Windows\SysWOW64\ela.exe"
        38⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\bek.exe
        
        C:\Windows\system32\bek.exe 668 "C:\Windows\SysWOW64\onp.exe"
        39⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Windows\SysWOW64\ocf.exe
        
        C:\Windows\system32\ocf.exe 676 "C:\Windows\SysWOW64\bek.exe"
        40⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\xqf.exe
        
        C:\Windows\system32\xqf.exe 680 "C:\Windows\SysWOW64\ocf.exe"
        41⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\ldx.exe
        
        C:\Windows\system32\ldx.exe 692 "C:\Windows\SysWOW64\xqf.exe"
        42⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\SysWOW64\vgm.exe
        
        C:\Windows\system32\vgm.exe 696 "C:\Windows\SysWOW64\ldx.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\ite.exe
        
        C:\Windows\system32\ite.exe 704 "C:\Windows\SysWOW64\vgm.exe"
        44⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\rhw.exe
        
        C:\Windows\system32\rhw.exe 688 "C:\Windows\SysWOW64\ite.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\egz.exe
        
        C:\Windows\system32\egz.exe 712 "C:\Windows\SysWOW64\rhw.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\rtj.exe
        
        C:\Windows\system32\rtj.exe 700 "C:\Windows\SysWOW64\egz.exe"
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\bhj.exe
        
        C:\Windows\system32\bhj.exe 728 "C:\Windows\SysWOW64\rtj.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:744
        
        C:\Windows\SysWOW64\rls.exe
        
        C:\Windows\system32\rls.exe 708 "C:\Windows\SysWOW64\bhj.exe"
        49⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\boh.exe
        
        C:\Windows\system32\boh.exe 716 "C:\Windows\SysWOW64\rls.exe"
        50⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\omc.exe
        
        C:\Windows\system32\omc.exe 720 "C:\Windows\SysWOW64\boh.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\bdf.exe
        
        C:\Windows\system32\bdf.exe 724 "C:\Windows\SysWOW64\omc.exe"
        52⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\krx.exe
        
        C:\Windows\system32\krx.exe 732 "C:\Windows\SysWOW64\bdf.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\SysWOW64\xha.exe
        
        C:\Windows\system32\xha.exe 736 "C:\Windows\SysWOW64\krx.exe"
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2608
        
        C:\Windows\SysWOW64\kgv.exe
        
        C:\Windows\system32\kgv.exe 740 "C:\Windows\SysWOW64\xha.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\xwq.exe
        
        C:\Windows\system32\xwq.exe 748 "C:\Windows\SysWOW64\kgv.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\kvs.exe
        
        C:\Windows\system32\kvs.exe 744 "C:\Windows\SysWOW64\xwq.exe"
        57⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\uxi.exe
        
        C:\Windows\system32\uxi.exe 752 "C:\Windows\SysWOW64\kvs.exe"
        58⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\hzo.exe
        
        C:\Windows\system32\hzo.exe 756 "C:\Windows\SysWOW64\uxi.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\umf.exe
        
        C:\Windows\system32\umf.exe 760 "C:\Windows\SysWOW64\hzo.exe"
        60⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Windows\SysWOW64\dag.exe
        
        C:\Windows\system32\dag.exe 764 "C:\Windows\SysWOW64\umf.exe"
        61⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Windows\SysWOW64\rnq.exe
        
        C:\Windows\system32\rnq.exe 768 "C:\Windows\SysWOW64\dag.exe"
        62⤵
        Executes dropped EXE
        
        PID:320
        
        C:\Windows\SysWOW64\aqf.exe
        
        C:\Windows\system32\aqf.exe 776 "C:\Windows\SysWOW64\rnq.exe"
        63⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\odw.exe
        
        C:\Windows\system32\odw.exe 784 "C:\Windows\SysWOW64\aqf.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\xrx.exe
        
        C:\Windows\system32\xrx.exe 788 "C:\Windows\SysWOW64\odw.exe"
        65⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Windows\SysWOW64\ceh.exe
        
        C:\Windows\system32\ceh.exe 780 "C:\Windows\SysWOW64\xrx.exe"
        66⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\pdj.exe
        
        C:\Windows\system32\pdj.exe 800 "C:\Windows\SysWOW64\ceh.exe"
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\zjk.exe
        
        C:\Windows\system32\zjk.exe 772 "C:\Windows\SysWOW64\pdj.exe"
        68⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\meu.exe
        
        C:\Windows\system32\meu.exe 792 "C:\Windows\SysWOW64\zjk.exe"
        69⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\zuw.exe
        
        C:\Windows\system32\zuw.exe 820 "C:\Windows\SysWOW64\meu.exe"
        70⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\jip.exe
        
        C:\Windows\system32\jip.exe 796 "C:\Windows\SysWOW64\zuw.exe"
        71⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\wzs.exe
        
        C:\Windows\system32\wzs.exe 804 "C:\Windows\SysWOW64\jip.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\iby.exe
        
        C:\Windows\system32\iby.exe 824 "C:\Windows\SysWOW64\wzs.exe"
        73⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\voi.exe
        
        C:\Windows\system32\voi.exe 808 "C:\Windows\SysWOW64\iby.exe"
        74⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\iqo.exe
        
        C:\Windows\system32\iqo.exe 812 "C:\Windows\SysWOW64\voi.exe"
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\ssl.exe
        
        C:\Windows\system32\ssl.exe 816 "C:\Windows\SysWOW64\iqo.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\ifl.exe
        
        C:\Windows\system32\ifl.exe 828 "C:\Windows\SysWOW64\ssl.exe"
        77⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\shb.exe
        
        C:\Windows\system32\shb.exe 836 "C:\Windows\SysWOW64\ifl.exe"
        78⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\fyd.exe
        
        C:\Windows\system32\fyd.exe 832 "C:\Windows\SysWOW64\shb.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\raj.exe
        
        C:\Windows\system32\raj.exe 840 "C:\Windows\SysWOW64\fyd.exe"
        80⤵
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\eye.exe
        
        C:\Windows\system32\eye.exe 844 "C:\Windows\SysWOW64\raj.exe"
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\rpz.exe
        
        C:\Windows\system32\rpz.exe 848 "C:\Windows\SysWOW64\eye.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:2588
        
        C:\Windows\SysWOW64\bda.exe
        
        C:\Windows\system32\bda.exe 852 "C:\Windows\SysWOW64\rpz.exe"
        83⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\oqr.exe
        
        C:\Windows\system32\oqr.exe 856 "C:\Windows\SysWOW64\bda.exe"
        84⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\bgm.exe
        
        C:\Windows\system32\bgm.exe 860 "C:\Windows\SysWOW64\oqr.exe"
        85⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\lrb.exe
        
        C:\Windows\system32\lrb.exe 872 "C:\Windows\SysWOW64\bgm.exe"
        86⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\yli.exe
        
        C:\Windows\system32\yli.exe 864 "C:\Windows\SysWOW64\lrb.exe"
        87⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\lgz.exe
        
        C:\Windows\system32\lgz.exe 868 "C:\Windows\SysWOW64\yli.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\uma.exe
        
        C:\Windows\system32\uma.exe 876 "C:\Windows\SysWOW64\lgz.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\hzj.exe
        
        C:\Windows\system32\hzj.exe 880 "C:\Windows\SysWOW64\uma.exe"
        90⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\uym.exe
        
        C:\Windows\system32\uym.exe 884 "C:\Windows\SysWOW64\hzj.exe"
        91⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\emn.exe
        
        C:\Windows\system32\emn.exe 896 "C:\Windows\SysWOW64\uym.exe"
        92⤵
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\rch.exe
        
        C:\Windows\system32\rch.exe 888 "C:\Windows\SysWOW64\emn.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\etc.exe
        
        C:\Windows\system32\etc.exe 912 "C:\Windows\SysWOW64\rch.exe"
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\rvi.exe
        
        C:\Windows\system32\rvi.exe 892 "C:\Windows\SysWOW64\etc.exe"
        95⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\eia.exe
        
        C:\Windows\system32\eia.exe 904 "C:\Windows\SysWOW64\rvi.exe"
        96⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\nwb.exe
        
        C:\Windows\system32\nwb.exe 900 "C:\Windows\SysWOW64\eia.exe"
        97⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\amv.exe
        
        C:\Windows\system32\amv.exe 908 "C:\Windows\SysWOW64\nwb.exe"
        98⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\nlq.exe
        
        C:\Windows\system32\nlq.exe 916 "C:\Windows\SysWOW64\amv.exe"
        99⤵
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\abt.exe
        
        C:\Windows\system32\abt.exe 920 "C:\Windows\SysWOW64\nlq.exe"
        100⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\ndz.exe
        
        C:\Windows\system32\ndz.exe 924 "C:\Windows\SysWOW64\abt.exe"
        101⤵
        
        PID:832
        
        C:\Windows\SysWOW64\xgo.exe
        
        C:\Windows\system32\xgo.exe 928 "C:\Windows\SysWOW64\ndz.exe"
        102⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\nsp.exe
        
        C:\Windows\system32\nsp.exe 932 "C:\Windows\SysWOW64\xgo.exe"
        103⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\wyp.exe
        
        C:\Windows\system32\wyp.exe 936 "C:\Windows\SysWOW64\nsp.exe"
        104⤵
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\jth.exe
        
        C:\Windows\system32\jth.exe 940 "C:\Windows\SysWOW64\wyp.exe"
        105⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\wkc.exe
        
        C:\Windows\system32\wkc.exe 944 "C:\Windows\SysWOW64\jth.exe"
        106⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\gur.exe
        
        C:\Windows\system32\gur.exe 948 "C:\Windows\SysWOW64\wkc.exe"
        107⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\tlu.exe
        
        C:\Windows\system32\tlu.exe 952 "C:\Windows\SysWOW64\gur.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:1668
        
        C:\Windows\SysWOW64\doj.exe
        
        C:\Windows\system32\doj.exe 956 "C:\Windows\SysWOW64\tlu.exe"
        109⤵
        
        PID:900
        
        C:\Windows\SysWOW64\qme.exe
        
        C:\Windows\system32\qme.exe 960 "C:\Windows\SysWOW64\doj.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\ddh.exe
        
        C:\Windows\system32\ddh.exe 964 "C:\Windows\SysWOW64\qme.exe"
        111⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\pfn.exe
        
        C:\Windows\system32\pfn.exe 976 "C:\Windows\SysWOW64\ddh.exe"
        112⤵
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\zhc.exe
        
        C:\Windows\system32\zhc.exe 968 "C:\Windows\SysWOW64\pfn.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:800
        
        C:\Windows\SysWOW64\mgx.exe
        
        C:\Windows\system32\mgx.exe 972 "C:\Windows\SysWOW64\zhc.exe"
        114⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\zws.exe
        
        C:\Windows\system32\zws.exe 980 "C:\Windows\SysWOW64\mgx.exe"
        115⤵
        
        PID:344
        
        C:\Windows\SysWOW64\evv.exe
        
        C:\Windows\system32\evv.exe 984 "C:\Windows\SysWOW64\zws.exe"
        116⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\rlp.exe
        
        C:\Windows\system32\rlp.exe 996 "C:\Windows\SysWOW64\evv.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\bzq.exe
        
        C:\Windows\system32\bzq.exe 988 "C:\Windows\SysWOW64\rlp.exe"
        118⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\oql.exe
        
        C:\Windows\system32\oql.exe 992 "C:\Windows\SysWOW64\bzq.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\boo.exe
        
        C:\Windows\system32\boo.exe 1004 "C:\Windows\SysWOW64\oql.exe"
        120⤵
        
        PID:992
        
        C:\Windows\SysWOW64\niu.exe
        
        C:\Windows\system32\niu.exe 1000 "C:\Windows\SysWOW64\boo.exe"
        121⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\avd.exe
        
        C:\Windows\system32\avd.exe 1008 "C:\Windows\SysWOW64\niu.exe"
        122⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\kje.exe
        
        C:\Windows\system32\kje.exe 1012 "C:\Windows\SysWOW64\avd.exe"
        123⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\xih.exe
        
        C:\Windows\system32\xih.exe 1016 "C:\Windows\SysWOW64\kje.exe"
        124⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\kyc.exe
        
        C:\Windows\system32\kyc.exe 1028 "C:\Windows\SysWOW64\xih.exe"
        125⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\xpw.exe
        
        C:\Windows\system32\xpw.exe 1020 "C:\Windows\SysWOW64\kyc.exe"
        126⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\knz.exe
        
        C:\Windows\system32\knz.exe 1032 "C:\Windows\SysWOW64\xpw.exe"
        127⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\wpf.exe
        
        C:\Windows\system32\wpf.exe 1036 "C:\Windows\SysWOW64\knz.exe"
        128⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\gsv.exe
        
        C:\Windows\system32\gsv.exe 1052 "C:\Windows\SysWOW64\wpf.exe"
        129⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\tfe.exe
        
        C:\Windows\system32\tfe.exe 1040 "C:\Windows\SysWOW64\gsv.exe"
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\ghk.exe
        
        C:\Windows\system32\ghk.exe 1044 "C:\Windows\SysWOW64\tfe.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\qji.exe
        
        C:\Windows\system32\qji.exe 1048 "C:\Windows\SysWOW64\ghk.exe"
        132⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\dic.exe
        
        C:\Windows\system32\dic.exe 1056 "C:\Windows\SysWOW64\qji.exe"
        133⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\qyx.exe
        
        C:\Windows\system32\qyx.exe 528 "C:\Windows\SysWOW64\dic.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cad.exe
        
        C:\Windows\system32\cad.exe 1068 "C:\Windows\SysWOW64\qyx.exe"
        135⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\mdt.exe
        
        C:\Windows\system32\mdt.exe 1080 "C:\Windows\SysWOW64\cad.exe"
        136⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\zbw.exe
        
        C:\Windows\system32\zbw.exe 1064 "C:\Windows\SysWOW64\mdt.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\msq.exe
        
        C:\Windows\system32\msq.exe 1072 "C:\Windows\SysWOW64\zbw.exe"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\zql.exe
        
        C:\Windows\system32\zql.exe 1076 "C:\Windows\SysWOW64\msq.exe"
        139⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\mho.exe
        
        C:\Windows\system32\mho.exe 1084 "C:\Windows\SysWOW64\zql.exe"
        140⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\wvp.exe
        
        C:\Windows\system32\wvp.exe 1096 "C:\Windows\SysWOW64\mho.exe"
        141⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\jiy.exe
        
        C:\Windows\system32\jiy.exe 1088 "C:\Windows\SysWOW64\wvp.exe"
        142⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\vke.exe
        
        C:\Windows\system32\vke.exe 1092 "C:\Windows\SysWOW64\jiy.exe"
        143⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\fnu.exe
        
        C:\Windows\system32\fnu.exe 1100 "C:\Windows\SysWOW64\vke.exe"
        144⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\sdw.exe
        
        C:\Windows\system32\sdw.exe 1104 "C:\Windows\SysWOW64\fnu.exe"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\fcr.exe
        
        C:\Windows\system32\fcr.exe 1108 "C:\Windows\SysWOW64\sdw.exe"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\sex.exe
        
        C:\Windows\system32\sex.exe 1112 "C:\Windows\SysWOW64\fcr.exe"
        147⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\frp.exe
        
        C:\Windows\system32\frp.exe 1136 "C:\Windows\SysWOW64\sex.exe"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\pxp.exe
        
        C:\Windows\system32\pxp.exe 1116 "C:\Windows\SysWOW64\frp.exe"
        149⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2840
        
        C:\Windows\SysWOW64\cvk.exe
        
        C:\Windows\system32\cvk.exe 1120 "C:\Windows\SysWOW64\pxp.exe"
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\omf.exe
        
        C:\Windows\system32\omf.exe 1128 "C:\Windows\SysWOW64\cvk.exe"
        151⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\bki.exe
        
        C:\Windows\system32\bki.exe 1124 "C:\Windows\SysWOW64\omf.exe"
        152⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\oeo.exe
        
        C:\Windows\system32\oeo.exe 1132 "C:\Windows\SysWOW64\bki.exe"
        153⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\ypd.exe
        
        C:\Windows\system32\ypd.exe 1140 "C:\Windows\SysWOW64\oeo.exe"
        154⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\lfy.exe
        
        C:\Windows\system32\lfy.exe 1144 "C:\Windows\SysWOW64\ypd.exe"
        155⤵
        
        PID:408
        
        C:\Windows\SysWOW64\yet.exe
        
        C:\Windows\system32\yet.exe 1148 "C:\Windows\SysWOW64\lfy.exe"
        156⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\luw.exe
        
        C:\Windows\system32\luw.exe 1152 "C:\Windows\SysWOW64\yet.exe"
        157⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\Windows\SysWOW64\ylr.exe
        
        C:\Windows\system32\ylr.exe 1168 "C:\Windows\SysWOW64\luw.exe"
        158⤵
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\hzr.exe
        
        C:\Windows\system32\hzr.exe 1156 "C:\Windows\SysWOW64\ylr.exe"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\uxm.exe
        
        C:\Windows\system32\uxm.exe 1176 "C:\Windows\SysWOW64\hzr.exe"
        160⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\hop.exe
        
        C:\Windows\system32\hop.exe 1160 "C:\Windows\SysWOW64\uxm.exe"
        161⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\uek.exe
        
        C:\Windows\system32\uek.exe 1164 "C:\Windows\SysWOW64\hop.exe"
        162⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\hde.exe
        
        C:\Windows\system32\hde.exe 1172 "C:\Windows\SysWOW64\uek.exe"
        163⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\uth.exe
        
        C:\Windows\system32\uth.exe 1180 "C:\Windows\SysWOW64\hde.exe"
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\vhi.exe
        
        C:\Windows\system32\vhi.exe 1184 "C:\Windows\SysWOW64\uth.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\iyd.exe
        
        C:\Windows\system32\iyd.exe 1200 "C:\Windows\SysWOW64\vhi.exe"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\vaj.exe
        
        C:\Windows\system32\vaj.exe 1188 "C:\Windows\SysWOW64\iyd.exe"
        167⤵
        
        PID:380
        
        C:\Windows\SysWOW64\iyd.exe
        
        C:\Windows\system32\iyd.exe 1192 "C:\Windows\SysWOW64\vaj.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\jib.exe
        
        C:\Windows\system32\jib.exe 1204 "C:\Windows\SysWOW64\iyd.exe"
        169⤵
        
        PID:348
        
        C:\Windows\SysWOW64\xdt.exe
        
        C:\Windows\system32\xdt.exe 1212 "C:\Windows\SysWOW64\jib.exe"
        170⤵
        Drops file in System32 directory
        
        PID:2308
        
        C:\Windows\SysWOW64\gfi.exe
        
        C:\Windows\system32\gfi.exe 1196 "C:\Windows\SysWOW64\xdt.exe"
        171⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\tho.exe
        
        C:\Windows\system32\tho.exe 1208 "C:\Windows\SysWOW64\gfi.exe"
        172⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\gyj.exe
        
        C:\Windows\system32\gyj.exe 1216 "C:\Windows\SysWOW64\tho.exe"
        173⤵
        
        PID:880
        
        C:\Windows\SysWOW64\qiz.exe
        
        C:\Windows\system32\qiz.exe 1220 "C:\Windows\SysWOW64\gyj.exe"
        174⤵
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\dzb.exe
        
        C:\Windows\system32\dzb.exe 1228 "C:\Windows\SysWOW64\qiz.exe"
        175⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\qpw.exe
        
        C:\Windows\system32\qpw.exe 1224 "C:\Windows\SysWOW64\dzb.exe"
        176⤵
        Drops file in System32 directory
        
        PID:544
        
        C:\Windows\SysWOW64\awi.exe
        
        C:\Windows\system32\awi.exe 1256 "C:\Windows\SysWOW64\qpw.exe"
        177⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\nnd.exe
        
        C:\Windows\system32\nnd.exe 1232 "C:\Windows\SysWOW64\awi.exe"
        178⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\aly.exe
        
        C:\Windows\system32\aly.exe 1260 "C:\Windows\SysWOW64\nnd.exe"
        179⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\jrz.exe
        
        C:\Windows\system32\jrz.exe 1244 "C:\Windows\SysWOW64\aly.exe"
        180⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\wqt.exe
        
        C:\Windows\system32\wqt.exe 1236 "C:\Windows\SysWOW64\jrz.exe"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\jgw.exe
        
        C:\Windows\system32\jgw.exe 1268 "C:\Windows\SysWOW64\wqt.exe"
        182⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\wfr.exe
        
        C:\Windows\system32\wfr.exe 1240 "C:\Windows\SysWOW64\jgw.exe"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\jvm.exe
        
        C:\Windows\system32\jvm.exe 1272 "C:\Windows\SysWOW64\wfr.exe"
        184⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\tkm.exe
        
        C:\Windows\system32\tkm.exe 1264 "C:\Windows\SysWOW64\jvm.exe"
        185⤵
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\gap.exe
        
        C:\Windows\system32\gap.exe 1252 "C:\Windows\SysWOW64\tkm.exe"
        186⤵
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\srk.exe
        
        C:\Windows\system32\srk.exe 1276 "C:\Windows\SysWOW64\gap.exe"
        187⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\fpf.exe
        
        C:\Windows\system32\fpf.exe 1292 "C:\Windows\SysWOW64\srk.exe"
        188⤵
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\sgi.exe
        
        C:\Windows\system32\sgi.exe 1248 "C:\Windows\SysWOW64\fpf.exe"
        189⤵
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\uui.exe
        
        C:\Windows\system32\uui.exe 1280 "C:\Windows\SysWOW64\sgi.exe"
        190⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\hkd.exe
        
        C:\Windows\system32\hkd.exe 1284 "C:\Windows\SysWOW64\uui.exe"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\ujy.exe
        
        C:\Windows\system32\ujy.exe 1288 "C:\Windows\SysWOW64\hkd.exe"
        192⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\gle.exe
        
        C:\Windows\system32\gle.exe 1296 "C:\Windows\SysWOW64\ujy.exe"
        193⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\uyw.exe
        
        C:\Windows\system32\uyw.exe 1060 "C:\Windows\SysWOW64\gle.exe"
        194⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\gsc.exe
        
        C:\Windows\system32\gsc.exe 1304 "C:\Windows\SysWOW64\uyw.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\qcr.exe
        
        C:\Windows\system32\qcr.exe 1312 "C:\Windows\SysWOW64\gsc.exe"
        196⤵
        Drops file in System32 directory
        
        PID:1896
        
        C:\Windows\SysWOW64\dtm.exe
        
        C:\Windows\system32\dtm.exe 1308 "C:\Windows\SysWOW64\qcr.exe"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\qrp.exe
        
        C:\Windows\system32\qrp.exe 1320 "C:\Windows\SysWOW64\dtm.exe"
        198⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\dij.exe
        
        C:\Windows\system32\dij.exe 1324 "C:\Windows\SysWOW64\qrp.exe"
        199⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\nsz.exe
        
        C:\Windows\system32\nsz.exe 1332 "C:\Windows\SysWOW64\dij.exe"
        200⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\ajc.exe
        
        C:\Windows\system32\ajc.exe 1328 "C:\Windows\SysWOW64\nsz.exe"
        201⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\klr.exe
        
        C:\Windows\system32\klr.exe 1316 "C:\Windows\SysWOW64\ajc.exe"
        202⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\xgb.exe
        
        C:\Windows\system32\xgb.exe 1336 "C:\Windows\SysWOW64\klr.exe"
        203⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\gmb.exe
        
        C:\Windows\system32\gmb.exe 1340 "C:\Windows\SysWOW64\xgb.exe"
        204⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\tlw.exe
        
        C:\Windows\system32\tlw.exe 1344 "C:\Windows\SysWOW64\gmb.exe"
        205⤵
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\gbz.exe
        
        C:\Windows\system32\gbz.exe 1356 "C:\Windows\SysWOW64\tlw.exe"
        206⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\tau.exe
        
        C:\Windows\system32\tau.exe 1352 "C:\Windows\SysWOW64\gbz.exe"
        207⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\gqo.exe
        
        C:\Windows\system32\gqo.exe 1360 "C:\Windows\SysWOW64\tau.exe"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:1196
        
        C:\Windows\SysWOW64\tsc.exe
        
        C:\Windows\system32\tsc.exe 1348 "C:\Windows\SysWOW64\gqo.exe"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\dvs.exe
        
        C:\Windows\system32\dvs.exe 1364 "C:\Windows\SysWOW64\tsc.exe"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\qtn.exe
        
        C:\Windows\system32\qtn.exe 1368 "C:\Windows\SysWOW64\dvs.exe"
        211⤵
        Drops file in System32 directory
        
        PID:2412
        
        C:\Windows\SysWOW64\zwc.exe
        
        C:\Windows\system32\zwc.exe 1376 "C:\Windows\SysWOW64\qtn.exe"
        212⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\mvx.exe
        
        C:\Windows\system32\mvx.exe 1380 "C:\Windows\SysWOW64\zwc.exe"
        213⤵
        Drops file in System32 directory
        
        PID:584
        
        C:\Windows\SysWOW64\zio.exe
        
        C:\Windows\system32\zio.exe 1372 "C:\Windows\SysWOW64\mvx.exe"
        214⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\jke.exe
        
        C:\Windows\system32\jke.exe 1388 "C:\Windows\SysWOW64\zio.exe"
        215⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\tvt.exe
        
        C:\Windows\system32\tvt.exe 1384 "C:\Windows\SysWOW64\jke.exe"
        216⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\glw.exe
        
        C:\Windows\system32\glw.exe 1396 "C:\Windows\SysWOW64\tvt.exe"
        217⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\tyg.exe
        
        C:\Windows\system32\tyg.exe 1412 "C:\Windows\SysWOW64\glw.exe"
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Windows\SysWOW64\djv.exe
        
        C:\Windows\system32\djv.exe 1400 "C:\Windows\SysWOW64\tyg.exe"
        219⤵
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\qzy.exe
        
        C:\Windows\system32\qzy.exe 1408 "C:\Windows\SysWOW64\djv.exe"
        220⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\dyt.exe
        
        C:\Windows\system32\dyt.exe 1404 "C:\Windows\SysWOW64\qzy.exe"
        221⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\net.exe
        
        C:\Windows\system32\net.exe 1416 "C:\Windows\SysWOW64\dyt.exe"
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 1416 "C:\Windows\SysWOW64\dyt.exe"
        223⤵
        
        PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ciu.exe

Filesize
377KB

MD5
e5d0650411b0b4c0e5989d62895a35af

SHA1
0307a3a8827743c27079b3db4abb541126564cd9

SHA256
eb168aaf39c4926770e387f1b34bda57823b6afe7a26779856bf9391573b2a37

SHA512
10666e2fc8739c7fc6e1d0e6b6ddf63780f8ce823d946f1d8727a126c8741fec676a233c6f12aaef2bfec64260f6aeb92418640ac924a39a1f7579bbe749dadd

Download Submit