metasploit | 09a86ae227898e5193ff0b6ce5b69a264ae172018b84bda1f7f2b7f178c1d080

Analysis

max time kernel
150s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 00:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe
Size

105KB
MD5

f176a160ef615d6a7b2fd43bd4394107
SHA1

41c25402f03189d08f6a38c3036ee77addc59e02
SHA256

09a86ae227898e5193ff0b6ce5b69a264ae172018b84bda1f7f2b7f178c1d080
SHA512

b957795258af71352dfb2cc32e92723266b367d7b2023de8b6914ad9285695a8666ffb79e2f2d2dcedc780253e332ce3f4bfb14ec578490910a3e8a8e0210dc5
SSDEEP

3072:Mb6aHPq9QsKUBK0GaO4s6/pyu17Ys56zdD8:eaQsKYKLaRs6/Qs0e

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/fnstenv_mov

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
2876	msnnbtg.exe
3020	yiqqjbl.exe
2776	vnlqiiw.exe
2824	ptcllgl.exe
2180	hepltdl.exe
588	szivaym.exe
3064	ujhlsuu.exe
1444	rodlzjn.exe
1468	qgedtwx.exe
2464	vtxdmgb.exe
2288	supqijn.exe
560	xsmgwkm.exe
1668	rfrteqh.exe
524	jyalydr.exe
1088	yrxyirt.exe
2000	jjmenhv.exe
1168	ndumlzg.exe
1524	ynkjqph.exe
2988	iuohbop.exe
2204	pfvmyix.exe
972	xkfzpta.exe
2804	hmujcwo.exe
2768	uzezian.exe
2728	ezrpvlf.exe
2812	qtxegyj.exe
2192	qxjcdps.exe
2024	cnmelxx.exe
1972	qavurtw.exe
692	ucluqlo.exe
1536	ebqzakw.exe
2292	jgjhuma.exe
2252	mmpkjlc.exe
1992	bjxkvel.exe
704	gtgfmbr.exe
1836	syxhasc.exe
1572	velsqjd.exe
112	kyifzxf.exe
2036	rjhkoro.exe
1852	utyagnv.exe
2412	eozswie.exe
1156	ozodjll.exe
2652	rfdfzcm.exe
2840	bfhljbt.exe
1376	axivlwd.exe
2888	pxbiasl.exe
2752	zffflrt.exe
388	mviitry.exe
1736	oillosf.exe
3028	hqnytlg.exe
1172	ojmdimp.exe
2296	enmymrl.exe
2848	dztdjlc.exe
2308	iibyara.exe
2564	nnuglam.exe
2524	cjugxtw.exe
2520	fbudqpv.exe
1844	hlltild.exe
1540	ppwgzwo.exe
2160	wbulopw.exe
792	gayjhoe.exe
1052	lnsrayj.exe
2440	aulrzhm.exe
2676	navtvyx.exe
1240	xwwedty.exe

Loads dropped DLL 64 IoCs

pid	Process
2936	f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe
2936	f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe
2876	msnnbtg.exe
2876	msnnbtg.exe
3020	yiqqjbl.exe
3020	yiqqjbl.exe
2776	vnlqiiw.exe
2776	vnlqiiw.exe
2824	ptcllgl.exe
2824	ptcllgl.exe
2180	hepltdl.exe
2180	hepltdl.exe
588	szivaym.exe
588	szivaym.exe
3064	ujhlsuu.exe
3064	ujhlsuu.exe
1444	rodlzjn.exe
1444	rodlzjn.exe
1468	qgedtwx.exe
1468	qgedtwx.exe
2464	vtxdmgb.exe
2464	vtxdmgb.exe
2288	supqijn.exe
2288	supqijn.exe
560	xsmgwkm.exe
560	xsmgwkm.exe
1668	rfrteqh.exe
1668	rfrteqh.exe
524	jyalydr.exe
524	jyalydr.exe
1088	yrxyirt.exe
1088	yrxyirt.exe
2000	jjmenhv.exe
2000	jjmenhv.exe
1168	ndumlzg.exe
1168	ndumlzg.exe
1524	ynkjqph.exe
1524	ynkjqph.exe
2988	iuohbop.exe
2988	iuohbop.exe
2204	pfvmyix.exe
2204	pfvmyix.exe
972	xkfzpta.exe
972	xkfzpta.exe
2804	hmujcwo.exe
2804	hmujcwo.exe
2768	uzezian.exe
2768	uzezian.exe
2728	ezrpvlf.exe
2728	ezrpvlf.exe
2812	qtxegyj.exe
2812	qtxegyj.exe
2192	qxjcdps.exe
2192	qxjcdps.exe
2024	cnmelxx.exe
2024	cnmelxx.exe
1972	qavurtw.exe
1972	qavurtw.exe
692	ucluqlo.exe
692	ucluqlo.exe
1536	ebqzakw.exe
1536	ebqzakw.exe
2292	jgjhuma.exe
2292	jgjhuma.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nvrxlzj.exe	dscnywv.exe
File created	C:\Windows\SysWOW64\yzdgdiy.exe	lbiduab.exe
File created	C:\Windows\SysWOW64\kqfrzfb.exe	aqttohb.exe
File opened for modification	C:\Windows\SysWOW64\hdjxcvc.exe	xexzkwc.exe
File created	C:\Windows\SysWOW64\lmazesn.exe	byzboti.exe
File opened for modification	C:\Windows\SysWOW64\xykprtm.exe	qqppxvd.exe
File opened for modification	C:\Windows\SysWOW64\mmpkjlc.exe	jgjhuma.exe
File created	C:\Windows\SysWOW64\gayjhoe.exe	wbulopw.exe
File opened for modification	C:\Windows\SysWOW64\clzsobq.exe	sbjibyk.exe
File created	C:\Windows\SysWOW64\dxxxjth.exe	qhdutlj.exe
File opened for modification	C:\Windows\SysWOW64\qteobhw.exe	jayjenf.exe
File created	C:\Windows\SysWOW64\iuohbop.exe	ynkjqph.exe
File created	C:\Windows\SysWOW64\wuugnzd.exe	jzkqhvw.exe
File opened for modification	C:\Windows\SysWOW64\btmamfa.exe	rnlcwyn.exe
File opened for modification	C:\Windows\SysWOW64\sedpgzq.exe	lwpouko.exe
File opened for modification	C:\Windows\SysWOW64\rczrgyz.exe	emeoqqb.exe
File created	C:\Windows\SysWOW64\sgumdgh.exe	ihioliz.exe
File opened for modification	C:\Windows\SysWOW64\xwwedty.exe	navtvyx.exe
File created	C:\Windows\SysWOW64\abhttgm.exe	pfgjlld.exe
File created	C:\Windows\SysWOW64\byzboti.exe	rczrgyz.exe
File created	C:\Windows\SysWOW64\mvmcaoh.exe	cvifpph.exe
File opened for modification	C:\Windows\SysWOW64\ppwgzwo.exe	hlltild.exe
File created	C:\Windows\SysWOW64\btddqjp.exe	rjotdoj.exe
File created	C:\Windows\SysWOW64\buzvign.exe	inwqdom.exe
File created	C:\Windows\SysWOW64\flvqevz.exe	buzvign.exe
File created	C:\Windows\SysWOW64\zwkidds.exe	mjbtxhl.exe
File opened for modification	C:\Windows\SysWOW64\dibawim.exe	tymqbfg.exe
File opened for modification	C:\Windows\SysWOW64\wazxqwi.exe	mbvafyb.exe
File created	C:\Windows\SysWOW64\lnsrayj.exe	gayjhoe.exe
File created	C:\Windows\SysWOW64\hamvmnx.exe	sstnfeu.exe
File created	C:\Windows\SysWOW64\pwfdicl.exe	ftqtvzf.exe
File created	C:\Windows\SysWOW64\ghucmcp.exe	wwfarzj.exe
File opened for modification	C:\Windows\SysWOW64\pkrvnub.exe	eoqkxaa.exe
File created	C:\Windows\SysWOW64\ohynulz.exe	hwaixrj.exe
File opened for modification	C:\Windows\SysWOW64\cwudnxv.exe	vlvyqdf.exe
File created	C:\Windows\SysWOW64\rxpoiol.exe	hmadvlf.exe
File opened for modification	C:\Windows\SysWOW64\nyhjrpc.exe	drclgqu.exe
File created	C:\Windows\SysWOW64\iltwtuf.exe	vfkbfdu.exe
File opened for modification	C:\Windows\SysWOW64\sguojof.exe	iltwtuf.exe
File opened for modification	C:\Windows\SysWOW64\nltiumy.exe	daeyhjk.exe
File created	C:\Windows\SysWOW64\pjlttbu.exe	cwudnxv.exe
File created	C:\Windows\SysWOW64\aetwzut.exe	mrkgtqu.exe
File opened for modification	C:\Windows\SysWOW64\gdkmdgc.exe	rnzexxy.exe
File opened for modification	C:\Windows\SysWOW64\ytybnho.exe	oqiqaei.exe
File created	C:\Windows\SysWOW64\ykckupg.exe	odymjqg.exe
File created	C:\Windows\SysWOW64\atkleym.exe	qykboel.exe
File opened for modification	C:\Windows\SysWOW64\fgcltne.exe	vvmbgjp.exe
File created	C:\Windows\SysWOW64\jkxrzcm.exe	zlttpdf.exe
File opened for modification	C:\Windows\SysWOW64\sgumdgh.exe	ihioliz.exe
File created	C:\Windows\SysWOW64\qclplgk.exe	edqmcyf.exe
File created	C:\Windows\SysWOW64\ealtgxh.exe	ubzvwza.exe
File opened for modification	C:\Windows\SysWOW64\aeflfjm.exe	qtqakgf.exe
File opened for modification	C:\Windows\SysWOW64\orxdpaz.exe	dklxfbr.exe
File opened for modification	C:\Windows\SysWOW64\lxljqus.exe	byzmfvt.exe
File opened for modification	C:\Windows\SysWOW64\tgqabmc.exe	jhecqnu.exe
File opened for modification	C:\Windows\SysWOW64\wkzchaa.exe	jtezysu.exe
File created	C:\Windows\SysWOW64\stpxsmv.exe	ixomcru.exe
File created	C:\Windows\SysWOW64\nebtrsr.exe	zrsdlpl.exe
File created	C:\Windows\SysWOW64\vhrkjby.exe	iuzudyz.exe
File created	C:\Windows\SysWOW64\rcitbbr.exe	hdwwrck.exe
File opened for modification	C:\Windows\SysWOW64\ogujofx.exe	atktiby.exe
File opened for modification	C:\Windows\SysWOW64\cyubxzy.exe	snfqkws.exe
File created	C:\Windows\SysWOW64\tyiuwlx.exe	igtosvv.exe
File opened for modification	C:\Windows\SysWOW64\ncsnniu.exe	iqzfuyp.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	syxhasc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pgttmux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	htjaksl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	metzgwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tzmothi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xqlhyia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtgfmbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qclplgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhvxint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lnojrbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oillosf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dyyfmdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtxdmgb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebqzakw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khmofnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdjfpoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qalfccx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fgcltne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psxmqtx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	veqerjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohynulz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sucbdqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lzuiikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfgjlld.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hmpwtkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bcwgkbt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dgylech.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tlfsrho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frqzqna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sguojof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mvtnukb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nojraak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bamxvdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ncbcfqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	szivaym.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exlvfuc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ompdoye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wwfarzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	khvvtea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vsqbhmw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmtoulm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	phezzkt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tajegfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kjupyqx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jbalgqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hohfezn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdntutj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yntklkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nlwfiba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uihclhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rnlcwyn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxbuhac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kgmfgtp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afayqac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rsrtkgw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lnsrayj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiujxnv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xgrdewy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pvajzms.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iloadtg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xwleeuv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klhiaso.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujsapiw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yakndlf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2876	2936	f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2876	2936	f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2876	2936	f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2876	2936	f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe	30
PID 2876 wrote to memory of 3020	2876	msnnbtg.exe	31
PID 2876 wrote to memory of 3020	2876	msnnbtg.exe	31
PID 2876 wrote to memory of 3020	2876	msnnbtg.exe	31
PID 2876 wrote to memory of 3020	2876	msnnbtg.exe	31
PID 3020 wrote to memory of 2776	3020	yiqqjbl.exe	32
PID 3020 wrote to memory of 2776	3020	yiqqjbl.exe	32
PID 3020 wrote to memory of 2776	3020	yiqqjbl.exe	32
PID 3020 wrote to memory of 2776	3020	yiqqjbl.exe	32
PID 2776 wrote to memory of 2824	2776	vnlqiiw.exe	33
PID 2776 wrote to memory of 2824	2776	vnlqiiw.exe	33
PID 2776 wrote to memory of 2824	2776	vnlqiiw.exe	33
PID 2776 wrote to memory of 2824	2776	vnlqiiw.exe	33
PID 2824 wrote to memory of 2180	2824	ptcllgl.exe	34
PID 2824 wrote to memory of 2180	2824	ptcllgl.exe	34
PID 2824 wrote to memory of 2180	2824	ptcllgl.exe	34
PID 2824 wrote to memory of 2180	2824	ptcllgl.exe	34
PID 2180 wrote to memory of 588	2180	hepltdl.exe	35
PID 2180 wrote to memory of 588	2180	hepltdl.exe	35
PID 2180 wrote to memory of 588	2180	hepltdl.exe	35
PID 2180 wrote to memory of 588	2180	hepltdl.exe	35
PID 588 wrote to memory of 3064	588	szivaym.exe	36
PID 588 wrote to memory of 3064	588	szivaym.exe	36
PID 588 wrote to memory of 3064	588	szivaym.exe	36
PID 588 wrote to memory of 3064	588	szivaym.exe	36
PID 3064 wrote to memory of 1444	3064	ujhlsuu.exe	37
PID 3064 wrote to memory of 1444	3064	ujhlsuu.exe	37
PID 3064 wrote to memory of 1444	3064	ujhlsuu.exe	37
PID 3064 wrote to memory of 1444	3064	ujhlsuu.exe	37
PID 1444 wrote to memory of 1468	1444	rodlzjn.exe	38
PID 1444 wrote to memory of 1468	1444	rodlzjn.exe	38
PID 1444 wrote to memory of 1468	1444	rodlzjn.exe	38
PID 1444 wrote to memory of 1468	1444	rodlzjn.exe	38
PID 1468 wrote to memory of 2464	1468	qgedtwx.exe	39
PID 1468 wrote to memory of 2464	1468	qgedtwx.exe	39
PID 1468 wrote to memory of 2464	1468	qgedtwx.exe	39
PID 1468 wrote to memory of 2464	1468	qgedtwx.exe	39
PID 2464 wrote to memory of 2288	2464	vtxdmgb.exe	40
PID 2464 wrote to memory of 2288	2464	vtxdmgb.exe	40
PID 2464 wrote to memory of 2288	2464	vtxdmgb.exe	40
PID 2464 wrote to memory of 2288	2464	vtxdmgb.exe	40
PID 2288 wrote to memory of 560	2288	supqijn.exe	41
PID 2288 wrote to memory of 560	2288	supqijn.exe	41
PID 2288 wrote to memory of 560	2288	supqijn.exe	41
PID 2288 wrote to memory of 560	2288	supqijn.exe	41
PID 560 wrote to memory of 1668	560	xsmgwkm.exe	42
PID 560 wrote to memory of 1668	560	xsmgwkm.exe	42
PID 560 wrote to memory of 1668	560	xsmgwkm.exe	42
PID 560 wrote to memory of 1668	560	xsmgwkm.exe	42
PID 1668 wrote to memory of 524	1668	rfrteqh.exe	43
PID 1668 wrote to memory of 524	1668	rfrteqh.exe	43
PID 1668 wrote to memory of 524	1668	rfrteqh.exe	43
PID 1668 wrote to memory of 524	1668	rfrteqh.exe	43
PID 524 wrote to memory of 1088	524	jyalydr.exe	44
PID 524 wrote to memory of 1088	524	jyalydr.exe	44
PID 524 wrote to memory of 1088	524	jyalydr.exe	44
PID 524 wrote to memory of 1088	524	jyalydr.exe	44
PID 1088 wrote to memory of 2000	1088	yrxyirt.exe	45
PID 1088 wrote to memory of 2000	1088	yrxyirt.exe	45
PID 1088 wrote to memory of 2000	1088	yrxyirt.exe	45
PID 1088 wrote to memory of 2000	1088	yrxyirt.exe	45

C:\Users\Admin\AppData\Local\Temp\f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\msnnbtg.exe
  C:\Windows\system32\msnnbtg.exe 460 "C:\Users\Admin\AppData\Local\Temp\f176a160ef615d6a7b2fd43bd4394107_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\yiqqjbl.exe
    C:\Windows\system32\yiqqjbl.exe 432 "C:\Windows\SysWOW64\msnnbtg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\vnlqiiw.exe
      C:\Windows\system32\vnlqiiw.exe 516 "C:\Windows\SysWOW64\yiqqjbl.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2776
    - - C:\Windows\SysWOW64\ptcllgl.exe
        
        C:\Windows\system32\ptcllgl.exe 436 "C:\Windows\SysWOW64\vnlqiiw.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\SysWOW64\hepltdl.exe
        
        C:\Windows\system32\hepltdl.exe 524 "C:\Windows\SysWOW64\ptcllgl.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\SysWOW64\szivaym.exe
        
        C:\Windows\system32\szivaym.exe 440 "C:\Windows\SysWOW64\hepltdl.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\ujhlsuu.exe
        
        C:\Windows\system32\ujhlsuu.exe 532 "C:\Windows\SysWOW64\szivaym.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\rodlzjn.exe
        
        C:\Windows\system32\rodlzjn.exe 444 "C:\Windows\SysWOW64\ujhlsuu.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\qgedtwx.exe
        
        C:\Windows\system32\qgedtwx.exe 540 "C:\Windows\SysWOW64\rodlzjn.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\vtxdmgb.exe
        
        C:\Windows\system32\vtxdmgb.exe 448 "C:\Windows\SysWOW64\qgedtwx.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\supqijn.exe
        
        C:\Windows\system32\supqijn.exe 500 "C:\Windows\SysWOW64\vtxdmgb.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\xsmgwkm.exe
        
        C:\Windows\system32\xsmgwkm.exe 492 "C:\Windows\SysWOW64\supqijn.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\SysWOW64\rfrteqh.exe
        
        C:\Windows\system32\rfrteqh.exe 560 "C:\Windows\SysWOW64\xsmgwkm.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\jyalydr.exe
        
        C:\Windows\system32\jyalydr.exe 452 "C:\Windows\SysWOW64\rfrteqh.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:524
        
        C:\Windows\SysWOW64\yrxyirt.exe
        
        C:\Windows\system32\yrxyirt.exe 484 "C:\Windows\SysWOW64\jyalydr.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\jjmenhv.exe
        
        C:\Windows\system32\jjmenhv.exe 568 "C:\Windows\SysWOW64\yrxyirt.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2000
        
        C:\Windows\SysWOW64\ndumlzg.exe
        
        C:\Windows\system32\ndumlzg.exe 520 "C:\Windows\SysWOW64\jjmenhv.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1168
        
        C:\Windows\SysWOW64\ynkjqph.exe
        
        C:\Windows\system32\ynkjqph.exe 576 "C:\Windows\SysWOW64\ndumlzg.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\iuohbop.exe
        
        C:\Windows\system32\iuohbop.exe 580 "C:\Windows\SysWOW64\ynkjqph.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2988
        
        C:\Windows\SysWOW64\pfvmyix.exe
        
        C:\Windows\system32\pfvmyix.exe 456 "C:\Windows\SysWOW64\iuohbop.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2204
        
        C:\Windows\SysWOW64\xkfzpta.exe
        
        C:\Windows\system32\xkfzpta.exe 592 "C:\Windows\SysWOW64\pfvmyix.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:972
        
        C:\Windows\SysWOW64\hmujcwo.exe
        
        C:\Windows\system32\hmujcwo.exe 588 "C:\Windows\SysWOW64\xkfzpta.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2804
        
        C:\Windows\SysWOW64\uzezian.exe
        
        C:\Windows\system32\uzezian.exe 596 "C:\Windows\SysWOW64\hmujcwo.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2768
        
        C:\Windows\SysWOW64\ezrpvlf.exe
        
        C:\Windows\system32\ezrpvlf.exe 468 "C:\Windows\SysWOW64\uzezian.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2728
        
        C:\Windows\SysWOW64\qtxegyj.exe
        
        C:\Windows\system32\qtxegyj.exe 604 "C:\Windows\SysWOW64\ezrpvlf.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2812
        
        C:\Windows\SysWOW64\qxjcdps.exe
        
        C:\Windows\system32\qxjcdps.exe 488 "C:\Windows\SysWOW64\qtxegyj.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2192
        
        C:\Windows\SysWOW64\cnmelxx.exe
        
        C:\Windows\system32\cnmelxx.exe 612 "C:\Windows\SysWOW64\qxjcdps.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2024
        
        C:\Windows\SysWOW64\qavurtw.exe
        
        C:\Windows\system32\qavurtw.exe 616 "C:\Windows\SysWOW64\cnmelxx.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1972
        
        C:\Windows\SysWOW64\ucluqlo.exe
        
        C:\Windows\system32\ucluqlo.exe 620 "C:\Windows\SysWOW64\qavurtw.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:692
        
        C:\Windows\SysWOW64\ebqzakw.exe
        
        C:\Windows\system32\ebqzakw.exe 536 "C:\Windows\SysWOW64\ucluqlo.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Windows\SysWOW64\jgjhuma.exe
        
        C:\Windows\system32\jgjhuma.exe 628 "C:\Windows\SysWOW64\ebqzakw.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\mmpkjlc.exe
        
        C:\Windows\system32\mmpkjlc.exe 480 "C:\Windows\SysWOW64\jgjhuma.exe"
        33⤵
        Executes dropped EXE
        
        PID:2252
        
        C:\Windows\SysWOW64\bjxkvel.exe
        
        C:\Windows\system32\bjxkvel.exe 636 "C:\Windows\SysWOW64\mmpkjlc.exe"
        34⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\gtgfmbr.exe
        
        C:\Windows\system32\gtgfmbr.exe 476 "C:\Windows\SysWOW64\bjxkvel.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\syxhasc.exe
        
        C:\Windows\system32\syxhasc.exe 644 "C:\Windows\SysWOW64\gtgfmbr.exe"
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1836
        
        C:\Windows\SysWOW64\velsqjd.exe
        
        C:\Windows\system32\velsqjd.exe 556 "C:\Windows\SysWOW64\syxhasc.exe"
        37⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\SysWOW64\kyifzxf.exe
        
        C:\Windows\system32\kyifzxf.exe 652 "C:\Windows\SysWOW64\velsqjd.exe"
        38⤵
        Executes dropped EXE
        
        PID:112
        
        C:\Windows\SysWOW64\rjhkoro.exe
        
        C:\Windows\system32\rjhkoro.exe 464 "C:\Windows\SysWOW64\kyifzxf.exe"
        39⤵
        Executes dropped EXE
        
        PID:2036
        
        C:\Windows\SysWOW64\utyagnv.exe
        
        C:\Windows\system32\utyagnv.exe 660 "C:\Windows\SysWOW64\rjhkoro.exe"
        40⤵
        Executes dropped EXE
        
        PID:1852
        
        C:\Windows\SysWOW64\eozswie.exe
        
        C:\Windows\system32\eozswie.exe 648 "C:\Windows\SysWOW64\utyagnv.exe"
        41⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\ozodjll.exe
        
        C:\Windows\system32\ozodjll.exe 668 "C:\Windows\SysWOW64\eozswie.exe"
        42⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\rfdfzcm.exe
        
        C:\Windows\system32\rfdfzcm.exe 632 "C:\Windows\SysWOW64\ozodjll.exe"
        43⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\bfhljbt.exe
        
        C:\Windows\system32\bfhljbt.exe 676 "C:\Windows\SysWOW64\rfdfzcm.exe"
        44⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\axivlwd.exe
        
        C:\Windows\system32\axivlwd.exe 472 "C:\Windows\SysWOW64\bfhljbt.exe"
        45⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Windows\SysWOW64\pxbiasl.exe
        
        C:\Windows\system32\pxbiasl.exe 684 "C:\Windows\SysWOW64\axivlwd.exe"
        46⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Windows\SysWOW64\zffflrt.exe
        
        C:\Windows\system32\zffflrt.exe 688 "C:\Windows\SysWOW64\pxbiasl.exe"
        47⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Windows\SysWOW64\mviitry.exe
        
        C:\Windows\system32\mviitry.exe 692 "C:\Windows\SysWOW64\zffflrt.exe"
        48⤵
        Executes dropped EXE
        
        PID:388
        
        C:\Windows\SysWOW64\oillosf.exe
        
        C:\Windows\system32\oillosf.exe 496 "C:\Windows\SysWOW64\mviitry.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\hqnytlg.exe
        
        C:\Windows\system32\hqnytlg.exe 700 "C:\Windows\SysWOW64\oillosf.exe"
        50⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\ojmdimp.exe
        
        C:\Windows\system32\ojmdimp.exe 720 "C:\Windows\SysWOW64\hqnytlg.exe"
        51⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Windows\SysWOW64\enmymrl.exe
        
        C:\Windows\system32\enmymrl.exe 704 "C:\Windows\SysWOW64\ojmdimp.exe"
        52⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\dztdjlc.exe
        
        C:\Windows\system32\dztdjlc.exe 712 "C:\Windows\SysWOW64\enmymrl.exe"
        53⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\iibyara.exe
        
        C:\Windows\system32\iibyara.exe 708 "C:\Windows\SysWOW64\dztdjlc.exe"
        54⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\nnuglam.exe
        
        C:\Windows\system32\nnuglam.exe 716 "C:\Windows\SysWOW64\iibyara.exe"
        55⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\cjugxtw.exe
        
        C:\Windows\system32\cjugxtw.exe 728 "C:\Windows\SysWOW64\nnuglam.exe"
        56⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\fbudqpv.exe
        
        C:\Windows\system32\fbudqpv.exe 508 "C:\Windows\SysWOW64\cjugxtw.exe"
        57⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\hlltild.exe
        
        C:\Windows\system32\hlltild.exe 736 "C:\Windows\SysWOW64\fbudqpv.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\ppwgzwo.exe
        
        C:\Windows\system32\ppwgzwo.exe 584 "C:\Windows\SysWOW64\hlltild.exe"
        59⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Windows\SysWOW64\wbulopw.exe
        
        C:\Windows\system32\wbulopw.exe 744 "C:\Windows\SysWOW64\ppwgzwo.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\gayjhoe.exe
        
        C:\Windows\system32\gayjhoe.exe 756 "C:\Windows\SysWOW64\wbulopw.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:792
        
        C:\Windows\SysWOW64\lnsrayj.exe
        
        C:\Windows\system32\lnsrayj.exe 740 "C:\Windows\SysWOW64\gayjhoe.exe"
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\aulrzhm.exe
        
        C:\Windows\system32\aulrzhm.exe 572 "C:\Windows\SysWOW64\lnsrayj.exe"
        63⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\navtvyx.exe
        
        C:\Windows\system32\navtvyx.exe 752 "C:\Windows\SysWOW64\aulrzhm.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\xwwedty.exe
        
        C:\Windows\system32\xwwedty.exe 760 "C:\Windows\SysWOW64\navtvyx.exe"
        65⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\hdibnsg.exe
        
        C:\Windows\system32\hdibnsg.exe 772 "C:\Windows\SysWOW64\xwwedty.exe"
        66⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\sybudmg.exe
        
        C:\Windows\system32\sybudmg.exe 776 "C:\Windows\SysWOW64\hdibnsg.exe"
        67⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cbqeqpn.exe
        
        C:\Windows\system32\cbqeqpn.exe 768 "C:\Windows\SysWOW64\sybudmg.exe"
        68⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\jfajzap.exe
        
        C:\Windows\system32\jfajzap.exe 748 "C:\Windows\SysWOW64\cbqeqpn.exe"
        69⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\whgztnc.exe
        
        C:\Windows\system32\whgztnc.exe 780 "C:\Windows\SysWOW64\jfajzap.exe"
        70⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\edqmcyf.exe
        
        C:\Windows\system32\edqmcyf.exe 784 "C:\Windows\SysWOW64\whgztnc.exe"
        71⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\qclplgk.exe
        
        C:\Windows\system32\qclplgk.exe 788 "C:\Windows\SysWOW64\edqmcyf.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\vsqbhmw.exe
        
        C:\Windows\system32\vsqbhmw.exe 792 "C:\Windows\SysWOW64\qclplgk.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\imwrsya.exe
        
        C:\Windows\system32\imwrsya.exe 796 "C:\Windows\SysWOW64\vsqbhmw.exe"
        74⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\pqgejkd.exe
        
        C:\Windows\system32\pqgejkd.exe 800 "C:\Windows\SysWOW64\imwrsya.exe"
        75⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\csmmvwh.exe
        
        C:\Windows\system32\csmmvwh.exe 804 "C:\Windows\SysWOW64\pqgejkd.exe"
        76⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\jaamplq.exe
        
        C:\Windows\system32\jaamplq.exe 808 "C:\Windows\SysWOW64\csmmvwh.exe"
        77⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\xnrcvpp.exe
        
        C:\Windows\system32\xnrcvpp.exe 812 "C:\Windows\SysWOW64\jaamplq.exe"
        78⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\hmvzfox.exe
        
        C:\Windows\system32\hmvzfox.exe 680 "C:\Windows\SysWOW64\xnrcvpp.exe"
        79⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\ourraeg.exe
        
        C:\Windows\system32\ourraeg.exe 820 "C:\Windows\SysWOW64\hmvzfox.exe"
        80⤵
        
        PID:900
        
        C:\Windows\SysWOW64\ypskhyh.exe
        
        C:\Windows\system32\ypskhyh.exe 828 "C:\Windows\SysWOW64\ourraeg.exe"
        81⤵
        
        PID:236
        
        C:\Windows\SysWOW64\idshxfu.exe
        
        C:\Windows\system32\idshxfu.exe 836 "C:\Windows\SysWOW64\ypskhyh.exe"
        82⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\tvifcww.exe
        
        C:\Windows\system32\tvifcww.exe 848 "C:\Windows\SysWOW64\idshxfu.exe"
        83⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\dvmcuue.exe
        
        C:\Windows\system32\dvmcuue.exe 824 "C:\Windows\SysWOW64\tvifcww.exe"
        84⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\ihgkowi.exe
        
        C:\Windows\system32\ihgkowi.exe 552 "C:\Windows\SysWOW64\dvmcuue.exe"
        85⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\rvgheev.exe
        
        C:\Windows\system32\rvgheev.exe 844 "C:\Windows\SysWOW64\ihgkowi.exe"
        86⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\zsquvpy.exe
        
        C:\Windows\system32\zsquvpy.exe 840 "C:\Windows\SysWOW64\rvgheev.exe"
        87⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\picuugc.exe
        
        C:\Windows\system32\picuugc.exe 852 "C:\Windows\SysWOW64\zsquvpy.exe"
        88⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\wppvowl.exe
        
        C:\Windows\system32\wppvowl.exe 856 "C:\Windows\SysWOW64\picuugc.exe"
        89⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\ganfbzs.exe
        
        C:\Windows\system32\ganfbzs.exe 860 "C:\Windows\SysWOW64\wppvowl.exe"
        90⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\qzrcuxz.exe
        
        C:\Windows\system32\qzrcuxz.exe 864 "C:\Windows\SysWOW64\ganfbzs.exe"
        91⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\dmiszby.exe
        
        C:\Windows\system32\dmiszby.exe 868 "C:\Windows\SysWOW64\qzrcuxz.exe"
        92⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\xloixyl.exe
        
        C:\Windows\system32\xloixyl.exe 548 "C:\Windows\SysWOW64\dmiszby.exe"
        93⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\qkrnczf.exe
        
        C:\Windows\system32\qkrnczf.exe 876 "C:\Windows\SysWOW64\xloixyl.exe"
        94⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\xdxsrtv.exe
        
        C:\Windows\system32\xdxsrtv.exe 764 "C:\Windows\SysWOW64\qkrnczf.exe"
        95⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\hvnywjp.exe
        
        C:\Windows\system32\hvnywjp.exe 892 "C:\Windows\SysWOW64\xdxsrtv.exe"
        96⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\rurvpix.exe
        
        C:\Windows\system32\rurvpix.exe 884 "C:\Windows\SysWOW64\hvnywjp.exe"
        97⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cudszge.exe
        
        C:\Windows\system32\cudszge.exe 896 "C:\Windows\SysWOW64\rurvpix.exe"
        98⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\yyzsgox.exe
        
        C:\Windows\system32\yyzsgox.exe 504 "C:\Windows\SysWOW64\cudszge.exe"
        99⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\ookaeft.exe
        
        C:\Windows\system32\ookaeft.exe 900 "C:\Windows\SysWOW64\yyzsgox.exe"
        100⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\vzjfbzj.exe
        
        C:\Windows\system32\vzjfbzj.exe 904 "C:\Windows\SysWOW64\ookaeft.exe"
        101⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\ddtltkm.exe
        
        C:\Windows\system32\ddtltkm.exe 880 "C:\Windows\SysWOW64\vzjfbzj.exe"
        102⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\vlvyqdf.exe
        
        C:\Windows\system32\vlvyqdf.exe 916 "C:\Windows\SysWOW64\ddtltkm.exe"
        103⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\cwudnxv.exe
        
        C:\Windows\system32\cwudnxv.exe 912 "C:\Windows\SysWOW64\vlvyqdf.exe"
        104⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\pjlttbu.exe
        
        C:\Windows\system32\pjlttbu.exe 544 "C:\Windows\SysWOW64\cwudnxv.exe"
        105⤵
        
        PID:892
        
        C:\Windows\SysWOW64\uzqoppg.exe
        
        C:\Windows\system32\uzqoppg.exe 924 "C:\Windows\SysWOW64\pjlttbu.exe"
        106⤵
        
        PID:936
        
        C:\Windows\SysWOW64\hmadvlf.exe
        
        C:\Windows\system32\hmadvlf.exe 936 "C:\Windows\SysWOW64\uzqoppg.exe"
        107⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\rxpoiol.exe
        
        C:\Windows\system32\rxpoiol.exe 928 "C:\Windows\SysWOW64\hmadvlf.exe"
        108⤵
        
        PID:884
        
        C:\Windows\SysWOW64\bzmydrz.exe
        
        C:\Windows\system32\bzmydrz.exe 932 "C:\Windows\SysWOW64\rxpoiol.exe"
        109⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\rpyyciv.exe
        
        C:\Windows\system32\rpyyciv.exe 956 "C:\Windows\SysWOW64\bzmydrz.exe"
        110⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\bsnixej.exe
        
        C:\Windows\system32\bsnixej.exe 940 "C:\Windows\SysWOW64\rpyyciv.exe"
        111⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\akobryt.exe
        
        C:\Windows\system32\akobryt.exe 528 "C:\Windows\SysWOW64\bsnixej.exe"
        112⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\ymjengp.exe
        
        C:\Windows\system32\ymjengp.exe 948 "C:\Windows\SysWOW64\akobryt.exe"
        113⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\drclgqu.exe
        
        C:\Windows\system32\drclgqu.exe 960 "C:\Windows\SysWOW64\ymjengp.exe"
        114⤵
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\nyhjrpc.exe
        
        C:\Windows\system32\nyhjrpc.exe 732 "C:\Windows\SysWOW64\drclgqu.exe"
        115⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\ujnooik.exe
        
        C:\Windows\system32\ujnooik.exe 964 "C:\Windows\SysWOW64\nyhjrpc.exe"
        116⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\efgyvdl.exe
        
        C:\Windows\system32\efgyvdl.exe 968 "C:\Windows\SysWOW64\ujnooik.exe"
        117⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\rhmohhx.exe
        
        C:\Windows\system32\rhmohhx.exe 972 "C:\Windows\SysWOW64\efgyvdl.exe"
        118⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\wiujxnv.exe
        
        C:\Windows\system32\wiujxnv.exe 976 "C:\Windows\SysWOW64\rhmohhx.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\lfcjkfe.exe
        
        C:\Windows\system32\lfcjkfe.exe 996 "C:\Windows\SysWOW64\wiujxnv.exe"
        120⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\wadbrzf.exe
        
        C:\Windows\system32\wadbrzf.exe 988 "C:\Windows\SysWOW64\lfcjkfe.exe"
        121⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\jryeiik.exe
        
        C:\Windows\system32\jryeiik.exe 980 "C:\Windows\SysWOW64\wadbrzf.exe"
        122⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\ntoezav.exe
        
        C:\Windows\system32\ntoezav.exe 724 "C:\Windows\SysWOW64\jryeiik.exe"
        123⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\ajjhhaa.exe
        
        C:\Windows\system32\ajjhhaa.exe 992 "C:\Windows\SysWOW64\ntoezav.exe"
        124⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\ikihwpe.exe
        
        C:\Windows\system32\ikihwpe.exe 696 "C:\Windows\SysWOW64\ajjhhaa.exe"
        125⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\xvfugdg.exe
        
        C:\Windows\system32\xvfugdg.exe 1004 "C:\Windows\SysWOW64\ikihwpe.exe"
        126⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cxncenz.exe
        
        C:\Windows\system32\cxncenz.exe 1008 "C:\Windows\SysWOW64\xvfugdg.exe"
        127⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\rcvxiaw.exe
        
        C:\Windows\system32\rcvxiaw.exe 1012 "C:\Windows\SysWOW64\cxncenz.exe"
        128⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\tajegfj.exe
        
        C:\Windows\system32\tajegfj.exe 664 "C:\Windows\SysWOW64\rcvxiaw.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\malrdyd.exe
        
        C:\Windows\system32\malrdyd.exe 1020 "C:\Windows\SysWOW64\tajegfj.exe"
        130⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\ttkwast.exe
        
        C:\Windows\system32\ttkwast.exe 816 "C:\Windows\SysWOW64\malrdyd.exe"
        131⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\dsoulqs.exe
        
        C:\Windows\system32\dsoulqs.exe 1036 "C:\Windows\SysWOW64\ttkwast.exe"
        132⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\nopmalb.exe
        
        C:\Windows\system32\nopmalb.exe 1040 "C:\Windows\SysWOW64\dsoulqs.exe"
        133⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\yntklkb.exe
        
        C:\Windows\system32\yntklkb.exe 1032 "C:\Windows\SysWOW64\nopmalb.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\fuocxzk.exe
        
        C:\Windows\system32\fuocxzk.exe 1048 "C:\Windows\SysWOW64\yntklkb.exe"
        135⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\kwusqmp.exe
        
        C:\Windows\system32\kwusqmp.exe 1044 "C:\Windows\SysWOW64\fuocxzk.exe"
        136⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\usvcygx.exe
        
        C:\Windows\system32\usvcygx.exe 1060 "C:\Windows\SysWOW64\kwusqmp.exe"
        137⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\hiqfhgv.exe
        
        C:\Windows\system32\hiqfhgv.exe 1056 "C:\Windows\SysWOW64\usvcygx.exe"
        138⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\ocpkeil.exe
        
        C:\Windows\system32\ocpkeil.exe 1052 "C:\Windows\SysWOW64\hiqfhgv.exe"
        139⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\bpghjek.exe
        
        C:\Windows\system32\bpghjek.exe 1076 "C:\Windows\SysWOW64\ocpkeil.exe"
        140⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\lokfuds.exe
        
        C:\Windows\system32\lokfuds.exe 1064 "C:\Windows\SysWOW64\bpghjek.exe"
        141⤵
        
        PID:320
        
        C:\Windows\SysWOW64\vclukkf.exe
        
        C:\Windows\system32\vclukkf.exe 1068 "C:\Windows\SysWOW64\lokfuds.exe"
        142⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\gubaxaz.exe
        
        C:\Windows\system32\gubaxaz.exe 1088 "C:\Windows\SysWOW64\vclukkf.exe"
        143⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\lzuiikl.exe
        
        C:\Windows\system32\lzuiikl.exe 1072 "C:\Windows\SysWOW64\gubaxaz.exe"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\sstnfeu.exe
        
        C:\Windows\system32\sstnfeu.exe 624 "C:\Windows\SysWOW64\lzuiikl.exe"
        145⤵
        Drops file in System32 directory
        
        PID:1128
        
        C:\Windows\SysWOW64\hamvmnx.exe
        
        C:\Windows\system32\hamvmnx.exe 1084 "C:\Windows\SysWOW64\sstnfeu.exe"
        146⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\ollajpf.exe
        
        C:\Windows\system32\ollajpf.exe 872 "C:\Windows\SysWOW64\hamvmnx.exe"
        147⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\exlvfuc.exe
        
        C:\Windows\system32\exlvfuc.exe 1096 "C:\Windows\SysWOW64\ollajpf.exe"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Windows\SysWOW64\pwxsxtk.exe
        
        C:\Windows\system32\pwxsxtk.exe 1100 "C:\Windows\SysWOW64\exlvfuc.exe"
        149⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\yhndkwq.exe
        
        C:\Windows\system32\yhndkwq.exe 1104 "C:\Windows\SysWOW64\pwxsxtk.exe"
        150⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\ikcngze.exe
        
        C:\Windows\system32\ikcngze.exe 1108 "C:\Windows\SysWOW64\yhndkwq.exe"
        151⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\sjokqye.exe
        
        C:\Windows\system32\sjokqye.exe 1112 "C:\Windows\SysWOW64\ikcngze.exe"
        152⤵
        
        PID:856
        
        C:\Windows\SysWOW64\gwyawul.exe
        
        C:\Windows\system32\gwyawul.exe 1116 "C:\Windows\SysWOW64\sjokqye.exe"
        153⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\nainfnn.exe
        
        C:\Windows\system32\nainfnn.exe 1120 "C:\Windows\SysWOW64\gwyawul.exe"
        154⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\xlxyaqu.exe
        
        C:\Windows\system32\xlxyaqu.exe 888 "C:\Windows\SysWOW64\nainfnn.exe"
        155⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\hnniota.exe
        
        C:\Windows\system32\hnniota.exe 1132 "C:\Windows\SysWOW64\xlxyaqu.exe"
        156⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\rjotdoj.exe
        
        C:\Windows\system32\rjotdoj.exe 1144 "C:\Windows\SysWOW64\hnniota.exe"
        157⤵
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\btddqjp.exe
        
        C:\Windows\system32\btddqjp.exe 1128 "C:\Windows\SysWOW64\rjotdoj.exe"
        158⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\lspabix.exe
        
        C:\Windows\system32\lspabix.exe 1140 "C:\Windows\SysWOW64\btddqjp.exe"
        159⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\wstytge.exe
        
        C:\Windows\system32\wstytge.exe 1148 "C:\Windows\SysWOW64\lspabix.exe"
        160⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\gnuqbbf.exe
        
        C:\Windows\system32\gnuqbbf.exe 1152 "C:\Windows\SysWOW64\wstytge.exe"
        161⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\qykboel.exe
        
        C:\Windows\system32\qykboel.exe 1136 "C:\Windows\SysWOW64\gnuqbbf.exe"
        162⤵
        Drops file in System32 directory
        
        PID:2096
        
        C:\Windows\SysWOW64\atkleym.exe
        
        C:\Windows\system32\atkleym.exe 1156 "C:\Windows\SysWOW64\qykboel.exe"
        163⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\qbwtcqq.exe
        
        C:\Windows\system32\qbwtcqq.exe 1160 "C:\Windows\SysWOW64\atkleym.exe"
        164⤵
        
        PID:944
        
        C:\Windows\SysWOW64\xuvyzky.exe
        
        C:\Windows\system32\xuvyzky.exe 1164 "C:\Windows\SysWOW64\qbwtcqq.exe"
        165⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\khmofnf.exe
        
        C:\Windows\system32\khmofnf.exe 1168 "C:\Windows\SysWOW64\xuvyzky.exe"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\mvpqaol.exe
        
        C:\Windows\system32\mvpqaol.exe 1172 "C:\Windows\SysWOW64\khmofnf.exe"
        167⤵
        
        PID:908
        
        C:\Windows\SysWOW64\fgcjilm.exe
        
        C:\Windows\system32\fgcjilm.exe 1176 "C:\Windows\SysWOW64\mvpqaol.exe"
        168⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\jzkqhvw.exe
        
        C:\Windows\system32\jzkqhvw.exe 1180 "C:\Windows\SysWOW64\fgcjilm.exe"
        169⤵
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\wuugnzd.exe
        
        C:\Windows\system32\wuugnzd.exe 1184 "C:\Windows\SysWOW64\jzkqhvw.exe"
        170⤵
        
        PID:396
        
        C:\Windows\SysWOW64\dgblctl.exe
        
        C:\Windows\system32\dgblctl.exe 1188 "C:\Windows\SysWOW64\wuugnzd.exe"
        171⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\qwvokbr.exe
        
        C:\Windows\system32\qwvokbr.exe 1196 "C:\Windows\SysWOW64\dgblctl.exe"
        172⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\drneyxp.exe
        
        C:\Windows\system32\drneyxp.exe 1192 "C:\Windows\SysWOW64\qwvokbr.exe"
        173⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\nucolaw.exe
        
        C:\Windows\system32\nucolaw.exe 1200 "C:\Windows\SysWOW64\drneyxp.exe"
        174⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\xthlwzd.exe
        
        C:\Windows\system32\xthlwzd.exe 1208 "C:\Windows\SysWOW64\nucolaw.exe"
        175⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\hdwwrck.exe
        
        C:\Windows\system32\hdwwrck.exe 1204 "C:\Windows\SysWOW64\xthlwzd.exe"
        176⤵
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\rcitbbr.exe
        
        C:\Windows\system32\rcitbbr.exe 1216 "C:\Windows\SysWOW64\hdwwrck.exe"
        177⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\ccmrmaz.exe
        
        C:\Windows\system32\ccmrmaz.exe 1212 "C:\Windows\SysWOW64\rcitbbr.exe"
        178⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\exnjbuz.exe
        
        C:\Windows\system32\exnjbuz.exe 1224 "C:\Windows\SysWOW64\ccmrmaz.exe"
        179⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\rwimkcf.exe
        
        C:\Windows\system32\rwimkcf.exe 1220 "C:\Windows\SysWOW64\exnjbuz.exe"
        180⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\bvujvbn.exe
        
        C:\Windows\system32\bvujvbn.exe 1236 "C:\Windows\SysWOW64\rwimkcf.exe"
        181⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\igtosvv.exe
        
        C:\Windows\system32\igtosvv.exe 1228 "C:\Windows\SysWOW64\bvujvbn.exe"
        182⤵
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\tyiuwlx.exe
        
        C:\Windows\system32\tyiuwlx.exe 1248 "C:\Windows\SysWOW64\igtosvv.exe"
        183⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\faobixb.exe
        
        C:\Windows\system32\faobixb.exe 1232 "C:\Windows\SysWOW64\tyiuwlx.exe"
        184⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\nlnpfrj.exe
        
        C:\Windows\system32\nlnpfrj.exe 1256 "C:\Windows\SysWOW64\faobixb.exe"
        185⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\xkzmpqr.exe
        
        C:\Windows\system32\xkzmpqr.exe 1244 "C:\Windows\SysWOW64\nlnpfrj.exe"
        186⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\kjupyqx.exe
        
        C:\Windows\system32\kjupyqx.exe 1240 "C:\Windows\SysWOW64\xkzmpqr.exe"
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\xwleeuv.exe
        
        C:\Windows\system32\xwleeuv.exe 1252 "C:\Windows\SysWOW64\kjupyqx.exe"
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\zvsubzj.exe
        
        C:\Windows\system32\zvsubzj.exe 1260 "C:\Windows\SysWOW64\xwleeuv.exe"
        189⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\jueruxq.exe
        
        C:\Windows\system32\jueruxq.exe 1264 "C:\Windows\SysWOW64\zvsubzj.exe"
        190⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\ttipewq.exe
        
        C:\Windows\system32\ttipewq.exe 1272 "C:\Windows\SysWOW64\jueruxq.exe"
        191⤵
        
        PID:932
        
        C:\Windows\SysWOW64\ggzfkax.exe
        
        C:\Windows\system32\ggzfkax.exe 1268 "C:\Windows\SysWOW64\ttipewq.exe"
        192⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\qqppxvd.exe
        
        C:\Windows\system32\qqppxvd.exe 1292 "C:\Windows\SysWOW64\ggzfkax.exe"
        193⤵
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\xykprtm.exe
        
        C:\Windows\system32\xykprtm.exe 1280 "C:\Windows\SysWOW64\qqppxvd.exe"
        194⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\ixomcru.exe
        
        C:\Windows\system32\ixomcru.exe 1284 "C:\Windows\SysWOW64\xykprtm.exe"
        195⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\stpxsmv.exe
        
        C:\Windows\system32\stpxsmv.exe 1276 "C:\Windows\SysWOW64\ixomcru.exe"
        196⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cvfhfpb.exe
        
        C:\Windows\system32\cvfhfpb.exe 1288 "C:\Windows\SysWOW64\stpxsmv.exe"
        197⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\mdjfpoj.exe
        
        C:\Windows\system32\mdjfpoj.exe 1296 "C:\Windows\SysWOW64\cvfhfpb.exe"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\wyjxfij.exe
        
        C:\Windows\system32\wyjxfij.exe 1300 "C:\Windows\SysWOW64\mdjfpoj.exe"
        199⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\gbzasdq.exe
        
        C:\Windows\system32\gbzasdq.exe 1304 "C:\Windows\SysWOW64\wyjxfij.exe"
        200⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\qalfccx.exe
        
        C:\Windows\system32\qalfccx.exe 908 "C:\Windows\SysWOW64\gbzasdq.exe"
        201⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\evvvigw.exe
        
        C:\Windows\system32\evvvigw.exe 1316 "C:\Windows\SysWOW64\qalfccx.exe"
        202⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\lgtafam.exe
        
        C:\Windows\system32\lgtafam.exe 1320 "C:\Windows\SysWOW64\evvvigw.exe"
        203⤵
        
        PID:752
        
        C:\Windows\SysWOW64\ywwdoik.exe
        
        C:\Windows\system32\ywwdoik.exe 1324 "C:\Windows\SysWOW64\lgtafam.exe"
        204⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\ieaaghr.exe
        
        C:\Windows\system32\ieaaghr.exe 1328 "C:\Windows\SysWOW64\ywwdoik.exe"
        205⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\sgqktkg.exe
        
        C:\Windows\system32\sgqktkg.exe 1312 "C:\Windows\SysWOW64\ieaaghr.exe"
        206⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\fthazoe.exe
        
        C:\Windows\system32\fthazoe.exe 1332 "C:\Windows\SysWOW64\sgqktkg.exe"
        207⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\pslxkme.exe
        
        C:\Windows\system32\pslxkme.exe 1336 "C:\Windows\SysWOW64\fthazoe.exe"
        208⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\zdbifhs.exe
        
        C:\Windows\system32\zdbifhs.exe 1340 "C:\Windows\SysWOW64\pslxkme.exe"
        209⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\jcnfpga.exe
        
        C:\Windows\system32\jcnfpga.exe 1344 "C:\Windows\SysWOW64\zdbifhs.exe"
        210⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\rgxshzd.exe
        
        C:\Windows\system32\rgxshzd.exe 1348 "C:\Windows\SysWOW64\jcnfpga.exe"
        211⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\didiseh.exe
        
        C:\Windows\system32\didiseh.exe 1352 "C:\Windows\SysWOW64\rgxshzd.exe"
        212⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\inwqdom.exe
        
        C:\Windows\system32\inwqdom.exe 832 "C:\Windows\SysWOW64\didiseh.exe"
        213⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\buzvign.exe
        
        C:\Windows\system32\buzvign.exe 1364 "C:\Windows\SysWOW64\inwqdom.exe"
        214⤵
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\flvqevz.exe
        
        C:\Windows\system32\flvqevz.exe 1360 "C:\Windows\SysWOW64\buzvign.exe"
        215⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\pkinptg.exe
        
        C:\Windows\system32\pkinptg.exe 1368 "C:\Windows\SysWOW64\flvqevz.exe"
        216⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\zrmlhko.exe
        
        C:\Windows\system32\zrmlhko.exe 1376 "C:\Windows\SysWOW64\pkinptg.exe"
        217⤵
        
        PID:592
        
        C:\Windows\SysWOW64\kmnvpnp.exe
        
        C:\Windows\system32\kmnvpnp.exe 1372 "C:\Windows\SysWOW64\zrmlhko.exe"
        218⤵
        
        PID:868
        
        C:\Windows\SysWOW64\ruivjcy.exe
        
        C:\Windows\system32\ruivjcy.exe 1388 "C:\Windows\SysWOW64\kmnvpnp.exe"
        219⤵
        
        PID:316
        
        C:\Windows\SysWOW64\btmttby.exe
        
        C:\Windows\system32\btmttby.exe 1384 "C:\Windows\SysWOW64\ruivjcy.exe"
        220⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\jbalgqh.exe
        
        C:\Windows\system32\jbalgqh.exe 1392 "C:\Windows\SysWOW64\btmttby.exe"
        221⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\lwadvli.exe
        
        C:\Windows\system32\lwadvli.exe 1380 "C:\Windows\SysWOW64\jbalgqh.exe"
        222⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\vvmbgjp.exe
        
        C:\Windows\system32\vvmbgjp.exe 1396 "C:\Windows\SysWOW64\lwadvli.exe"
        223⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\fgcltne.exe
        
        C:\Windows\system32\fgcltne.exe 1400 "C:\Windows\SysWOW64\vvmbgjp.exe"
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
        
        C:\Windows\SysWOW64\pfgjlld.exe
        
        C:\Windows\system32\pfgjlld.exe 1412 "C:\Windows\SysWOW64\fgcltne.exe"
        225⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\abhttgm.exe
        
        C:\Windows\system32\abhttgm.exe 1404 "C:\Windows\SysWOW64\pfgjlld.exe"
        226⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\kalzdfm.exe
        
        C:\Windows\system32\kalzdfm.exe 920 "C:\Windows\SysWOW64\abhttgm.exe"
        227⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\uomobmz.exe
        
        C:\Windows\system32\uomobmz.exe 1420 "C:\Windows\SysWOW64\kalzdfm.exe"
        228⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\georkme.exe
        
        C:\Windows\system32\georkme.exe 1416 "C:\Windows\SysWOW64\uomobmz.exe"
        229⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\rmtoulm.exe
        
        C:\Windows\system32\rmtoulm.exe 1424 "C:\Windows\SysWOW64\georkme.exe"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\bhtgkfm.exe
        
        C:\Windows\system32\bhtgkfm.exe 1432 "C:\Windows\SysWOW64\rmtoulm.exe"
        231⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\obzovsr.exe
        
        C:\Windows\system32\obzovsr.exe 1428 "C:\Windows\SysWOW64\bhtgkfm.exe"
        232⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\vfkbfdu.exe
        
        C:\Windows\system32\vfkbfdu.exe 1436 "C:\Windows\SysWOW64\obzovsr.exe"
        233⤵
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\iltwtuf.exe
        
        C:\Windows\system32\iltwtuf.exe 1440 "C:\Windows\SysWOW64\vfkbfdu.exe"
        234⤵
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\sguojof.exe
        
        C:\Windows\system32\sguojof.exe 1444 "C:\Windows\SysWOW64\iltwtuf.exe"
        235⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\ccvzqjo.exe
        
        C:\Windows\system32\ccvzqjo.exe 1448 "C:\Windows\SysWOW64\sguojof.exe"
        236⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\nbzwbio.exe
        
        C:\Windows\system32\nbzwbio.exe 1456 "C:\Windows\SysWOW64\ccvzqjo.exe"
        237⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\wpzuzpb.exe
        
        C:\Windows\system32\wpzuzpb.exe 1452 "C:\Windows\SysWOW64\nbzwbio.exe"
        238⤵
        
        PID:984
        
        C:\Windows\SysWOW64\hhpzdfd.exe
        
        C:\Windows\system32\hhpzdfd.exe 1468 "C:\Windows\SysWOW64\wpzuzpb.exe"
        239⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\otoebzl.exe
        
        C:\Windows\system32\otoebzl.exe 1472 "C:\Windows\SysWOW64\hhpzdfd.exe"
        240⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\bgfugds.exe
        
        C:\Windows\system32\bgfugds.exe 1460 "C:\Windows\SysWOW64\otoebzl.exe"
        241⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\olxwvmv.exe
        
        C:\Windows\system32\olxwvmv.exe 1480 "C:\Windows\SysWOW64\bgfugds.exe"
        242⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\ykbufkc.exe
        
        C:\Windows\system32\ykbufkc.exe 1464 "C:\Windows\SysWOW64\olxwvmv.exe"
        243⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\irnrxjk.exe
        
        C:\Windows\system32\irnrxjk.exe 1476 "C:\Windows\SysWOW64\ykbufkc.exe"
        244⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\sqrpiis.exe
        
        C:\Windows\system32\sqrpiis.exe 1500 "C:\Windows\SysWOW64\irnrxjk.exe"
        245⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmszpcs.exe
        
        C:\Windows\system32\cmszpcs.exe 1484 "C:\Windows\SysWOW64\sqrpiis.exe"
        246⤵
        
        PID:612
        
        C:\Windows\SysWOW64\nlwfiba.exe
        
        C:\Windows\system32\nlwfiba.exe 952 "C:\Windows\SysWOW64\cmszpcs.exe"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:308
        
        C:\Windows\SysWOW64\xwlpveg.exe
        
        C:\Windows\system32\xwlpveg.exe 1492 "C:\Windows\SysWOW64\nlwfiba.exe"
        248⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\hvxmfdo.exe
        
        C:\Windows\system32\hvxmfdo.exe 1496 "C:\Windows\SysWOW64\xwlpveg.exe"
        249⤵
        
        PID:840
        
        C:\Windows\SysWOW64\uihclhm.exe
        
        C:\Windows\system32\uihclhm.exe 1504 "C:\Windows\SysWOW64\hvxmfdo.exe"
        250⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\bpcufww.exe
        
        C:\Windows\system32\bpcufww.exe 1508 "C:\Windows\SysWOW64\uihclhm.exe"
        251⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\orjkrba.exe
        
        C:\Windows\system32\orjkrba.exe 1512 "C:\Windows\SysWOW64\bpcufww.exe"
        252⤵
        
        PID:584
        
        C:\Windows\SysWOW64\ynjuyvb.exe
        
        C:\Windows\system32\ynjuyvb.exe 1516 "C:\Windows\SysWOW64\orjkrba.exe"
        253⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\iqzfuyp.exe
        
        C:\Windows\system32\iqzfuyp.exe 1520 "C:\Windows\SysWOW64\ynjuyvb.exe"
        254⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\ncsnniu.exe
        
        C:\Windows\system32\ncsnniu.exe 1524 "C:\Windows\SysWOW64\iqzfuyp.exe"
        255⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\atnpwqa.exe
        
        C:\Windows\system32\atnpwqa.exe 1536 "C:\Windows\SysWOW64\ncsnniu.exe"
        256⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\kdcajlg.exe
        
        C:\Windows\system32\kdcajlg.exe 1544 "C:\Windows\SysWOW64\atnpwqa.exe"
        257⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\udpxtko.exe
        
        C:\Windows\system32\udpxtko.exe 1528 "C:\Windows\SysWOW64\kdcajlg.exe"
        258⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\htjaksl.exe
        
        C:\Windows\system32\htjaksl.exe 1540 "C:\Windows\SysWOW64\udpxtko.exe"
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\rpkkrnu.exe
        
        C:\Windows\system32\rpkkrnu.exe 1532 "C:\Windows\SysWOW64\htjaksl.exe"
        260⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\yijxghc.exe
        
        C:\Windows\system32\yijxghc.exe 1548 "C:\Windows\SysWOW64\rpkkrnu.exe"
        261⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\mvtnukb.exe
        
        C:\Windows\system32\mvtnukb.exe 1552 "C:\Windows\SysWOW64\yijxghc.exe"
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\tcofgak.exe
        
        C:\Windows\system32\tcofgak.exe 984 "C:\Windows\SysWOW64\mvtnukb.exe"
        263⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\gtjipiq.exe
        
        C:\Windows\system32\gtjipiq.exe 1560 "C:\Windows\SysWOW64\tcofgak.exe"
        264⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\ieysklw.exe
        
        C:\Windows\system32\ieysklw.exe 1000 "C:\Windows\SysWOW64\gtjipiq.exe"
        265⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\sdkqvke.exe
        
        C:\Windows\system32\sdkqvke.exe 1568 "C:\Windows\SysWOW64\ieysklw.exe"
        266⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cylicef.exe
        
        C:\Windows\system32\cylicef.exe 1572 "C:\Windows\SysWOW64\sdkqvke.exe"
        267⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\mjbtxhl.exe
        
        C:\Windows\system32\mjbtxhl.exe 1576 "C:\Windows\SysWOW64\cylicef.exe"
        268⤵
        Drops file in System32 directory
        
        PID:1388
        
        C:\Windows\SysWOW64\zwkidds.exe
        
        C:\Windows\system32\zwkidds.exe 1584 "C:\Windows\SysWOW64\mjbtxhl.exe"
        269⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\jvwgocr.exe
        
        C:\Windows\system32\jvwgocr.exe 1580 "C:\Windows\SysWOW64\zwkidds.exe"
        270⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\tymqbfg.exe
        
        C:\Windows\system32\tymqbfg.exe 1596 "C:\Windows\SysWOW64\jvwgocr.exe"
        271⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\dibawim.exe
        
        C:\Windows\system32\dibawim.exe 1588 "C:\Windows\SysWOW64\tymqbfg.exe"
        272⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\nhnyhht.exe
        
        C:\Windows\system32\nhnyhht.exe 1604 "C:\Windows\SysWOW64\dibawim.exe"
        273⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\ygrvrgt.exe
        
        C:\Windows\system32\ygrvrgt.exe 1592 "C:\Windows\SysWOW64\nhnyhht.exe"
        274⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\lbjlfka.exe
        
        C:\Windows\system32\lbjlfka.exe 1016 "C:\Windows\SysWOW64\ygrvrgt.exe"
        275⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\snhquei.exe
        
        C:\Windows\system32\snhquei.exe 1608 "C:\Windows\SysWOW64\lbjlfka.exe"
        276⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\zrsdlpl.exe
        
        C:\Windows\system32\zrsdlpl.exe 1632 "C:\Windows\SysWOW64\snhquei.exe"
        277⤵
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\nebtrsr.exe
        
        C:\Windows\system32\nebtrsr.exe 1616 "C:\Windows\SysWOW64\zrsdlpl.exe"
        278⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\xgrdewy.exe
        
        C:\Windows\system32\xgrdewy.exe 1628 "C:\Windows\SysWOW64\nebtrsr.exe"
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\groozze.exe
        
        C:\Windows\system32\groozze.exe 1612 "C:\Windows\SysWOW64\xgrdewy.exe"
        280⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\rmhyhtf.exe
        
        C:\Windows\system32\rmhyhtf.exe 944 "C:\Windows\SysWOW64\groozze.exe"
        281⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\bpwjuwt.exe
        
        C:\Windows\system32\bpwjuwt.exe 1624 "C:\Windows\SysWOW64\rmhyhtf.exe"
        282⤵
        
        PID:844
        
        C:\Windows\SysWOW64\lhmohmn.exe
        
        C:\Windows\system32\lhmohmn.exe 1652 "C:\Windows\SysWOW64\bpwjuwt.exe"
        283⤵
        
        PID:332
        
        C:\Windows\SysWOW64\vvmlxua.exe
        
        C:\Windows\system32\vvmlxua.exe 1636 "C:\Windows\SysWOW64\lhmohmn.exe"
        284⤵
        
        PID:760
        
        C:\Windows\SysWOW64\iiebdqz.exe
        
        C:\Windows\system32\iiebdqz.exe 1640 "C:\Windows\SysWOW64\vvmlxua.exe"
        285⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\sttmqtn.exe
        
        C:\Windows\system32\sttmqtn.exe 1644 "C:\Windows\SysWOW64\iiebdqz.exe"
        286⤵
        
        PID:980
        
        C:\Windows\SysWOW64\csxjjsn.exe
        
        C:\Windows\system32\csxjjsn.exe 1668 "C:\Windows\SysWOW64\sttmqtn.exe"
        287⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\mrkgtqu.exe
        
        C:\Windows\system32\mrkgtqu.exe 1648 "C:\Windows\SysWOW64\csxjjsn.exe"
        288⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\Windows\SysWOW64\aetwzut.exe
        
        C:\Windows\system32\aetwzut.exe 1656 "C:\Windows\SysWOW64\mrkgtqu.exe"
        289⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\hmpwtkd.exe
        
        C:\Windows\system32\hmpwtkd.exe 1660 "C:\Windows\SysWOW64\aetwzut.exe"
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\ukjzcsi.exe
        
        C:\Windows\system32\ukjzcsi.exe 1676 "C:\Windows\SysWOW64\hmpwtkd.exe"
        291⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\bvqermr.exe
        
        C:\Windows\system32\bvqermr.exe 1664 "C:\Windows\SysWOW64\ukjzcsi.exe"
        292⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\lvubjky.exe
        
        C:\Windows\system32\lvubjky.exe 1680 "C:\Windows\SysWOW64\bvqermr.exe"
        293⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\yimrpox.exe
        
        C:\Windows\system32\yimrpox.exe 1672 "C:\Windows\SysWOW64\lvubjky.exe"
        294⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\fbkwein.exe
        
        C:\Windows\system32\fbkwein.exe 1688 "C:\Windows\SysWOW64\yimrpox.exe"
        295⤵
        
        PID:960
        
        C:\Windows\SysWOW64\vjwelrj.exe
        
        C:\Windows\system32\vjwelrj.exe 1692 "C:\Windows\SysWOW64\fbkwein.exe"
        296⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\ihrhtao.exe
        
        C:\Windows\system32\ihrhtao.exe 1704 "C:\Windows\SysWOW64\vjwelrj.exe"
        297⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\psxmqtx.exe
        
        C:\Windows\system32\psxmqtx.exe 1684 "C:\Windows\SysWOW64\ihrhtao.exe"
        298⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\cfhcwxd.exe
        
        C:\Windows\system32\cfhcwxd.exe 1700 "C:\Windows\SysWOW64\psxmqtx.exe"
        299⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\metzgwd.exe
        
        C:\Windows\system32\metzgwd.exe 1696 "C:\Windows\SysWOW64\cfhcwxd.exe"
        300⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\wsuxfdq.exe
        
        C:\Windows\system32\wsuxfdq.exe 1720 "C:\Windows\SysWOW64\metzgwd.exe"
        301⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\jfdmkzp.exe
        
        C:\Windows\system32\jfdmkzp.exe 1708 "C:\Windows\SysWOW64\wsuxfdq.exe"
        302⤵
        
        PID:324
        
        C:\Windows\SysWOW64\rnzexxy.exe
        
        C:\Windows\system32\rnzexxy.exe 1080 "C:\Windows\SysWOW64\jfdmkzp.exe"
        303⤵
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\gdkmdgc.exe
        
        C:\Windows\system32\gdkmdgc.exe 1716 "C:\Windows\SysWOW64\rnzexxy.exe"
        304⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\nojraak.exe
        
        C:\Windows\system32\nojraak.exe 1724 "C:\Windows\SysWOW64\gdkmdgc.exe"
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\bjahgej.exe
        
        C:\Windows\system32\bjahgej.exe 1728 "C:\Windows\SysWOW64\nojraak.exe"
        306⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\iuzudyz.exe
        
        C:\Windows\system32\iuzudyz.exe 672 "C:\Windows\SysWOW64\bjahgej.exe"
        307⤵
        Drops file in System32 directory
        
        PID:2208
        
        C:\Windows\SysWOW64\vhrkjby.exe
        
        C:\Windows\system32\vhrkjby.exe 1736 "C:\Windows\SysWOW64\iuzudyz.exe"
        308⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\xsguwee.exe
        
        C:\Windows\system32\xsguwee.exe 1740 "C:\Windows\SysWOW64\vhrkjby.exe"
        309⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\hohfezn.exe
        
        C:\Windows\system32\hohfezn.exe 1748 "C:\Windows\SysWOW64\xsguwee.exe"
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\rnlcwyn.exe
        
        C:\Windows\system32\rnlcwyn.exe 1744 "C:\Windows\SysWOW64\hohfezn.exe"
        311⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\btmamfa.exe
        
        C:\Windows\system32\btmamfa.exe 1752 "C:\Windows\SysWOW64\rnlcwyn.exe"
        312⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\lonkuaa.exe
        
        C:\Windows\system32\lonkuaa.exe 1124 "C:\Windows\SysWOW64\btmamfa.exe"
        313⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\yqtanen.exe
        
        C:\Windows\system32\yqtanen.exe 1760 "C:\Windows\SysWOW64\lonkuaa.exe"
        314⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\immkvzo.exe
        
        C:\Windows\system32\immkvzo.exe 1620 "C:\Windows\SysWOW64\yqtanen.exe"
        315⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\sxbvicu.exe
        
        C:\Windows\system32\sxbvicu.exe 1768 "C:\Windows\SysWOW64\immkvzo.exe"
        316⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\dscnywv.exe
        
        C:\Windows\system32\dscnywv.exe 1784 "C:\Windows\SysWOW64\sxbvicu.exe"
        317⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\nvrxlzj.exe
        
        C:\Windows\system32\nvrxlzj.exe 1772 "C:\Windows\SysWOW64\dscnywv.exe"
        318⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\aijnrdi.exe
        
        C:\Windows\system32\aijnrdi.exe 1788 "C:\Windows\SysWOW64\nvrxlzj.exe"
        319⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\hbhsoxq.exe
        
        C:\Windows\system32\hbhsoxq.exe 1776 "C:\Windows\SysWOW64\aijnrdi.exe"
        320⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\rxidvrr.exe
        
        C:\Windows\system32\rxidvrr.exe 1308 "C:\Windows\SysWOW64\hbhsoxq.exe"
        321⤵
        
        PID:860
        
        C:\Windows\SysWOW64\bzynjuf.exe
        
        C:\Windows\system32\bzynjuf.exe 1796 "C:\Windows\SysWOW64\rxidvrr.exe"
        322⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\ompdoye.exe
        
        C:\Windows\system32\ompdoye.exe 1808 "C:\Windows\SysWOW64\bzynjuf.exe"
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\yxfnkbk.exe
        
        C:\Windows\system32\yxfnkbk.exe 1792 "C:\Windows\SysWOW64\ompdoye.exe"
        324⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\izuyxxy.exe
        
        C:\Windows\system32\izuyxxy.exe 1356 "C:\Windows\SysWOW64\yxfnkbk.exe"
        325⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\sgyvpvy.exe
        
        C:\Windows\system32\sgyvpvy.exe 1804 "C:\Windows\SysWOW64\izuyxxy.exe"
        326⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\ftqtvzf.exe
        
        C:\Windows\system32\ftqtvzf.exe 1812 "C:\Windows\SysWOW64\sgyvpvy.exe"
        327⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\pwfdicl.exe
        
        C:\Windows\system32\pwfdicl.exe 1816 "C:\Windows\SysWOW64\ftqtvzf.exe"
        328⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\asgnqxm.exe
        
        C:\Windows\system32\asgnqxm.exe 1820 "C:\Windows\SysWOW64\pwfdicl.exe"
        329⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\krkliwt.exe
        
        C:\Windows\system32\krkliwt.exe 1832 "C:\Windows\SysWOW64\asgnqxm.exe"
        330⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\ubzvwza.exe
        
        C:\Windows\system32\ubzvwza.exe 1828 "C:\Windows\SysWOW64\krkliwt.exe"
        331⤵
        Drops file in System32 directory
        
        PID:664
        
        C:\Windows\SysWOW64\ealtgxh.exe
        
        C:\Windows\system32\ealtgxh.exe 1824 "C:\Windows\SysWOW64\ubzvwza.exe"
        332⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\rnvimbg.exe
        
        C:\Windows\system32\rnvimbg.exe 1844 "C:\Windows\SysWOW64\ealtgxh.exe"
        333⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\bcwgkbt.exe
        
        C:\Windows\system32\bcwgkbt.exe 1836 "C:\Windows\SysWOW64\rnvimbg.exe"
        334⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\lbiduab.exe
        
        C:\Windows\system32\lbiduab.exe 1840 "C:\Windows\SysWOW64\bcwgkbt.exe"
        335⤵
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\yzdgdiy.exe
        
        C:\Windows\system32\yzdgdiy.exe 1848 "C:\Windows\SysWOW64\lbiduab.exe"
        336⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\fdntutj.exe
        
        C:\Windows\system32\fdntutj.exe 1780 "C:\Windows\SysWOW64\yzdgdiy.exe"
        337⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\vpkgepl.exe
        
        C:\Windows\system32\vpkgepl.exe 1856 "C:\Windows\SysWOW64\fdntutj.exe"
        338⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\ctutnao.exe
        
        C:\Windows\system32\ctutnao.exe 1860 "C:\Windows\SysWOW64\vpkgepl.exe"
        339⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\pvajzms.exe
        
        C:\Windows\system32\pvajzms.exe 1864 "C:\Windows\SysWOW64\ctutnao.exe"
        340⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\aqttohb.exe
        
        C:\Windows\system32\aqttohb.exe 1880 "C:\Windows\SysWOW64\pvajzms.exe"
        341⤵
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\kqfrzfb.exe
        
        C:\Windows\system32\kqfrzfb.exe 1868 "C:\Windows\SysWOW64\aqttohb.exe"
        342⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\rbdwwzr.exe
        
        C:\Windows\system32\rbdwwzr.exe 1872 "C:\Windows\SysWOW64\kqfrzfb.exe"
        343⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\ewvlbvq.exe
        
        C:\Windows\system32\ewvlbvq.exe 1876 "C:\Windows\SysWOW64\rbdwwzr.exe"
        344⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\lhuzrxy.exe
        
        C:\Windows\system32\lhuzrxy.exe 1408 "C:\Windows\SysWOW64\ewvlbvq.exe"
        345⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\yxobzxe.exe
        
        C:\Windows\system32\yxobzxe.exe 1888 "C:\Windows\SysWOW64\lhuzrxy.exe"
        346⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\itpmpre.exe
        
        C:\Windows\system32\itpmpre.exe 1896 "C:\Windows\SysWOW64\yxobzxe.exe"
        347⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\shqjfzr.exe
        
        C:\Windows\system32\shqjfzr.exe 1892 "C:\Windows\SysWOW64\itpmpre.exe"
        348⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cdrumts.exe
        
        C:\Windows\system32\cdrumts.exe 656 "C:\Windows\SysWOW64\shqjfzr.exe"
        349⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\ptmwdby.exe
        
        C:\Windows\system32\ptmwdby.exe 1904 "C:\Windows\SysWOW64\cdrumts.exe"
        350⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\wmkbsvo.exe
        
        C:\Windows\system32\wmkbsvo.exe 1916 "C:\Windows\SysWOW64\ptmwdby.exe"
        351⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\jdnebdm.exe
        
        C:\Windows\system32\jdnebdm.exe 1912 "C:\Windows\SysWOW64\wmkbsvo.exe"
        352⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\ucrbtct.exe
        
        C:\Windows\system32\ucrbtct.exe 1920 "C:\Windows\SysWOW64\jdnebdm.exe"
        353⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\ybmeccz.exe
        
        C:\Windows\system32\ybmeccz.exe 1908 "C:\Windows\SysWOW64\ucrbtct.exe"
        354⤵
        
        PID:948
        
        C:\Windows\SysWOW64\jaycmby.exe
        
        C:\Windows\system32\jaycmby.exe 1936 "C:\Windows\SysWOW64\ybmeccz.exe"
        355⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\tzczwag.exe
        
        C:\Windows\system32\tzczwag.exe 1924 "C:\Windows\SysWOW64\jaycmby.exe"
        356⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\dgoepzn.exe
        
        C:\Windows\system32\dgoepzn.exe 1940 "C:\Windows\SysWOW64\tzczwag.exe"
        357⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\niehccu.exe
        
        C:\Windows\system32\niehccu.exe 1928 "C:\Windows\SysWOW64\dgoepzn.exe"
        358⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\xexzkwc.exe
        
        C:\Windows\system32\xexzkwc.exe 1944 "C:\Windows\SysWOW64\niehccu.exe"
        359⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\Windows\SysWOW64\hdjxcvc.exe
        
        C:\Windows\system32\hdjxcvc.exe 1932 "C:\Windows\SysWOW64\xexzkwc.exe"
        360⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\royhpyq.exe
        
        C:\Windows\system32\royhpyq.exe 1964 "C:\Windows\SysWOW64\hdjxcvc.exe"
        361⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\ebqxvcp.exe
        
        C:\Windows\system32\ebqxvcp.exe 1948 "C:\Windows\SysWOW64\royhpyq.exe"
        362⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\mmocswx.exe
        
        C:\Windows\system32\mmocswx.exe 1952 "C:\Windows\SysWOW64\ebqxvcp.exe"
        363⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\ykjfbed.exe
        
        C:\Windows\system32\ykjfbed.exe 1956 "C:\Windows\SysWOW64\mmocswx.exe"
        364⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\mxbuhac.exe
        
        C:\Windows\system32\mxbuhac.exe 1960 "C:\Windows\SysWOW64\ykjfbed.exe"
        365⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\wwfarzj.exe
        
        C:\Windows\system32\wwfarzj.exe 1972 "C:\Windows\SysWOW64\mxbuhac.exe"
        366⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\ghucmcp.exe
        
        C:\Windows\system32\ghucmcp.exe 1968 "C:\Windows\SysWOW64\wwfarzj.exe"
        367⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\qgghxax.exe
        
        C:\Windows\system32\qgghxax.exe 1980 "C:\Windows\SysWOW64\ghucmcp.exe"
        368⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\aflfhzf.exe
        
        C:\Windows\system32\aflfhzf.exe 1988 "C:\Windows\SysWOW64\qgghxax.exe"
        369⤵
        
        PID:940
        
        C:\Windows\SysWOW64\kqapccl.exe
        
        C:\Windows\system32\kqapccl.exe 1976 "C:\Windows\SysWOW64\aflfhzf.exe"
        370⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\upmnnbs.exe
        
        C:\Windows\system32\upmnnbs.exe 1984 "C:\Windows\SysWOW64\kqapccl.exe"
        371⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\eoqkxaa.exe
        
        C:\Windows\system32\eoqkxaa.exe 1992 "C:\Windows\SysWOW64\upmnnbs.exe"
        372⤵
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\pkrvnub.exe
        
        C:\Windows\system32\pkrvnub.exe 1996 "C:\Windows\SysWOW64\eoqkxaa.exe"
        373⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\bamxvdg.exe
        
        C:\Windows\system32\bamxvdg.exe 2000 "C:\Windows\SysWOW64\pkrvnub.exe"
        374⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\mhydgbg.exe
        
        C:\Windows\system32\mhydgbg.exe 2004 "C:\Windows\SysWOW64\bamxvdg.exe"
        375⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\yytxocl.exe
        
        C:\Windows\system32\yytxocl.exe 2008 "C:\Windows\SysWOW64\mhydgbg.exe"
        376⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\jxxdhat.exe
        
        C:\Windows\system32\jxxdhat.exe 2020 "C:\Windows\SysWOW64\yytxocl.exe"
        377⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\thunudz.exe
        
        C:\Windows\system32\thunudz.exe 2016 "C:\Windows\SysWOW64\jxxdhat.exe"
        378⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\dgylech.exe
        
        C:\Windows\system32\dgylech.exe 2012 "C:\Windows\SysWOW64\thunudz.exe"
        379⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\qtqakgf.exe
        
        C:\Windows\system32\qtqakgf.exe 2024 "C:\Windows\SysWOW64\dgylech.exe"
        380⤵
        Drops file in System32 directory
        
        PID:3516
        
        C:\Windows\SysWOW64\aeflfjm.exe
        
        C:\Windows\system32\aeflfjm.exe 1556 "C:\Windows\SysWOW64\qtqakgf.exe"
        381⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\khvvtea.exe
        
        C:\Windows\system32\khvvtea.exe 2032 "C:\Windows\SysWOW64\aeflfjm.exe"
        382⤵
        System Location Discovery: System Language Discovery
        
        PID:3632
        
        C:\Windows\SysWOW64\xumlyiz.exe
        
        C:\Windows\system32\xumlyiz.exe 2036 "C:\Windows\SysWOW64\khvvtea.exe"
        383⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\hbqirhg.exe
        
        C:\Windows\system32\hbqirhg.exe 2044 "C:\Windows\SysWOW64\xumlyiz.exe"
        384⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\rdgtekn.exe
        
        C:\Windows\system32\rdgtekn.exe 2056 "C:\Windows\SysWOW64\hbqirhg.exe"
        385⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\ecjvnss.exe
        
        C:\Windows\system32\ecjvnss.exe 2040 "C:\Windows\SysWOW64\rdgtekn.exe"
        386⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\obntxrs.exe
        
        C:\Windows\system32\obntxrs.exe 1488 "C:\Windows\SysWOW64\ecjvnss.exe"
        387⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\yecdsug.exe
        
        C:\Windows\system32\yecdsug.exe 2060 "C:\Windows\SysWOW64\obntxrs.exe"
        388⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\iloadtg.exe
        
        C:\Windows\system32\iloadtg.exe 2064 "C:\Windows\SysWOW64\yecdsug.exe"
        389⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\sksyvkn.exe
        
        C:\Windows\system32\sksyvkn.exe 2072 "C:\Windows\SysWOW64\iloadtg.exe"
        390⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\fxkobom.exe
        
        C:\Windows\system32\fxkobom.exe 2080 "C:\Windows\SysWOW64\sksyvkn.exe"
        391⤵
        
        PID:896
        
        C:\Windows\SysWOW64\snfqkws.exe
        
        C:\Windows\system32\snfqkws.exe 2068 "C:\Windows\SysWOW64\fxkobom.exe"
        392⤵
        Drops file in System32 directory
        
        PID:3096
        
        C:\Windows\SysWOW64\cyubxzy.exe
        
        C:\Windows\system32\cyubxzy.exe 2076 "C:\Windows\SysWOW64\snfqkws.exe"
        393⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\popdfzd.exe
        
        C:\Windows\system32\popdfzd.exe 2084 "C:\Windows\SysWOW64\cyubxzy.exe"
        394⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\whwicbu.exe
        
        C:\Windows\system32\whwicbu.exe 2104 "C:\Windows\SysWOW64\popdfzd.exe"
        395⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\jufgixs.exe
        
        C:\Windows\system32\jufgixs.exe 2092 "C:\Windows\SysWOW64\whwicbu.exe"
        396⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\txujvaz.exe
        
        C:\Windows\system32\txujvaz.exe 2096 "C:\Windows\SysWOW64\jufgixs.exe"
        397⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\ywxleie.exe
        
        C:\Windows\system32\ywxleie.exe 2088 "C:\Windows\SysWOW64\txujvaz.exe"
        398⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\ivbjwhm.exe
        
        C:\Windows\system32\ivbjwhm.exe 2112 "C:\Windows\SysWOW64\ywxleie.exe"
        399⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\sxrtkks.exe
        
        C:\Windows\system32\sxrtkks.exe 2100 "C:\Windows\SysWOW64\ivbjwhm.exe"
        400⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\ctsmret.exe
        
        C:\Windows\system32\ctsmret.exe 2108 "C:\Windows\SysWOW64\sxrtkks.exe"
        401⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\mdhwmhz.exe
        
        C:\Windows\system32\mdhwmhz.exe 2116 "C:\Windows\SysWOW64\ctsmret.exe"
        402⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\zuczvhf.exe
        
        C:\Windows\system32\zuczvhf.exe 2124 "C:\Windows\SysWOW64\mdhwmhz.exe"
        403⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\jbowfgm.exe
        
        C:\Windows\system32\jbowfgm.exe 2120 "C:\Windows\SysWOW64\zuczvhf.exe"
        404⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\rxybxzp.exe
        
        C:\Windows\system32\rxybxzp.exe 2132 "C:\Windows\SysWOW64\jbowfgm.exe"
        405⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\ewtefav.exe
        
        C:\Windows\system32\ewtefav.exe 2128 "C:\Windows\SysWOW64\rxybxzp.exe"
        406⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\oyiotdb.exe
        
        C:\Windows\system32\oyiotdb.exe 2140 "C:\Windows\SysWOW64\ewtefav.exe"
        407⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\blaezga.exe
        
        C:\Windows\system32\blaezga.exe 2144 "C:\Windows\SysWOW64\oyiotdb.exe"
        408⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\lwpouko.exe
        
        C:\Windows\system32\lwpouko.exe 2148 "C:\Windows\SysWOW64\blaezga.exe"
        409⤵
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\sedpgzq.exe
        
        C:\Windows\system32\sedpgzq.exe 2160 "C:\Windows\SysWOW64\lwpouko.exe"
        410⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\fruemdw.exe
        
        C:\Windows\system32\fruemdw.exe 2136 "C:\Windows\SysWOW64\sedpgzq.exe"
        411⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\qqgcecw.exe
        
        C:\Windows\system32\qqgcecw.exe 2156 "C:\Windows\SysWOW64\fruemdw.exe"
        412⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\xjfhtvm.exe
        
        C:\Windows\system32\xjfhtvm.exe 2152 "C:\Windows\SysWOW64\qqgcecw.exe"
        413⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\hijemuu.exe
        
        C:\Windows\system32\hijemuu.exe 2176 "C:\Windows\SysWOW64\xjfhtvm.exe"
        414⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\uvbcrys.exe
        
        C:\Windows\system32\uvbcrys.exe 2184 "C:\Windows\SysWOW64\hijemuu.exe"
        415⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\egqmfbz.exe
        
        C:\Windows\system32\egqmfbz.exe 2164 "C:\Windows\SysWOW64\uvbcrys.exe"
        416⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\ofukpag.exe
        
        C:\Windows\system32\ofukpag.exe 2168 "C:\Windows\SysWOW64\egqmfbz.exe"
        417⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\yeghhro.exe
        
        C:\Windows\system32\yeghhro.exe 2172 "C:\Windows\SysWOW64\ofukpag.exe"
        418⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\idkfsqn.exe
        
        C:\Windows\system32\idkfsqn.exe 2200 "C:\Windows\SysWOW64\yeghhro.exe"
        419⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\snapftc.exe
        
        C:\Windows\system32\snapftc.exe 2192 "C:\Windows\SysWOW64\idkfsqn.exe"
        420⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\farflwa.exe
        
        C:\Windows\system32\farflwa.exe 2180 "C:\Windows\SysWOW64\snapftc.exe"
        421⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\plhpgah.exe
        
        C:\Windows\system32\plhpgah.exe 2188 "C:\Windows\SysWOW64\farflwa.exe"
        422⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\dyyfmdg.exe
        
        C:\Windows\system32\dyyfmdg.exe 2208 "C:\Windows\SysWOW64\plhpgah.exe"
        423⤵
        System Location Discovery: System Language Discovery
        
        PID:364
        
        C:\Windows\SysWOW64\kgmfgtp.exe
        
        C:\Windows\system32\kgmfgtp.exe 2196 "C:\Windows\SysWOW64\dyyfmdg.exe"
        424⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\ufycrsx.exe
        
        C:\Windows\system32\ufycrsx.exe 1600 "C:\Windows\SysWOW64\kgmfgtp.exe"
        425⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\hvtfzac.exe
        
        C:\Windows\system32\hvtfzac.exe 2212 "C:\Windows\SysWOW64\ufycrsx.exe"
        426⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\oloxtpm.exe
        
        C:\Windows\system32\oloxtpm.exe 1732 "C:\Windows\SysWOW64\hvtfzac.exe"
        427⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\bfunfuq.exe
        
        C:\Windows\system32\bfunfuq.exe 2220 "C:\Windows\SysWOW64\oloxtpm.exe"
        428⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\leykpsy.exe
        
        C:\Windows\system32\leykpsy.exe 2224 "C:\Windows\SysWOW64\bfunfuq.exe"
        429⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\ydtnybv.exe
        
        C:\Windows\system32\ydtnybv.exe 2228 "C:\Windows\SysWOW64\leykpsy.exe"
        430⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\fkpfsqf.exe
        
        C:\Windows\system32\fkpfsqf.exe 2240 "C:\Windows\SysWOW64\ydtnybv.exe"
        431⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\sbjibyk.exe
        
        C:\Windows\system32\sbjibyk.exe 2236 "C:\Windows\SysWOW64\fkpfsqf.exe"
        432⤵
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\clzsobq.exe
        
        C:\Windows\system32\clzsobq.exe 2256 "C:\Windows\SysWOW64\sbjibyk.exe"
        433⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\mklqgay.exe
        
        C:\Windows\system32\mklqgay.exe 2232 "C:\Windows\SysWOW64\clzsobq.exe"
        434⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\axufmex.exe
        
        C:\Windows\system32\axufmex.exe 2244 "C:\Windows\SysWOW64\mklqgay.exe"
        435⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\hrbsbyf.exe
        
        C:\Windows\system32\hrbsbyf.exe 2248 "C:\Windows\SysWOW64\axufmex.exe"
        436⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\uelihum.exe
        
        C:\Windows\system32\uelihum.exe 2260 "C:\Windows\SysWOW64\hrbsbyf.exe"
        437⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\dklxfbr.exe
        
        C:\Windows\system32\dklxfbr.exe 2264 "C:\Windows\SysWOW64\uelihum.exe"
        438⤵
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\orxdpaz.exe
        
        C:\Windows\system32\orxdpaz.exe 2268 "C:\Windows\SysWOW64\dklxfbr.exe"
        439⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\ymqnxuz.exe
        
        C:\Windows\system32\ymqnxuz.exe 2252 "C:\Windows\SysWOW64\orxdpaz.exe"
        440⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\fumfrkj.exe
        
        C:\Windows\system32\fumfrkj.exe 2284 "C:\Windows\SysWOW64\ymqnxuz.exe"
        441⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\klhiaso.exe
        
        C:\Windows\system32\klhiaso.exe 2272 "C:\Windows\SysWOW64\fumfrkj.exe"
        442⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\uktgkrw.exe
        
        C:\Windows\system32\uktgkrw.exe 2288 "C:\Windows\SysWOW64\klhiaso.exe"
        443⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\frxldpd.exe
        
        C:\Windows\system32\frxldpd.exe 2292 "C:\Windows\SysWOW64\uktgkrw.exe"
        444⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\mvhqmbg.exe
        
        C:\Windows\system32\mvhqmbg.exe 2296 "C:\Windows\SysWOW64\frxldpd.exe"
        445⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\wulnezo.exe
        
        C:\Windows\system32\wulnezo.exe 2300 "C:\Windows\SysWOW64\mvhqmbg.exe"
        446⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\gxayscu.exe
        
        C:\Windows\system32\gxayscu.exe 2028 "C:\Windows\SysWOW64\wulnezo.exe"
        447⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\tksoxgt.exe
        
        C:\Windows\system32\tksoxgt.exe 2304 "C:\Windows\SysWOW64\gxayscu.exe"
        448⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\erwtifa.exe
        
        C:\Windows\system32\erwtifa.exe 2308 "C:\Windows\SysWOW64\tksoxgt.exe"
        449⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\oqiqaei.exe
        
        C:\Windows\system32\oqiqaei.exe 2316 "C:\Windows\SysWOW64\erwtifa.exe"
        450⤵
        Drops file in System32 directory
        
        PID:3888
        
        C:\Windows\SysWOW64\ytybnho.exe
        
        C:\Windows\system32\ytybnho.exe 2280 "C:\Windows\SysWOW64\oqiqaei.exe"
        451⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\lrsewhu.exe
        
        C:\Windows\system32\lrsewhu.exe 2312 "C:\Windows\SysWOW64\ytybnho.exe"
        452⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\sczjtjc.exe
        
        C:\Windows\system32\sczjtjc.exe 2324 "C:\Windows\SysWOW64\lrsewhu.exe"
        453⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\adyjaqg.exe
        
        C:\Windows\system32\adyjaqg.exe 2332 "C:\Windows\SysWOW64\sczjtjc.exe"
        454⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\kccgson.exe
        
        C:\Windows\system32\kccgson.exe 2320 "C:\Windows\SysWOW64\adyjaqg.exe"
        455⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\weiwebs.exe
        
        C:\Windows\system32\weiwebs.exe 2344 "C:\Windows\SysWOW64\kccgson.exe"
        456⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\emeoqqb.exe
        
        C:\Windows\system32\emeoqqb.exe 2328 "C:\Windows\SysWOW64\weiwebs.exe"
        457⤵
        Drops file in System32 directory
        
        PID:3372
        
        C:\Windows\SysWOW64\rczrgyz.exe
        
        C:\Windows\system32\rczrgyz.exe 2336 "C:\Windows\SysWOW64\emeoqqb.exe"
        458⤵
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\byzboti.exe
        
        C:\Windows\system32\byzboti.exe 1712 "C:\Windows\SysWOW64\rczrgyz.exe"
        459⤵
        Drops file in System32 directory
        
        PID:3680
        
        C:\Windows\SysWOW64\lmazesn.exe
        
        C:\Windows\system32\lmazesn.exe 2352 "C:\Windows\SysWOW64\byzboti.exe"
        460⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\veqerjp.exe
        
        C:\Windows\system32\veqerjp.exe 2356 "C:\Windows\SysWOW64\lmazesn.exe"
        461⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\fhfgemv.exe
        
        C:\Windows\system32\fhfgemv.exe 2348 "C:\Windows\SysWOW64\veqerjp.exe"
        462⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\pgjmokd.exe
        
        C:\Windows\system32\pgjmokd.exe 2360 "C:\Windows\SysWOW64\fhfgemv.exe"
        463⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\zqzwkor.exe
        
        C:\Windows\system32\zqzwkor.exe 2364 "C:\Windows\SysWOW64\pgjmokd.exe"
        464⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\kiouoel.exe
        
        C:\Windows\system32\kiouoel.exe 2388 "C:\Windows\SysWOW64\zqzwkor.exe"
        465⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\uharzcs.exe
        
        C:\Windows\system32\uharzcs.exe 2372 "C:\Windows\SysWOW64\kiouoel.exe"
        466⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\ehewrba.exe
        
        C:\Windows\system32\ehewrba.exe 1756 "C:\Windows\SysWOW64\uharzcs.exe"
        467⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\ogqucah.exe
        
        C:\Windows\system32\ogqucah.exe 2376 "C:\Windows\SysWOW64\ehewrba.exe"
        468⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\vzpzzuq.exe
        
        C:\Windows\system32\vzpzzuq.exe 2392 "C:\Windows\SysWOW64\ogqucah.exe"
        469⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\gytwjtx.exe
        
        C:\Windows\system32\gytwjtx.exe 2380 "C:\Windows\SysWOW64\vzpzzuq.exe"
        470⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\ngppvqh.exe
        
        C:\Windows\system32\ngppvqh.exe 1852 "C:\Windows\SysWOW64\gytwjtx.exe"
        471⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\atymjmg.exe
        
        C:\Windows\system32\atymjmg.exe 2404 "C:\Windows\SysWOW64\ngppvqh.exe"
        472⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\kskkuln.exe
        
        C:\Windows\system32\kskkuln.exe 2396 "C:\Windows\SysWOW64\atymjmg.exe"
        473⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\uzphejn.exe
        
        C:\Windows\system32\uzphejn.exe 2400 "C:\Windows\SysWOW64\kskkuln.exe"
        474⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\fybfwiu.exe
        
        C:\Windows\system32\fybfwiu.exe 2420 "C:\Windows\SysWOW64\uzphejn.exe"
        475⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\oaqpkla.exe
        
        C:\Windows\system32\oaqpkla.exe 2412 "C:\Windows\SysWOW64\fybfwiu.exe"
        476⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cvifpph.exe
        
        C:\Windows\system32\cvifpph.exe 2416 "C:\Windows\SysWOW64\oaqpkla.exe"
        477⤵
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\mvmcaoh.exe
        
        C:\Windows\system32\mvmcaoh.exe 2408 "C:\Windows\SysWOW64\cvifpph.exe"
        478⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\tgkhxix.exe
        
        C:\Windows\system32\tgkhxix.exe 2428 "C:\Windows\SysWOW64\mvmcaoh.exe"
        479⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\giqxiub.exe
        
        C:\Windows\system32\giqxiub.exe 2424 "C:\Windows\SysWOW64\tgkhxix.exe"
        480⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\qhdutlj.exe
        
        C:\Windows\system32\qhdutlj.exe 2432 "C:\Windows\SysWOW64\giqxiub.exe"
        481⤵
        Drops file in System32 directory
        
        PID:3356
        
        C:\Windows\SysWOW64\dxxxjth.exe
        
        C:\Windows\system32\dxxxjth.exe 2444 "C:\Windows\SysWOW64\qhdutlj.exe"
        482⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\qspnpxn.exe
        
        C:\Windows\system32\qspnpxn.exe 2436 "C:\Windows\SysWOW64\dxxxjth.exe"
        483⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\artsawn.exe
        
        C:\Windows\system32\artsawn.exe 2448 "C:\Windows\SysWOW64\qspnpxn.exe"
        484⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\cuiunzb.exe
        
        C:\Windows\system32\cuiunzb.exe 2460 "C:\Windows\SysWOW64\artsawn.exe"
        485⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\mbvafyb.exe
        
        C:\Windows\system32\mbvafyb.exe 2468 "C:\Windows\SysWOW64\cuiunzb.exe"
        486⤵
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\wazxqwi.exe
        
        C:\Windows\system32\wazxqwi.exe 2456 "C:\Windows\SysWOW64\mbvafyb.exe"
        487⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\hwaixrj.exe
        
        C:\Windows\system32\hwaixrj.exe 2452 "C:\Windows\SysWOW64\wazxqwi.exe"
        488⤵
        Drops file in System32 directory
        
        PID:3960
        
        C:\Windows\SysWOW64\ohynulz.exe
        
        C:\Windows\system32\ohynulz.exe 2464 "C:\Windows\SysWOW64\hwaixrj.exe"
        489⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\bftqdtf.exe
        
        C:\Windows\system32\bftqdtf.exe 2440 "C:\Windows\SysWOW64\ohynulz.exe"
        490⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\lffnnke.exe
        
        C:\Windows\system32\lffnnke.exe 2472 "C:\Windows\SysWOW64\bftqdtf.exe"
        491⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\vhvxint.exe
        
        C:\Windows\system32\vhvxint.exe 2476 "C:\Windows\SysWOW64\lffnnke.exe"
        492⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\fzkdndn.exe
        
        C:\Windows\system32\fzkdndn.exe 2480 "C:\Windows\SysWOW64\vhvxint.exe"
        493⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\pnladka.exe
        
        C:\Windows\system32\pnladka.exe 2484 "C:\Windows\SysWOW64\fzkdndn.exe"
        494⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\afayqac.exe
        
        C:\Windows\system32\afayqac.exe 2488 "C:\Windows\SysWOW64\pnladka.exe"
        495⤵
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\mzgnbng.exe
        
        C:\Windows\system32\mzgnbng.exe 2492 "C:\Windows\SysWOW64\afayqac.exe"
        496⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\tlfsrho.exe
        
        C:\Windows\system32\tlfsrho.exe 1900 "C:\Windows\SysWOW64\mzgnbng.exe"
        497⤵
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\dsrqjfw.exe
        
        C:\Windows\system32\dsrqjfw.exe 2504 "C:\Windows\SysWOW64\tlfsrho.exe"
        498⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\qimssob.exe
        
        C:\Windows\system32\qimssob.exe 2508 "C:\Windows\SysWOW64\dsrqjfw.exe"
        499⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\benlzic.exe
        
        C:\Windows\system32\benlzic.exe 2500 "C:\Windows\SysWOW64\qimssob.exe"
        500⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\ipmqwcs.exe
        
        C:\Windows\system32\ipmqwcs.exe 2516 "C:\Windows\SysWOW64\benlzic.exe"
        501⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\ybmlahp.exe
        
        C:\Windows\system32\ybmlahp.exe 2512 "C:\Windows\SysWOW64\ipmqwcs.exe"
        502⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\ibyilgp.exe
        
        C:\Windows\system32\ibyilgp.exe 2540 "C:\Windows\SysWOW64\ybmlahp.exe"
        503⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\slntyjd.exe
        
        C:\Windows\system32\slntyjd.exe 2520 "C:\Windows\SysWOW64\ibyilgp.exe"
        504⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cksqqil.exe
        
        C:\Windows\system32\cksqqil.exe 2528 "C:\Windows\SysWOW64\slntyjd.exe"
        505⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\mjeobhk.exe
        
        C:\Windows\system32\mjeobhk.exe 2524 "C:\Windows\SysWOW64\cksqqil.exe"
        506⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\urrovwu.exe
        
        C:\Windows\system32\urrovwu.exe 2532 "C:\Windows\SysWOW64\mjeobhk.exe"
        507⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\gquidez.exe
        
        C:\Windows\system32\gquidez.exe 2544 "C:\Windows\SysWOW64\urrovwu.exe"
        508⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\qsjtrhg.exe
        
        C:\Windows\system32\qsjtrhg.exe 2552 "C:\Windows\SysWOW64\gquidez.exe"
        509⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\boclycg.exe
        
        C:\Windows\system32\boclycg.exe 2548 "C:\Windows\SysWOW64\qsjtrhg.exe"
        510⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\lnojrbo.exe
        
        C:\Windows\system32\lnojrbo.exe 2556 "C:\Windows\SysWOW64\boclycg.exe"
        511⤵
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\sucbdqx.exe
        
        C:\Windows\system32\sucbdqx.exe 2536 "C:\Windows\SysWOW64\lnojrbo.exe"
        512⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\ccogvpf.exe
        
        C:\Windows\system32\ccogvpf.exe 2560 "C:\Windows\SysWOW64\sucbdqx.exe"
        513⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\qpxwbte.exe
        
        C:\Windows\system32\qpxwbte.exe 2564 "C:\Windows\SysWOW64\ccogvpf.exe"
        514⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\aojtmrl.exe
        
        C:\Windows\system32\aojtmrl.exe 1564 "C:\Windows\SysWOW64\qpxwbte.exe"
        515⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\mqqjxeq.exe
        
        C:\Windows\system32\mqqjxeq.exe 2572 "C:\Windows\SysWOW64\aojtmrl.exe"
        516⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\xpugpvx.exe
        
        C:\Windows\system32\xpugpvx.exe 2576 "C:\Windows\SysWOW64\mqqjxeq.exe"
        517⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\hogeatf.exe
        
        C:\Windows\system32\hogeatf.exe 2580 "C:\Windows\SysWOW64\xpugpvx.exe"
        518⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\tqmulgj.exe
        
        C:\Windows\system32\tqmulgj.exe 2584 "C:\Windows\SysWOW64\hogeatf.exe"
        519⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\byzmfvt.exe
        
        C:\Windows\system32\byzmfvt.exe 2588 "C:\Windows\SysWOW64\tqmulgj.exe"
        520⤵
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\lxljqus.exe
        
        C:\Windows\system32\lxljqus.exe 2592 "C:\Windows\SysWOW64\byzmfvt.exe"
        521⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\ykvzwyz.exe
        
        C:\Windows\system32\ykvzwyz.exe 2596 "C:\Windows\SysWOW64\lxljqus.exe"
        522⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\frqzqna.exe
        
        C:\Windows\system32\frqzqna.exe 2600 "C:\Windows\SysWOW64\ykvzwyz.exe"
        523⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\sqlcywg.exe
        
        C:\Windows\system32\sqlcywg.exe 2608 "C:\Windows\SysWOW64\frqzqna.exe"
        524⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cpxzjun.exe
        
        C:\Windows\system32\cpxzjun.exe 2612 "C:\Windows\SysWOW64\sqlcywg.exe"
        525⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\msnjwxu.exe
        
        C:\Windows\system32\msnjwxu.exe 2616 "C:\Windows\SysWOW64\cpxzjun.exe"
        526⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\uhacqnd.exe
        
        C:\Windows\system32\uhacqnd.exe 1028 "C:\Windows\SysWOW64\msnjwxu.exe"
        527⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\egmzbml.exe
        
        C:\Windows\system32\egmzbml.exe 2632 "C:\Windows\SysWOW64\uhacqnd.exe"
        528⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\jtwphpk.exe
        
        C:\Windows\system32\jtwphpk.exe 2636 "C:\Windows\SysWOW64\egmzbml.exe"
        529⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\tsiuzor.exe
        
        C:\Windows\system32\tsiuzor.exe 2620 "C:\Windows\SysWOW64\jtwphpk.exe"
        530⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\drmsjnz.exe
        
        C:\Windows\system32\drmsjnz.exe 2640 "C:\Windows\SysWOW64\tsiuzor.exe"
        531⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\ncbcfqf.exe
        
        C:\Windows\system32\ncbcfqf.exe 2624 "C:\Windows\SysWOW64\drmsjnz.exe"
        532⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\xbozphm.exe
        
        C:\Windows\system32\xbozphm.exe 2628 "C:\Windows\SysWOW64\ncbcfqf.exe"
        533⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\lofpvll.exe
        
        C:\Windows\system32\lofpvll.exe 2644 "C:\Windows\SysWOW64\xbozphm.exe"
        534⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\vvjmfkt.exe
        
        C:\Windows\system32\vvjmfkt.exe 2648 "C:\Windows\SysWOW64\lofpvll.exe"
        535⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\funkyis.exe
        
        C:\Windows\system32\funkyis.exe 2652 "C:\Windows\SysWOW64\vvjmfkt.exe"
        536⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\mgupncj.exe
        
        C:\Windows\system32\mgupncj.exe 2656 "C:\Windows\SysWOW64\funkyis.exe"
        537⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\ztensgh.exe
        
        C:\Windows\system32\ztensgh.exe 2660 "C:\Windows\SysWOW64\mgupncj.exe"
        538⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\jhecqnu.exe
        
        C:\Windows\system32\jhecqnu.exe 2668 "C:\Windows\SysWOW64\ztensgh.exe"
        539⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\tgqabmc.exe
        
        C:\Windows\system32\tgqabmc.exe 2664 "C:\Windows\SysWOW64\jhecqnu.exe"
        540⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\gbaxhqb.exe
        
        C:\Windows\system32\gbaxhqb.exe 2672 "C:\Windows\SysWOW64\tgqabmc.exe"
        541⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\qamvrpa.exe
        
        C:\Windows\system32\qamvrpa.exe 2676 "C:\Windows\SysWOW64\gbaxhqb.exe"
        542⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\azqskgi.exe
        
        C:\Windows\system32\azqskgi.exe 2680 "C:\Windows\SysWOW64\qamvrpa.exe"
        543⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\lyupuep.exe
        
        C:\Windows\system32\lyupuep.exe 2684 "C:\Windows\SysWOW64\azqskgi.exe"
        544⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\ujsapiw.exe
        
        C:\Windows\system32\ujsapiw.exe 2696 "C:\Windows\SysWOW64\lyupuep.exe"
        545⤵
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\iwbqvlc.exe
        
        C:\Windows\system32\iwbqvlc.exe 2688 "C:\Windows\SysWOW64\ujsapiw.exe"
        546⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\ryraioj.exe
        
        C:\Windows\system32\ryraioj.exe 1884 "C:\Windows\SysWOW64\iwbqvlc.exe"
        547⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\curkqjk.exe
        
        C:\Windows\system32\curkqjk.exe 2700 "C:\Windows\SysWOW64\ryraioj.exe"
        548⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\mehvlmq.exe
        
        C:\Windows\system32\mehvlmq.exe 2712 "C:\Windows\SysWOW64\curkqjk.exe"
        549⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\whwfype.exe
        
        C:\Windows\system32\whwfype.exe 2704 "C:\Windows\SysWOW64\mehvlmq.exe"
        550⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\jcoveld.exe
        
        C:\Windows\system32\jcoveld.exe 2708 "C:\Windows\SysWOW64\whwfype.exe"
        551⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\tfdfroj.exe
        
        C:\Windows\system32\tfdfroj.exe 2720 "C:\Windows\SysWOW64\jcoveld.exe"
        552⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\daeyhjk.exe
        
        C:\Windows\system32\daeyhjk.exe 2716 "C:\Windows\SysWOW64\tfdfroj.exe"
        553⤵
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\nltiumy.exe
        
        C:\Windows\system32\nltiumy.exe 2728 "C:\Windows\SysWOW64\daeyhjk.exe"
        554⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\uspaoji.exe
        
        C:\Windows\system32\uspaoji.exe 2740 "C:\Windows\SysWOW64\nltiumy.exe"
        555⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\ifyqufh.exe
        
        C:\Windows\system32\ifyqufh.exe 2732 "C:\Windows\SysWOW64\uspaoji.exe"
        556⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\sfknfeg.exe
        
        C:\Windows\system32\sfknfeg.exe 2744 "C:\Windows\SysWOW64\ifyqufh.exe"
        557⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\fvfqnmm.exe
        
        C:\Windows\system32\fvfqnmm.exe 2724 "C:\Windows\SysWOW64\sfknfeg.exe"
        558⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\moedkgc.exe
        
        C:\Windows\system32\moedkgc.exe 2748 "C:\Windows\SysWOW64\fvfqnmm.exe"
        559⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\wkfosad.exe
        
        C:\Windows\system32\wkfosad.exe 2752 "C:\Windows\SysWOW64\moedkgc.exe"
        560⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\essgmqm.exe
        
        C:\Windows\system32\essgmqm.exe 2756 "C:\Windows\SysWOW64\wkfosad.exe"
        561⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\tzmothi.exe
        
        C:\Windows\system32\tzmothi.exe 2760 "C:\Windows\SysWOW64\essgmqm.exe"
        562⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\atktiby.exe
        
        C:\Windows\system32\atktiby.exe 2764 "C:\Windows\SysWOW64\tzmothi.exe"
        563⤵
        Drops file in System32 directory
        
        PID:3488
        
        C:\Windows\SysWOW64\ogujofx.exe
        
        C:\Windows\system32\ogujofx.exe 2736 "C:\Windows\SysWOW64\atktiby.exe"
        564⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\yfgogde.exe
        
        C:\Windows\system32\yfgogde.exe 2216 "C:\Windows\SysWOW64\ogujofx.exe"
        565⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\ieklqce.exe
        
        C:\Windows\system32\ieklqce.exe 2776 "C:\Windows\SysWOW64\yfgogde.exe"
        566⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\slwjbbm.exe
        
        C:\Windows\system32\slwjbbm.exe 2780 "C:\Windows\SysWOW64\ieklqce.exe"
        567⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\zwvoyvc.exe
        
        C:\Windows\system32\zwvoyvc.exe 2788 "C:\Windows\SysWOW64\slwjbbm.exe"
        568⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\jvzliub.exe
        
        C:\Windows\system32\jvzliub.exe 2772 "C:\Windows\SysWOW64\zwvoyvc.exe"
        569⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\zlttpdf.exe
        
        C:\Windows\system32\zlttpdf.exe 2800 "C:\Windows\SysWOW64\jvzliub.exe"
        570⤵
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\jkxrzcm.exe
        
        C:\Windows\system32\jkxrzcm.exe 2792 "C:\Windows\SysWOW64\zlttpdf.exe"
        571⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\tnmbvft.exe
        
        C:\Windows\system32\tnmbvft.exe 2808 "C:\Windows\SysWOW64\jkxrzcm.exe"
        572⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\vuyzfea.exe
        
        C:\Windows\system32\vuyzfea.exe 1092 "C:\Windows\SysWOW64\tnmbvft.exe"
        573⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\ihioliz.exe
        
        C:\Windows\system32\ihioliz.exe 2804 "C:\Windows\SysWOW64\vuyzfea.exe"
        574⤵
        Drops file in System32 directory
        
        PID:3216
        
        C:\Windows\SysWOW64\sgumdgh.exe
        
        C:\Windows\system32\sgumdgh.exe 2796 "C:\Windows\SysWOW64\ihioliz.exe"
        575⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\crjwrcn.exe
        
        C:\Windows\system32\crjwrcn.exe 2812 "C:\Windows\SysWOW64\sgumdgh.exe"
        576⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\phezzkt.exe
        
        C:\Windows\system32\phezzkt.exe 2820 "C:\Windows\SysWOW64\crjwrcn.exe"
        577⤵
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\zgqwkia.exe
        
        C:\Windows\system32\zgqwkia.exe 2832 "C:\Windows\SysWOW64\phezzkt.exe"
        578⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\jnuccha.exe
        
        C:\Windows\system32\jnuccha.exe 2816 "C:\Windows\SysWOW64\zgqwkia.exe"
        579⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\tqkepko.exe
        
        C:\Windows\system32\tqkepko.exe 2824 "C:\Windows\SysWOW64\jnuccha.exe"
        580⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\hdbcvon.exe
        
        C:\Windows\system32\hdbcvon.exe 2840 "C:\Windows\SysWOW64\tqkepko.exe"
        581⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\qnrmqrt.exe
        
        C:\Windows\system32\qnrmqrt.exe 2844 "C:\Windows\SysWOW64\hdbcvon.exe"
        582⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\aqgodmz.exe
        
        C:\Windows\system32\aqgodmz.exe 2828 "C:\Windows\SysWOW64\qnrmqrt.exe"
        583⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\odymjqg.exe
        
        C:\Windows\system32\odymjqg.exe 2836 "C:\Windows\SysWOW64\aqgodmz.exe"
        584⤵
        Drops file in System32 directory
        
        PID:3836
        
        C:\Windows\SysWOW64\ykckupg.exe
        
        C:\Windows\system32\ykckupg.exe 2848 "C:\Windows\SysWOW64\odymjqg.exe"
        585⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\ijohmon.exe
        
        C:\Windows\system32\ijohmon.exe 2852 "C:\Windows\SysWOW64\ykckupg.exe"
        586⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\sisexnv.exe
        
        C:\Windows\system32\sisexnv.exe 2856 "C:\Windows\SysWOW64\ijohmon.exe"
        587⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\fznhfva.exe
        
        C:\Windows\system32\fznhfva.exe 2864 "C:\Windows\SysWOW64\sisexnv.exe"
        588⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\pjcrayh.exe
        
        C:\Windows\system32\pjcrayh.exe 2868 "C:\Windows\SysWOW64\fznhfva.exe"
        589⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\zmacotn.exe
        
        C:\Windows\system32\zmacotn.exe 2860 "C:\Windows\SysWOW64\pjcrayh.exe"
        590⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\jtezysu.exe
        
        C:\Windows\system32\jtezysu.exe 2872 "C:\Windows\SysWOW64\zmacotn.exe"
        591⤵
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\wkzchaa.exe
        
        C:\Windows\system32\wkzchaa.exe 2876 "C:\Windows\SysWOW64\jtezysu.exe"
        592⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\gjlzzzi.exe
        
        C:\Windows\system32\gjlzzzi.exe 2884 "C:\Windows\SysWOW64\wkzchaa.exe"
        593⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\qqpxjyh.exe
        
        C:\Windows\system32\qqpxjyh.exe 2888 "C:\Windows\SysWOW64\gjlzzzi.exe"
        594⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\ddgnpbg.exe
        
        C:\Windows\system32\ddgnpbg.exe 2900 "C:\Windows\SysWOW64\qqpxjyh.exe"
        595⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\nfwxkfu.exe
        
        C:\Windows\system32\nfwxkfu.exe 2892 "C:\Windows\SysWOW64\ddgnpbg.exe"
        596⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\xqlhyia.exe
        
        C:\Windows\system32\xqlhyia.exe 2896 "C:\Windows\SysWOW64\nfwxkfu.exe"
        597⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\kddxdez.exe
        
        C:\Windows\system32\kddxdez.exe 2880 "C:\Windows\SysWOW64\xqlhyia.exe"
        598⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\robkaxq.exe
        
        C:\Windows\system32\robkaxq.exe 2912 "C:\Windows\SysWOW64\kddxdez.exe"
        599⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\ebtagbo.exe
        
        C:\Windows\system32\ebtagbo.exe 2908 "C:\Windows\SysWOW64\robkaxq.exe"
        600⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\raodpju.exe
        
        C:\Windows\system32\raodpju.exe 2916 "C:\Windows\SysWOW64\ebtagbo.exe"
        601⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\bcdncma.exe
        
        C:\Windows\system32\bcdncma.exe 2904 "C:\Windows\SysWOW64\raodpju.exe"
        602⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\myexkhb.exe
        
        C:\Windows\system32\myexkhb.exe 2924 "C:\Windows\SysWOW64\bcdncma.exe"
        603⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\yakndlf.exe
        
        C:\Windows\system32\yakndlf.exe 2928 "C:\Windows\SysWOW64\myexkhb.exe"
        604⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
        
        C:\Windows\SysWOW64\fljssnw.exe
        
        C:\Windows\system32\fljssnw.exe 2920 "C:\Windows\SysWOW64\yakndlf.exe"
        605⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\qsvqlmv.exe
        
        C:\Windows\system32\qsvqlmv.exe 2936 "C:\Windows\SysWOW64\fljssnw.exe"
        606⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\dfefqic.exe
        
        C:\Windows\system32\dfefqic.exe 2932 "C:\Windows\SysWOW64\qsvqlmv.exe"
        607⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\niuqeli.exe
        
        C:\Windows\system32\niuqeli.exe 2940 "C:\Windows\SysWOW64\dfefqic.exe"
        608⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\xdvilfj.exe
        
        C:\Windows\system32\xdvilfj.exe 2952 "C:\Windows\SysWOW64\niuqeli.exe"
        609⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\kcpduno.exe
        
        C:\Windows\system32\kcpduno.exe 2948 "C:\Windows\SysWOW64\xdvilfj.exe"
        610⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\rnwqrhx.exe
        
        C:\Windows\system32\rnwqrhx.exe 2956 "C:\Windows\SysWOW64\kcpduno.exe"
        611⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\bmanbge.exe
        
        C:\Windows\system32\bmanbge.exe 2944 "C:\Windows\SysWOW64\rnwqrhx.exe"
        612⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\olvqkok.exe
        
        C:\Windows\system32\olvqkok.exe 2960 "C:\Windows\SysWOW64\bmanbge.exe"
        613⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\ykhncnr.exe
        
        C:\Windows\system32\ykhncnr.exe 2964 "C:\Windows\SysWOW64\olvqkok.exe"
        614⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\ijllnmr.exe
        
        C:\Windows\system32\ijllnmr.exe 2972 "C:\Windows\SysWOW64\ykhncnr.exe"
        615⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\vhoovmw.exe
        
        C:\Windows\system32\vhoovmw.exe 2976 "C:\Windows\SysWOW64\ijllnmr.exe"
        616⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\fgslole.exe
        
        C:\Windows\system32\fgslole.exe 2988 "C:\Windows\SysWOW64\vhoovmw.exe"
        617⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\hjivbok.exe
        
        C:\Windows\system32\hjivbok.exe 2992 "C:\Windows\SysWOW64\fgslole.exe"
        618⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\vwzlhsj.exe
        
        C:\Windows\system32\vwzlhsj.exe 2984 "C:\Windows\SysWOW64\hjivbok.exe"
        619⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\fddirqr.exe
        
        C:\Windows\system32\fddirqr.exe 2968 "C:\Windows\SysWOW64\vwzlhsj.exe"
        620⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\pgttmux.exe
        
        C:\Windows\system32\pgttmux.exe 3016 "C:\Windows\SysWOW64\fddirqr.exe"
        621⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\zbuluog.exe
        
        C:\Windows\system32\zbuluog.exe 3004 "C:\Windows\SysWOW64\pgttmux.exe"
        622⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\jayjenf.exe
        
        C:\Windows\system32\jayjenf.exe 2980 "C:\Windows\SysWOW64\zbuluog.exe"
        623⤵
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\SysWOW64\qteobhw.exe
        
        C:\Windows\system32\qteobhw.exe 3000 "C:\Windows\SysWOW64\jayjenf.exe"
        624⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\atilmfv.exe
        
        C:\Windows\system32\atilmfv.exe 3008 "C:\Windows\SysWOW64\qteobhw.exe"
        625⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\nvpbxkh.exe
        
        C:\Windows\system32\nvpbxkh.exe 2996 "C:\Windows\SysWOW64\atilmfv.exe"
        626⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\xqplnei.exe
        
        C:\Windows\system32\xqplnei.exe 3020 "C:\Windows\SysWOW64\nvpbxkh.exe"
        627⤵
        
        PID:596
        
        C:\Windows\SysWOW64\khkovmo.exe
        
        C:\Windows\system32\khkovmo.exe 3012 "C:\Windows\SysWOW64\xqplnei.exe"
        628⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\rsrtkgw.exe
        
        C:\Windows\system32\rsrtkgw.exe 2768 "C:\Windows\SysWOW64\khkovmo.exe"
        629⤵
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Windows\SysWOW64\eqmwboc.exe
        
        C:\Windows\system32\eqmwboc.exe 3028 "C:\Windows\SysWOW64\rsrtkgw.exe"
        630⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\ppqtlnj.exe
        
        C:\Windows\system32\ppqtlnj.exe 3040 "C:\Windows\SysWOW64\eqmwboc.exe"
        631⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cchrrri.exe
        
        C:\Windows\system32\cchrrri.exe 3044 "C:\Windows\SysWOW64\ppqtlnj.exe"
        632⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\mnxtfuo.exe
        
        C:\Windows\system32\mnxtfuo.exe 3036 "C:\Windows\SysWOW64\cchrrri.exe"
        633⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\yeswnuu.exe
        
        C:\Windows\system32\yeswnuu.exe 3048 "C:\Windows\SysWOW64\mnxtfuo.exe"
        634⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\gpyjkoc.exe
        
        C:\Windows\system32\gpyjkoc.exe 3032 "C:\Windows\SysWOW64\yeswnuu.exe"
        635⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\tkizqsb.exe
        
        C:\Windows\system32\tkizqsb.exe 3052 "C:\Windows\SysWOW64\gpyjkoc.exe"
        636⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\djuwiri.exe
        
        C:\Windows\system32\djuwiri.exe 3080 "C:\Windows\SysWOW64\tkizqsb.exe"
        637⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\qzpzrzo.exe
        
        C:\Windows\system32\qzpzrzo.exe 3056 "C:\Windows\SysWOW64\djuwiri.exe"
        638⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\xtnegtw.exe
        
        C:\Windows\system32\xtnegtw.exe 3076 "C:\Windows\SysWOW64\qzpzrzo.exe"
        639⤵
        
        PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\msnnbtg.exe

Filesize
105KB

MD5
f176a160ef615d6a7b2fd43bd4394107

SHA1
41c25402f03189d08f6a38c3036ee77addc59e02

SHA256
09a86ae227898e5193ff0b6ce5b69a264ae172018b84bda1f7f2b7f178c1d080

SHA512
b957795258af71352dfb2cc32e92723266b367d7b2023de8b6914ad9285695a8666ffb79e2f2d2dcedc780253e332ce3f4bfb14ec578490910a3e8a8e0210dc5

Download Submit
memory/524-217-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/524-205-0x00000000026D0000-0x00000000027CB000-memory.dmp

Filesize
1004KB

Download
memory/524-193-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/560-178-0x0000000002840000-0x000000000293B000-memory.dmp

Filesize
1004KB

Download
memory/560-181-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/588-97-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/588-93-0x0000000002720000-0x000000000281B000-memory.dmp

Filesize
1004KB

Download
memory/588-95-0x0000000002720000-0x000000000281B000-memory.dmp

Filesize
1004KB

Download
memory/692-348-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/692-337-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/692-336-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/972-277-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1088-207-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1088-228-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1168-241-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1444-124-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1444-121-0x00000000027F0000-0x00000000028EB000-memory.dmp

Filesize
1004KB

Download
memory/1468-130-0x0000000002780000-0x000000000287B000-memory.dmp

Filesize
1004KB

Download
memory/1468-122-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1468-139-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1468-136-0x0000000002780000-0x000000000287B000-memory.dmp

Filesize
1004KB

Download
memory/1524-238-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1524-248-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1536-355-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1668-179-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1668-194-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1972-338-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1972-328-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1992-381-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/1992-380-0x0000000002790000-0x000000000288B000-memory.dmp

Filesize
1004KB

Download
memory/2000-232-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2000-220-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2024-335-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2180-69-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2180-91-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2192-309-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2192-318-0x0000000002650000-0x000000000274B000-memory.dmp

Filesize
1004KB

Download
memory/2192-323-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2204-271-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2204-255-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2252-363-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2252-374-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2288-153-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2288-171-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2288-160-0x0000000002760000-0x000000000285B000-memory.dmp

Filesize
1004KB

Download
memory/2292-370-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2292-353-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2464-150-0x00000000026A0000-0x000000000279B000-memory.dmp

Filesize
1004KB

Download
memory/2464-137-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2464-151-0x00000000026A0000-0x000000000279B000-memory.dmp

Filesize
1004KB

Download
memory/2464-154-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2728-291-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2728-302-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2728-300-0x00000000026E0000-0x00000000027DB000-memory.dmp

Filesize
1004KB

Download
memory/2768-296-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2768-290-0x0000000002520000-0x000000000261B000-memory.dmp

Filesize
1004KB

Download
memory/2776-60-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2776-41-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2776-42-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2804-282-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2804-281-0x0000000002710000-0x000000000280B000-memory.dmp

Filesize
1004KB

Download
memory/2804-273-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2812-317-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2824-70-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2824-55-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2876-16-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2876-28-0x00000000027A0000-0x000000000289B000-memory.dmp

Filesize
1004KB

Download
memory/2876-15-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2876-35-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2936-1-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2936-2-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2936-13-0x0000000002630000-0x000000000272B000-memory.dmp

Filesize
1004KB

Download
memory/2936-0-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2936-17-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2988-246-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/2988-263-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3020-43-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3064-94-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download
memory/3064-108-0x0000000002720000-0x000000000281B000-memory.dmp

Filesize
1004KB

Download
memory/3064-119-0x0000000000400000-0x00000000004FB000-memory.dmp

Filesize
1004KB

Download