metasploit | 58fa7103a6da18ad8039c901c10af971627efdfb77a27f55a950aa37f4d04dc8

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-12-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe
Size

476KB
MD5

f3a6663b8cb810e905ff5c7bed9ef67e
SHA1

8e832fbcd04fad6c103bc8753ad87863454830ac
SHA256

58fa7103a6da18ad8039c901c10af971627efdfb77a27f55a950aa37f4d04dc8
SHA512

986064204320e6b1100e9c83e4691ee1d3aad06cdda575a723e6f49de9ed0ea0c5862b0d87e665167f9e74896dd0cdeaa12de6e1bb6753e68c56387154f98095
SSDEEP

6144:jFeLlS5FZCAv2wFR24biJjWti/9q7R/ck6pSDy4N5q39dVdnNn1u9/TPr5P6uzPh:JD6AvTFgJVWt49y5YeE8RhpQetCO

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
2292	qjkcie.exe
4940	qjkcie.exe
4832	bizkrx.exe
2844	bizkrx.exe
3464	ltqoch.exe
4988	ltqoch.exe
220	vsfjas.exe
116	vsfjas.exe
5036	iygwtq.exe
1096	iygwtq.exe
1164	wioxck.exe
4896	wioxck.exe
2176	artxqf.exe
2192	artxqf.exe
4016	niyymz.exe
2284	niyymz.exe
2776	avrlyx.exe
1880	avrlyx.exe
4728	nblzrw.exe
2684	nblzrw.exe
544	dvsrge.exe
2196	dvsrge.exe
4308	qxaspq.exe
3556	qxaspq.exe
3280	ahzvha.exe
212	ahzvha.exe
4740	lhoqft.exe
1724	lhoqft.exe
2308	sawozu.exe
4504	sawozu.exe
4444	ycfpio.exe
1820	ycfpio.exe
1824	fccfiy.exe
1136	fccfiy.exe
4460	smsnrk.exe
2784	smsnrk.exe
1196	cehipd.exe
1132	cehipd.exe
2956	prawab.exe
3780	prawab.exe
688	ayomqh.exe
3724	ayomqh.exe
640	kmrulo.exe
2344	kmrulo.exe
4668	xaliwm.exe
1568	xaliwm.exe
872	nmralu.exe
1240	nmralu.exe
3716	drctdu.exe
452	drctdu.exe
632	hlszub.exe
2860	hlszub.exe
5108	ucwzqv.exe
4740	ucwzqv.exe
4976	kzhsav.exe
3684	kzhsav.exe
2864	ztfdpd.exe
4344	ztfdpd.exe
2888	pqqvzl.exe
4000	pqqvzl.exe
4288	fylblo.exe
5068	fylblo.exe
3008	uhhhgs.exe
3764	uhhhgs.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pkvknp.exe	zbzeal.exe
File created	C:\Windows\SysWOW64\jjztyj.exe	umpboj.exe
File opened for modification	C:\Windows\SysWOW64\bizkrx.exe	qjkcie.exe
File opened for modification	C:\Windows\SysWOW64\ltqoch.exe	bizkrx.exe
File opened for modification	C:\Windows\SysWOW64\fccfiy.exe	ycfpio.exe
File created	C:\Windows\SysWOW64\xcwsdu.exe	klrsps.exe
File created	C:\Windows\SysWOW64\mxgvnf.exe	wplqtb.exe
File created	C:\Windows\SysWOW64\mzxfui.exe	fqcahe.exe
File created	C:\Windows\SysWOW64\wgsbra.exe	hyxdfw.exe
File opened for modification	C:\Windows\SysWOW64\sssuea.exe	cjxosw.exe
File created	C:\Windows\SysWOW64\wioxck.exe	iygwtq.exe
File opened for modification	C:\Windows\SysWOW64\bkquya.exe	tfgboa.exe
File created	C:\Windows\SysWOW64\piqgci.exe	wmpiuz.exe
File opened for modification	C:\Windows\SysWOW64\ijouma.exe	vpypvb.exe
File opened for modification	C:\Windows\SysWOW64\ahzvha.exe	qxaspq.exe
File opened for modification	C:\Windows\SysWOW64\kmrulo.exe	ayomqh.exe
File opened for modification	C:\Windows\SysWOW64\ytjtgj.exe	mkessp.exe
File created	C:\Windows\SysWOW64\dlrniu.exe	qrbzjn.exe
File created	C:\Windows\SysWOW64\xmuilw.exe	lvqhwc.exe
File created	C:\Windows\SysWOW64\amvotd.exe	nrfauw.exe
File created	C:\Windows\SysWOW64\ahzvha.exe	qxaspq.exe
File opened for modification	C:\Windows\SysWOW64\hqcjmv.exe	piqgci.exe
File created	C:\Windows\SysWOW64\bxxbnd.exe	wgsbra.exe
File opened for modification	C:\Windows\SysWOW64\gcevbe.exe	nfextv.exe
File opened for modification	C:\Windows\SysWOW64\fwduba.exe	tcngcb.exe
File created	C:\Windows\SysWOW64\kvvkbu.exe	umzepq.exe
File created	C:\Windows\SysWOW64\lsafkq.exe	wsmzxe.exe
File created	C:\Windows\SysWOW64\ndrghx.exe	amvotd.exe
File created	C:\Windows\SysWOW64\wmpiuz.exe	gdtkiv.exe
File created	C:\Windows\SysWOW64\rpcyss.exe	bsrfjt.exe
File opened for modification	C:\Windows\SysWOW64\xaliwm.exe	kmrulo.exe
File created	C:\Windows\SysWOW64\jpstsv.exe	wyoses.exe
File created	C:\Windows\SysWOW64\cikzrx.exe	ndrghx.exe
File created	C:\Windows\SysWOW64\kjefgg.exe	upfury.exe
File opened for modification	C:\Windows\SysWOW64\mzxfui.exe	fqcahe.exe
File opened for modification	C:\Windows\SysWOW64\dxdnsc.exe	ygynez.exe
File created	C:\Windows\SysWOW64\exfnec.exe	obvvuu.exe
File created	C:\Windows\SysWOW64\rokosw.exe	exfnec.exe
File opened for modification	C:\Windows\SysWOW64\kwrims.exe	fcjuvl.exe
File created	C:\Windows\SysWOW64\qxaspq.exe	dvsrge.exe
File opened for modification	C:\Windows\SysWOW64\ycfpio.exe	sawozu.exe
File opened for modification	C:\Windows\SysWOW64\hlszub.exe	drctdu.exe
File created	C:\Windows\SysWOW64\wplqtb.exe	kvvkbu.exe
File created	C:\Windows\SysWOW64\ihbora.exe	dfkoig.exe
File opened for modification	C:\Windows\SysWOW64\vpypvb.exe	fnzboy.exe
File created	C:\Windows\SysWOW64\dxdnsc.exe	ygynez.exe
File opened for modification	C:\Windows\SysWOW64\wplqtb.exe	kvvkbu.exe
File opened for modification	C:\Windows\SysWOW64\ecjmxl.exe	rhbhge.exe
File created	C:\Windows\SysWOW64\tqbgst.exe	dlrniu.exe
File opened for modification	C:\Windows\SysWOW64\lyxkne.exe	vtnrvw.exe
File created	C:\Windows\SysWOW64\qdcajh.exe	agshzh.exe
File opened for modification	C:\Windows\SysWOW64\dfkoig.exe	qdcajh.exe
File opened for modification	C:\Windows\SysWOW64\tnfzqj.exe	bqebia.exe
File created	C:\Windows\SysWOW64\qpircs.exe	ihnlqo.exe
File created	C:\Windows\SysWOW64\dvsrge.exe	nblzrw.exe
File created	C:\Windows\SysWOW64\hlszub.exe	drctdu.exe
File opened for modification	C:\Windows\SysWOW64\kipgxl.exe	xcwsdu.exe
File opened for modification	C:\Windows\SysWOW64\oralkp.exe	bxkytq.exe
File created	C:\Windows\SysWOW64\djertk.exe	nemyjd.exe
File created	C:\Windows\SysWOW64\mkwzwh.exe	wfmofh.exe
File created	C:\Windows\SysWOW64\rhbhge.exe	ccroxf.exe
File opened for modification	C:\Windows\SysWOW64\agoxqo.exe	kjefgg.exe
File opened for modification	C:\Windows\SysWOW64\rpcyss.exe	bsrfjt.exe
File created	C:\Windows\SysWOW64\grrspp.exe	qjwucl.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2860 set thread context of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2292 set thread context of 4940	2292	qjkcie.exe	85
PID 4832 set thread context of 2844	4832	bizkrx.exe	87
PID 3464 set thread context of 4988	3464	ltqoch.exe	89
PID 220 set thread context of 116	220	vsfjas.exe	91
PID 5036 set thread context of 1096	5036	iygwtq.exe	93
PID 1164 set thread context of 4896	1164	wioxck.exe	95
PID 2176 set thread context of 2192	2176	artxqf.exe	97
PID 4016 set thread context of 2284	4016	niyymz.exe	101
PID 2776 set thread context of 1880	2776	avrlyx.exe	105
PID 4728 set thread context of 2684	4728	nblzrw.exe	107
PID 544 set thread context of 2196	544	dvsrge.exe	109
PID 4308 set thread context of 3556	4308	qxaspq.exe	112
PID 3280 set thread context of 212	3280	ahzvha.exe	114
PID 4740 set thread context of 1724	4740	lhoqft.exe	116
PID 2308 set thread context of 4504	2308	sawozu.exe	120
PID 4444 set thread context of 1820	4444	ycfpio.exe	122
PID 1824 set thread context of 1136	1824	fccfiy.exe	124
PID 4460 set thread context of 2784	4460	smsnrk.exe	126
PID 1196 set thread context of 1132	1196	cehipd.exe	128
PID 2956 set thread context of 3780	2956	prawab.exe	130
PID 688 set thread context of 3724	688	ayomqh.exe	132
PID 640 set thread context of 2344	640	kmrulo.exe	134
PID 4668 set thread context of 1568	4668	xaliwm.exe	136
PID 872 set thread context of 1240	872	nmralu.exe	138
PID 3716 set thread context of 452	3716	drctdu.exe	140
PID 632 set thread context of 2860	632	hlszub.exe	142
PID 5108 set thread context of 4740	5108	ucwzqv.exe	145
PID 4976 set thread context of 3684	4976	kzhsav.exe	147
PID 2864 set thread context of 4344	2864	ztfdpd.exe	149
PID 2888 set thread context of 4000	2888	pqqvzl.exe	152
PID 4288 set thread context of 5068	4288	fylblo.exe	154
PID 3008 set thread context of 3764	3008	uhhhgs.exe	156
PID 3676 set thread context of 1196	3676	klrsps.exe	158
PID 3412 set thread context of 3576	3412	xcwsdu.exe	160
PID 3752 set thread context of 4488	3752	kipgxl.exe	162
PID 5076 set thread context of 4772	5076	okftor.exe	164
PID 4800 set thread context of 684	4800	ehpmxr.exe	166
PID 4920 set thread context of 2544	4920	umzepq.exe	168
PID 2492 set thread context of 2848	2492	kvvkbu.exe	170
PID 4308 set thread context of 4524	4308	wplqtb.exe	172
PID 2432 set thread context of 2280	2432	mxgvnf.exe	174
PID 3604 set thread context of 2228	3604	ccroxf.exe	176
PID 4976 set thread context of 520	4976	rhbhge.exe	178
PID 1976 set thread context of 1400	1976	ecjmxl.exe	180
PID 4428 set thread context of 1992	4428	mkessp.exe	182
PID 3128 set thread context of 3180	3128	ytjtgj.exe	184
PID 2260 set thread context of 2348	2260	usmbpg.exe	186
PID 1788 set thread context of 3308	1788	jpwuyg.exe	188
PID 2464 set thread context of 4376	2464	wsmzxe.exe	190
PID 2992 set thread context of 3544	2992	lsafkq.exe	192
PID 2816 set thread context of 3384	2816	bxkytq.exe	194
PID 2976 set thread context of 4060	2976	oralkp.exe	196
PID 5088 set thread context of 4920	5088	gobbsy.exe	198
PID 544 set thread context of 2492	544	tfgboa.exe	200
PID 2900 set thread context of 632	2900	bkquya.exe	202
PID 2716 set thread context of 2432	2716	obvvuu.exe	204
PID 2108 set thread context of 884	2108	exfnec.exe	206
PID 2204 set thread context of 1752	2204	rokosw.exe	208
PID 2308 set thread context of 1976	2308	dfoooz.exe	210
PID 3536 set thread context of 220	3536	tkzhyy.exe	212
PID 2912 set thread context of 5048	2912	gfpnpx.exe	214
PID 2216 set thread context of 3180	2216	wyoses.exe	216
PID 4732 set thread context of 1384	4732	jpstsv.exe	218

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	artxqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drctdu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obvvuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcevbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwrims.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prawab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmuilw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yufmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yufmen.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dvsrge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nmralu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kipgxl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ltqoch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fqcahe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fwduba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avrlyx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ehpmxr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fkrljs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxdnsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcjuvl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ijouma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vboeki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qxaspq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smsnrk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqbgst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piqgci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	piqgci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gobbsy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exfnec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ghnfpq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cjxosw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eetvcx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grrspp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nfextv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ygynez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mxgvnf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usmbpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bkquya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rokosw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hyxdfw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mkessp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qdcajh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ttjwpz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sssuea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sawozu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wplqtb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wyoses.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fqcahe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gxeowe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hlszub.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kvvkbu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agshzh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndrghx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulibte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	liivww.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpypvb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sssuea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niyymz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyfpfu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ktezgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmpiuz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgsbra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnfzqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gxeowe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2860 wrote to memory of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2860 wrote to memory of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2860 wrote to memory of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2860 wrote to memory of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2860 wrote to memory of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2860 wrote to memory of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2860 wrote to memory of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2860 wrote to memory of 2256	2860	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	83
PID 2256 wrote to memory of 2292	2256	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	84
PID 2256 wrote to memory of 2292	2256	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	84
PID 2256 wrote to memory of 2292	2256	f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe	84
PID 2292 wrote to memory of 4940	2292	qjkcie.exe	85
PID 2292 wrote to memory of 4940	2292	qjkcie.exe	85
PID 2292 wrote to memory of 4940	2292	qjkcie.exe	85
PID 2292 wrote to memory of 4940	2292	qjkcie.exe	85
PID 2292 wrote to memory of 4940	2292	qjkcie.exe	85
PID 2292 wrote to memory of 4940	2292	qjkcie.exe	85
PID 2292 wrote to memory of 4940	2292	qjkcie.exe	85
PID 2292 wrote to memory of 4940	2292	qjkcie.exe	85
PID 2292 wrote to memory of 4940	2292	qjkcie.exe	85
PID 4940 wrote to memory of 4832	4940	qjkcie.exe	86
PID 4940 wrote to memory of 4832	4940	qjkcie.exe	86
PID 4940 wrote to memory of 4832	4940	qjkcie.exe	86
PID 4832 wrote to memory of 2844	4832	bizkrx.exe	87
PID 4832 wrote to memory of 2844	4832	bizkrx.exe	87
PID 4832 wrote to memory of 2844	4832	bizkrx.exe	87
PID 4832 wrote to memory of 2844	4832	bizkrx.exe	87
PID 4832 wrote to memory of 2844	4832	bizkrx.exe	87
PID 4832 wrote to memory of 2844	4832	bizkrx.exe	87
PID 4832 wrote to memory of 2844	4832	bizkrx.exe	87
PID 4832 wrote to memory of 2844	4832	bizkrx.exe	87
PID 4832 wrote to memory of 2844	4832	bizkrx.exe	87
PID 2844 wrote to memory of 3464	2844	bizkrx.exe	88
PID 2844 wrote to memory of 3464	2844	bizkrx.exe	88
PID 2844 wrote to memory of 3464	2844	bizkrx.exe	88
PID 3464 wrote to memory of 4988	3464	ltqoch.exe	89
PID 3464 wrote to memory of 4988	3464	ltqoch.exe	89
PID 3464 wrote to memory of 4988	3464	ltqoch.exe	89
PID 3464 wrote to memory of 4988	3464	ltqoch.exe	89
PID 3464 wrote to memory of 4988	3464	ltqoch.exe	89
PID 3464 wrote to memory of 4988	3464	ltqoch.exe	89
PID 3464 wrote to memory of 4988	3464	ltqoch.exe	89
PID 3464 wrote to memory of 4988	3464	ltqoch.exe	89
PID 3464 wrote to memory of 4988	3464	ltqoch.exe	89
PID 4988 wrote to memory of 220	4988	ltqoch.exe	90
PID 4988 wrote to memory of 220	4988	ltqoch.exe	90
PID 4988 wrote to memory of 220	4988	ltqoch.exe	90
PID 220 wrote to memory of 116	220	vsfjas.exe	91
PID 220 wrote to memory of 116	220	vsfjas.exe	91
PID 220 wrote to memory of 116	220	vsfjas.exe	91
PID 220 wrote to memory of 116	220	vsfjas.exe	91
PID 220 wrote to memory of 116	220	vsfjas.exe	91
PID 220 wrote to memory of 116	220	vsfjas.exe	91
PID 220 wrote to memory of 116	220	vsfjas.exe	91
PID 220 wrote to memory of 116	220	vsfjas.exe	91
PID 220 wrote to memory of 116	220	vsfjas.exe	91
PID 116 wrote to memory of 5036	116	vsfjas.exe	92
PID 116 wrote to memory of 5036	116	vsfjas.exe	92
PID 116 wrote to memory of 5036	116	vsfjas.exe	92
PID 5036 wrote to memory of 1096	5036	iygwtq.exe	93
PID 5036 wrote to memory of 1096	5036	iygwtq.exe	93
PID 5036 wrote to memory of 1096	5036	iygwtq.exe	93
PID 5036 wrote to memory of 1096	5036	iygwtq.exe	93

C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Windows\SysWOW64\qjkcie.exe
    C:\Windows\system32\qjkcie.exe 1104 "C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\SysWOW64\qjkcie.exe
      C:\Windows\system32\qjkcie.exe 1104 "C:\Users\Admin\AppData\Local\Temp\f3a6663b8cb810e905ff5c7bed9ef67e_JaffaCakes118.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4940
    - - C:\Windows\SysWOW64\bizkrx.exe
        
        C:\Windows\system32\bizkrx.exe 1112 "C:\Windows\SysWOW64\qjkcie.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\SysWOW64\bizkrx.exe
        
        C:\Windows\system32\bizkrx.exe 1112 "C:\Windows\SysWOW64\qjkcie.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\ltqoch.exe
        
        C:\Windows\system32\ltqoch.exe 988 "C:\Windows\SysWOW64\bizkrx.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\ltqoch.exe
        
        C:\Windows\system32\ltqoch.exe 988 "C:\Windows\SysWOW64\bizkrx.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\vsfjas.exe
        
        C:\Windows\system32\vsfjas.exe 1000 "C:\Windows\SysWOW64\ltqoch.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\SysWOW64\vsfjas.exe
        
        C:\Windows\system32\vsfjas.exe 1000 "C:\Windows\SysWOW64\ltqoch.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\iygwtq.exe
        
        C:\Windows\system32\iygwtq.exe 988 "C:\Windows\SysWOW64\vsfjas.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\iygwtq.exe
        
        C:\Windows\system32\iygwtq.exe 988 "C:\Windows\SysWOW64\vsfjas.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\wioxck.exe
        
        C:\Windows\system32\wioxck.exe 996 "C:\Windows\SysWOW64\iygwtq.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1164
        
        C:\Windows\SysWOW64\wioxck.exe
        
        C:\Windows\system32\wioxck.exe 996 "C:\Windows\SysWOW64\iygwtq.exe"
        14⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Windows\SysWOW64\artxqf.exe
        
        C:\Windows\system32\artxqf.exe 988 "C:\Windows\SysWOW64\wioxck.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\artxqf.exe
        
        C:\Windows\system32\artxqf.exe 988 "C:\Windows\SysWOW64\wioxck.exe"
        16⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\niyymz.exe
        
        C:\Windows\system32\niyymz.exe 1004 "C:\Windows\SysWOW64\artxqf.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4016
        
        C:\Windows\SysWOW64\niyymz.exe
        
        C:\Windows\system32\niyymz.exe 1004 "C:\Windows\SysWOW64\artxqf.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2284
        
        C:\Windows\SysWOW64\avrlyx.exe
        
        C:\Windows\system32\avrlyx.exe 988 "C:\Windows\SysWOW64\niyymz.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2776
        
        C:\Windows\SysWOW64\avrlyx.exe
        
        C:\Windows\system32\avrlyx.exe 988 "C:\Windows\SysWOW64\niyymz.exe"
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\nblzrw.exe
        
        C:\Windows\system32\nblzrw.exe 1012 "C:\Windows\SysWOW64\avrlyx.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4728
        
        C:\Windows\SysWOW64\nblzrw.exe
        
        C:\Windows\system32\nblzrw.exe 1012 "C:\Windows\SysWOW64\avrlyx.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\dvsrge.exe
        
        C:\Windows\system32\dvsrge.exe 1004 "C:\Windows\SysWOW64\nblzrw.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:544
        
        C:\Windows\SysWOW64\dvsrge.exe
        
        C:\Windows\system32\dvsrge.exe 1004 "C:\Windows\SysWOW64\nblzrw.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\qxaspq.exe
        
        C:\Windows\system32\qxaspq.exe 1128 "C:\Windows\SysWOW64\dvsrge.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4308
        
        C:\Windows\SysWOW64\qxaspq.exe
        
        C:\Windows\system32\qxaspq.exe 1128 "C:\Windows\SysWOW64\dvsrge.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\ahzvha.exe
        
        C:\Windows\system32\ahzvha.exe 1120 "C:\Windows\SysWOW64\qxaspq.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3280
        
        C:\Windows\SysWOW64\ahzvha.exe
        
        C:\Windows\system32\ahzvha.exe 1120 "C:\Windows\SysWOW64\qxaspq.exe"
        28⤵
        Executes dropped EXE
        
        PID:212
        
        C:\Windows\SysWOW64\lhoqft.exe
        
        C:\Windows\system32\lhoqft.exe 1052 "C:\Windows\SysWOW64\ahzvha.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4740
        
        C:\Windows\SysWOW64\lhoqft.exe
        
        C:\Windows\system32\lhoqft.exe 1052 "C:\Windows\SysWOW64\ahzvha.exe"
        30⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SysWOW64\sawozu.exe
        
        C:\Windows\system32\sawozu.exe 1000 "C:\Windows\SysWOW64\lhoqft.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\sawozu.exe
        
        C:\Windows\system32\sawozu.exe 1000 "C:\Windows\SysWOW64\lhoqft.exe"
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\SysWOW64\ycfpio.exe
        
        C:\Windows\system32\ycfpio.exe 1008 "C:\Windows\SysWOW64\sawozu.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4444
        
        C:\Windows\SysWOW64\ycfpio.exe
        
        C:\Windows\system32\ycfpio.exe 1008 "C:\Windows\SysWOW64\sawozu.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1820
        
        C:\Windows\SysWOW64\fccfiy.exe
        
        C:\Windows\system32\fccfiy.exe 1012 "C:\Windows\SysWOW64\ycfpio.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1824
        
        C:\Windows\SysWOW64\fccfiy.exe
        
        C:\Windows\system32\fccfiy.exe 1012 "C:\Windows\SysWOW64\ycfpio.exe"
        36⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Windows\SysWOW64\smsnrk.exe
        
        C:\Windows\system32\smsnrk.exe 964 "C:\Windows\SysWOW64\fccfiy.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\smsnrk.exe
        
        C:\Windows\system32\smsnrk.exe 964 "C:\Windows\SysWOW64\fccfiy.exe"
        38⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Windows\SysWOW64\cehipd.exe
        
        C:\Windows\system32\cehipd.exe 1120 "C:\Windows\SysWOW64\smsnrk.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1196
        
        C:\Windows\SysWOW64\cehipd.exe
        
        C:\Windows\system32\cehipd.exe 1120 "C:\Windows\SysWOW64\smsnrk.exe"
        40⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\prawab.exe
        
        C:\Windows\system32\prawab.exe 988 "C:\Windows\SysWOW64\cehipd.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2956
        
        C:\Windows\SysWOW64\prawab.exe
        
        C:\Windows\system32\prawab.exe 988 "C:\Windows\SysWOW64\cehipd.exe"
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\ayomqh.exe
        
        C:\Windows\system32\ayomqh.exe 988 "C:\Windows\SysWOW64\prawab.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:688
        
        C:\Windows\SysWOW64\ayomqh.exe
        
        C:\Windows\system32\ayomqh.exe 988 "C:\Windows\SysWOW64\prawab.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3724
        
        C:\Windows\SysWOW64\kmrulo.exe
        
        C:\Windows\system32\kmrulo.exe 1128 "C:\Windows\SysWOW64\ayomqh.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:640
        
        C:\Windows\SysWOW64\kmrulo.exe
        
        C:\Windows\system32\kmrulo.exe 1128 "C:\Windows\SysWOW64\ayomqh.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\xaliwm.exe
        
        C:\Windows\system32\xaliwm.exe 1000 "C:\Windows\SysWOW64\kmrulo.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4668
        
        C:\Windows\SysWOW64\xaliwm.exe
        
        C:\Windows\system32\xaliwm.exe 1000 "C:\Windows\SysWOW64\kmrulo.exe"
        48⤵
        Executes dropped EXE
        
        PID:1568
        
        C:\Windows\SysWOW64\nmralu.exe
        
        C:\Windows\system32\nmralu.exe 1012 "C:\Windows\SysWOW64\xaliwm.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\nmralu.exe
        
        C:\Windows\system32\nmralu.exe 1012 "C:\Windows\SysWOW64\xaliwm.exe"
        50⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Windows\SysWOW64\drctdu.exe
        
        C:\Windows\system32\drctdu.exe 1120 "C:\Windows\SysWOW64\nmralu.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3716
        
        C:\Windows\SysWOW64\drctdu.exe
        
        C:\Windows\system32\drctdu.exe 1120 "C:\Windows\SysWOW64\nmralu.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\hlszub.exe
        
        C:\Windows\system32\hlszub.exe 988 "C:\Windows\SysWOW64\drctdu.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\hlszub.exe
        
        C:\Windows\system32\hlszub.exe 988 "C:\Windows\SysWOW64\drctdu.exe"
        54⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\ucwzqv.exe
        
        C:\Windows\system32\ucwzqv.exe 988 "C:\Windows\SysWOW64\hlszub.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5108
        
        C:\Windows\SysWOW64\ucwzqv.exe
        
        C:\Windows\system32\ucwzqv.exe 988 "C:\Windows\SysWOW64\hlszub.exe"
        56⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\kzhsav.exe
        
        C:\Windows\system32\kzhsav.exe 988 "C:\Windows\SysWOW64\ucwzqv.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4976
        
        C:\Windows\SysWOW64\kzhsav.exe
        
        C:\Windows\system32\kzhsav.exe 988 "C:\Windows\SysWOW64\ucwzqv.exe"
        58⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Windows\SysWOW64\ztfdpd.exe
        
        C:\Windows\system32\ztfdpd.exe 988 "C:\Windows\SysWOW64\kzhsav.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2864
        
        C:\Windows\SysWOW64\ztfdpd.exe
        
        C:\Windows\system32\ztfdpd.exe 988 "C:\Windows\SysWOW64\kzhsav.exe"
        60⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\pqqvzl.exe
        
        C:\Windows\system32\pqqvzl.exe 988 "C:\Windows\SysWOW64\ztfdpd.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2888
        
        C:\Windows\SysWOW64\pqqvzl.exe
        
        C:\Windows\system32\pqqvzl.exe 988 "C:\Windows\SysWOW64\ztfdpd.exe"
        62⤵
        Executes dropped EXE
        
        PID:4000
        
        C:\Windows\SysWOW64\fylblo.exe
        
        C:\Windows\system32\fylblo.exe 1068 "C:\Windows\SysWOW64\pqqvzl.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4288
        
        C:\Windows\SysWOW64\fylblo.exe
        
        C:\Windows\system32\fylblo.exe 1068 "C:\Windows\SysWOW64\pqqvzl.exe"
        64⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\uhhhgs.exe
        
        C:\Windows\system32\uhhhgs.exe 1008 "C:\Windows\SysWOW64\fylblo.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3008
        
        C:\Windows\SysWOW64\uhhhgs.exe
        
        C:\Windows\system32\uhhhgs.exe 1008 "C:\Windows\SysWOW64\fylblo.exe"
        66⤵
        Executes dropped EXE
        
        PID:3764
        
        C:\Windows\SysWOW64\klrsps.exe
        
        C:\Windows\system32\klrsps.exe 988 "C:\Windows\SysWOW64\uhhhgs.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:3676
        
        C:\Windows\SysWOW64\klrsps.exe
        
        C:\Windows\system32\klrsps.exe 988 "C:\Windows\SysWOW64\uhhhgs.exe"
        68⤵
        Drops file in System32 directory
        
        PID:1196
        
        C:\Windows\SysWOW64\xcwsdu.exe
        
        C:\Windows\system32\xcwsdu.exe 1008 "C:\Windows\SysWOW64\klrsps.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:3412
        
        C:\Windows\SysWOW64\xcwsdu.exe
        
        C:\Windows\system32\xcwsdu.exe 1008 "C:\Windows\SysWOW64\klrsps.exe"
        70⤵
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\kipgxl.exe
        
        C:\Windows\system32\kipgxl.exe 1012 "C:\Windows\SysWOW64\xcwsdu.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:3752
        
        C:\Windows\SysWOW64\kipgxl.exe
        
        C:\Windows\system32\kipgxl.exe 1012 "C:\Windows\SysWOW64\xcwsdu.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\okftor.exe
        
        C:\Windows\system32\okftor.exe 1120 "C:\Windows\SysWOW64\kipgxl.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:5076
        
        C:\Windows\SysWOW64\okftor.exe
        
        C:\Windows\system32\okftor.exe 1120 "C:\Windows\SysWOW64\kipgxl.exe"
        74⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\ehpmxr.exe
        
        C:\Windows\system32\ehpmxr.exe 996 "C:\Windows\SysWOW64\okftor.exe"
        75⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\ehpmxr.exe
        
        C:\Windows\system32\ehpmxr.exe 996 "C:\Windows\SysWOW64\okftor.exe"
        76⤵
        
        PID:684
        
        C:\Windows\SysWOW64\umzepq.exe
        
        C:\Windows\system32\umzepq.exe 1120 "C:\Windows\SysWOW64\ehpmxr.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:4920
        
        C:\Windows\SysWOW64\umzepq.exe
        
        C:\Windows\system32\umzepq.exe 1120 "C:\Windows\SysWOW64\ehpmxr.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\kvvkbu.exe
        
        C:\Windows\system32\kvvkbu.exe 1120 "C:\Windows\SysWOW64\umzepq.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:2492
        
        C:\Windows\SysWOW64\kvvkbu.exe
        
        C:\Windows\system32\kvvkbu.exe 1120 "C:\Windows\SysWOW64\umzepq.exe"
        80⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\wplqtb.exe
        
        C:\Windows\system32\wplqtb.exe 1100 "C:\Windows\SysWOW64\kvvkbu.exe"
        81⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\wplqtb.exe
        
        C:\Windows\system32\wplqtb.exe 1100 "C:\Windows\SysWOW64\kvvkbu.exe"
        82⤵
        Drops file in System32 directory
        
        PID:4524
        
        C:\Windows\SysWOW64\mxgvnf.exe
        
        C:\Windows\system32\mxgvnf.exe 1120 "C:\Windows\SysWOW64\wplqtb.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:2432
        
        C:\Windows\SysWOW64\mxgvnf.exe
        
        C:\Windows\system32\mxgvnf.exe 1120 "C:\Windows\SysWOW64\wplqtb.exe"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\ccroxf.exe
        
        C:\Windows\system32\ccroxf.exe 1004 "C:\Windows\SysWOW64\mxgvnf.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:3604
        
        C:\Windows\SysWOW64\ccroxf.exe
        
        C:\Windows\system32\ccroxf.exe 1004 "C:\Windows\SysWOW64\mxgvnf.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2228
        
        C:\Windows\SysWOW64\rhbhge.exe
        
        C:\Windows\system32\rhbhge.exe 988 "C:\Windows\SysWOW64\ccroxf.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:4976
        
        C:\Windows\SysWOW64\rhbhge.exe
        
        C:\Windows\system32\rhbhge.exe 988 "C:\Windows\SysWOW64\ccroxf.exe"
        88⤵
        Drops file in System32 directory
        
        PID:520
        
        C:\Windows\SysWOW64\ecjmxl.exe
        
        C:\Windows\system32\ecjmxl.exe 1120 "C:\Windows\SysWOW64\rhbhge.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:1976
        
        C:\Windows\SysWOW64\ecjmxl.exe
        
        C:\Windows\system32\ecjmxl.exe 1120 "C:\Windows\SysWOW64\rhbhge.exe"
        90⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\mkessp.exe
        
        C:\Windows\system32\mkessp.exe 996 "C:\Windows\SysWOW64\ecjmxl.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:4428
        
        C:\Windows\SysWOW64\mkessp.exe
        
        C:\Windows\system32\mkessp.exe 996 "C:\Windows\SysWOW64\ecjmxl.exe"
        92⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\ytjtgj.exe
        
        C:\Windows\system32\ytjtgj.exe 988 "C:\Windows\SysWOW64\mkessp.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:3128
        
        C:\Windows\SysWOW64\ytjtgj.exe
        
        C:\Windows\system32\ytjtgj.exe 988 "C:\Windows\SysWOW64\mkessp.exe"
        94⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\usmbpg.exe
        
        C:\Windows\system32\usmbpg.exe 1128 "C:\Windows\SysWOW64\ytjtgj.exe"
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\usmbpg.exe
        
        C:\Windows\system32\usmbpg.exe 1128 "C:\Windows\SysWOW64\ytjtgj.exe"
        96⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\jpwuyg.exe
        
        C:\Windows\system32\jpwuyg.exe 1124 "C:\Windows\SysWOW64\usmbpg.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:1788
        
        C:\Windows\SysWOW64\jpwuyg.exe
        
        C:\Windows\system32\jpwuyg.exe 1124 "C:\Windows\SysWOW64\usmbpg.exe"
        98⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\wsmzxe.exe
        
        C:\Windows\system32\wsmzxe.exe 988 "C:\Windows\SysWOW64\jpwuyg.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:2464
        
        C:\Windows\SysWOW64\wsmzxe.exe
        
        C:\Windows\system32\wsmzxe.exe 988 "C:\Windows\SysWOW64\jpwuyg.exe"
        100⤵
        Drops file in System32 directory
        
        PID:4376
        
        C:\Windows\SysWOW64\lsafkq.exe
        
        C:\Windows\system32\lsafkq.exe 1008 "C:\Windows\SysWOW64\wsmzxe.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2992
        
        C:\Windows\SysWOW64\lsafkq.exe
        
        C:\Windows\system32\lsafkq.exe 1008 "C:\Windows\SysWOW64\wsmzxe.exe"
        102⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\bxkytq.exe
        
        C:\Windows\system32\bxkytq.exe 1000 "C:\Windows\SysWOW64\lsafkq.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:2816
        
        C:\Windows\SysWOW64\bxkytq.exe
        
        C:\Windows\system32\bxkytq.exe 1000 "C:\Windows\SysWOW64\lsafkq.exe"
        104⤵
        Drops file in System32 directory
        
        PID:3384
        
        C:\Windows\SysWOW64\oralkp.exe
        
        C:\Windows\system32\oralkp.exe 1120 "C:\Windows\SysWOW64\bxkytq.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:2976
        
        C:\Windows\SysWOW64\oralkp.exe
        
        C:\Windows\system32\oralkp.exe 1120 "C:\Windows\SysWOW64\bxkytq.exe"
        106⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\gobbsy.exe
        
        C:\Windows\system32\gobbsy.exe 1000 "C:\Windows\SysWOW64\oralkp.exe"
        107⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\gobbsy.exe
        
        C:\Windows\system32\gobbsy.exe 1000 "C:\Windows\SysWOW64\oralkp.exe"
        108⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\tfgboa.exe
        
        C:\Windows\system32\tfgboa.exe 1004 "C:\Windows\SysWOW64\gobbsy.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:544
        
        C:\Windows\SysWOW64\tfgboa.exe
        
        C:\Windows\system32\tfgboa.exe 1004 "C:\Windows\SysWOW64\gobbsy.exe"
        110⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Windows\SysWOW64\bkquya.exe
        
        C:\Windows\system32\bkquya.exe 1128 "C:\Windows\SysWOW64\tfgboa.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:2900
        
        C:\Windows\SysWOW64\bkquya.exe
        
        C:\Windows\system32\bkquya.exe 1128 "C:\Windows\SysWOW64\tfgboa.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\obvvuu.exe
        
        C:\Windows\system32\obvvuu.exe 1008 "C:\Windows\SysWOW64\bkquya.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:2716
        
        C:\Windows\SysWOW64\obvvuu.exe
        
        C:\Windows\system32\obvvuu.exe 1008 "C:\Windows\SysWOW64\bkquya.exe"
        114⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\exfnec.exe
        
        C:\Windows\system32\exfnec.exe 988 "C:\Windows\SysWOW64\obvvuu.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2108
        
        C:\Windows\SysWOW64\exfnec.exe
        
        C:\Windows\system32\exfnec.exe 988 "C:\Windows\SysWOW64\obvvuu.exe"
        116⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\rokosw.exe
        
        C:\Windows\system32\rokosw.exe 1120 "C:\Windows\SysWOW64\exfnec.exe"
        117⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\rokosw.exe
        
        C:\Windows\system32\rokosw.exe 1120 "C:\Windows\SysWOW64\exfnec.exe"
        118⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\dfoooz.exe
        
        C:\Windows\system32\dfoooz.exe 1012 "C:\Windows\SysWOW64\rokosw.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:2308
        
        C:\Windows\SysWOW64\dfoooz.exe
        
        C:\Windows\system32\dfoooz.exe 1012 "C:\Windows\SysWOW64\rokosw.exe"
        120⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\tkzhyy.exe
        
        C:\Windows\system32\tkzhyy.exe 1128 "C:\Windows\SysWOW64\dfoooz.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:3536
        
        C:\Windows\SysWOW64\tkzhyy.exe
        
        C:\Windows\system32\tkzhyy.exe 1128 "C:\Windows\SysWOW64\dfoooz.exe"
        122⤵
        
        PID:220
        
        C:\Windows\SysWOW64\gfpnpx.exe
        
        C:\Windows\system32\gfpnpx.exe 1012 "C:\Windows\SysWOW64\tkzhyy.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:2912
        
        C:\Windows\SysWOW64\gfpnpx.exe
        
        C:\Windows\system32\gfpnpx.exe 1012 "C:\Windows\SysWOW64\tkzhyy.exe"
        124⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\wyoses.exe
        
        C:\Windows\system32\wyoses.exe 1120 "C:\Windows\SysWOW64\gfpnpx.exe"
        125⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\wyoses.exe
        
        C:\Windows\system32\wyoses.exe 1120 "C:\Windows\SysWOW64\gfpnpx.exe"
        126⤵
        Drops file in System32 directory
        
        PID:3180
        
        C:\Windows\SysWOW64\jpstsv.exe
        
        C:\Windows\system32\jpstsv.exe 996 "C:\Windows\SysWOW64\wyoses.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:4732
        
        C:\Windows\SysWOW64\jpstsv.exe
        
        C:\Windows\system32\jpstsv.exe 996 "C:\Windows\SysWOW64\wyoses.exe"
        128⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\vgxtgp.exe
        
        C:\Windows\system32\vgxtgp.exe 1120 "C:\Windows\SysWOW64\jpstsv.exe"
        129⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\vgxtgp.exe
        
        C:\Windows\system32\vgxtgp.exe 1120 "C:\Windows\SysWOW64\jpstsv.exe"
        130⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\bmrhan.exe
        
        C:\Windows\system32\bmrhan.exe 1008 "C:\Windows\SysWOW64\vgxtgp.exe"
        131⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\bmrhan.exe
        
        C:\Windows\system32\bmrhan.exe 1008 "C:\Windows\SysWOW64\vgxtgp.exe"
        132⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\qrbzjn.exe
        
        C:\Windows\system32\qrbzjn.exe 1124 "C:\Windows\SysWOW64\bmrhan.exe"
        133⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\qrbzjn.exe
        
        C:\Windows\system32\qrbzjn.exe 1124 "C:\Windows\SysWOW64\bmrhan.exe"
        134⤵
        Drops file in System32 directory
        
        PID:3212
        
        C:\Windows\SysWOW64\dlrniu.exe
        
        C:\Windows\system32\dlrniu.exe 992 "C:\Windows\SysWOW64\qrbzjn.exe"
        135⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\dlrniu.exe
        
        C:\Windows\system32\dlrniu.exe 992 "C:\Windows\SysWOW64\qrbzjn.exe"
        136⤵
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\tqbgst.exe
        
        C:\Windows\system32\tqbgst.exe 1000 "C:\Windows\SysWOW64\dlrniu.exe"
        137⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\tqbgst.exe
        
        C:\Windows\system32\tqbgst.exe 1000 "C:\Windows\SysWOW64\dlrniu.exe"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\fkrljs.exe
        
        C:\Windows\system32\fkrljs.exe 992 "C:\Windows\SysWOW64\tqbgst.exe"
        139⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\fkrljs.exe
        
        C:\Windows\system32\fkrljs.exe 992 "C:\Windows\SysWOW64\tqbgst.exe"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\vtnrvw.exe
        
        C:\Windows\system32\vtnrvw.exe 996 "C:\Windows\SysWOW64\fkrljs.exe"
        141⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\vtnrvw.exe
        
        C:\Windows\system32\vtnrvw.exe 996 "C:\Windows\SysWOW64\fkrljs.exe"
        142⤵
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\lyxkne.exe
        
        C:\Windows\system32\lyxkne.exe 1120 "C:\Windows\SysWOW64\vtnrvw.exe"
        143⤵
        
        PID:876
        
        C:\Windows\SysWOW64\lyxkne.exe
        
        C:\Windows\system32\lyxkne.exe 1120 "C:\Windows\SysWOW64\vtnrvw.exe"
        144⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\agshzh.exe
        
        C:\Windows\system32\agshzh.exe 1120 "C:\Windows\SysWOW64\lyxkne.exe"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:4868
        
        C:\Windows\SysWOW64\agshzh.exe
        
        C:\Windows\system32\agshzh.exe 1120 "C:\Windows\SysWOW64\lyxkne.exe"
        146⤵
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\qdcajh.exe
        
        C:\Windows\system32\qdcajh.exe 1008 "C:\Windows\SysWOW64\agshzh.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\qdcajh.exe
        
        C:\Windows\system32\qdcajh.exe 1008 "C:\Windows\SysWOW64\agshzh.exe"
        148⤵
        Drops file in System32 directory
        
        PID:516
        
        C:\Windows\SysWOW64\dfkoig.exe
        
        C:\Windows\system32\dfkoig.exe 1000 "C:\Windows\SysWOW64\qdcajh.exe"
        149⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\dfkoig.exe
        
        C:\Windows\system32\dfkoig.exe 1000 "C:\Windows\SysWOW64\qdcajh.exe"
        150⤵
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\ihbora.exe
        
        C:\Windows\system32\ihbora.exe 1012 "C:\Windows\SysWOW64\dfkoig.exe"
        151⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\ihbora.exe
        
        C:\Windows\system32\ihbora.exe 1012 "C:\Windows\SysWOW64\dfkoig.exe"
        152⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\vyfpfu.exe
        
        C:\Windows\system32\vyfpfu.exe 996 "C:\Windows\SysWOW64\ihbora.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\Windows\SysWOW64\vyfpfu.exe
        
        C:\Windows\system32\vyfpfu.exe 996 "C:\Windows\SysWOW64\ihbora.exe"
        154⤵
        
        PID:736
        
        C:\Windows\SysWOW64\lvqhwc.exe
        
        C:\Windows\system32\lvqhwc.exe 1128 "C:\Windows\SysWOW64\vyfpfu.exe"
        155⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\lvqhwc.exe
        
        C:\Windows\system32\lvqhwc.exe 1128 "C:\Windows\SysWOW64\vyfpfu.exe"
        156⤵
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\xmuilw.exe
        
        C:\Windows\system32\xmuilw.exe 1052 "C:\Windows\SysWOW64\lvqhwc.exe"
        157⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\xmuilw.exe
        
        C:\Windows\system32\xmuilw.exe 1052 "C:\Windows\SysWOW64\lvqhwc.exe"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\nrfauw.exe
        
        C:\Windows\system32\nrfauw.exe 1004 "C:\Windows\SysWOW64\xmuilw.exe"
        159⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\nrfauw.exe
        
        C:\Windows\system32\nrfauw.exe 1004 "C:\Windows\SysWOW64\xmuilw.exe"
        160⤵
        Drops file in System32 directory
        
        PID:3080
        
        C:\Windows\SysWOW64\amvotd.exe
        
        C:\Windows\system32\amvotd.exe 1128 "C:\Windows\SysWOW64\nrfauw.exe"
        161⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\amvotd.exe
        
        C:\Windows\system32\amvotd.exe 1128 "C:\Windows\SysWOW64\nrfauw.exe"
        162⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\ndrghx.exe
        
        C:\Windows\system32\ndrghx.exe 992 "C:\Windows\SysWOW64\amvotd.exe"
        163⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\ndrghx.exe
        
        C:\Windows\system32\ndrghx.exe 992 "C:\Windows\SysWOW64\amvotd.exe"
        164⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1212
        
        C:\Windows\SysWOW64\cikzrx.exe
        
        C:\Windows\system32\cikzrx.exe 988 "C:\Windows\SysWOW64\ndrghx.exe"
        165⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cikzrx.exe
        
        C:\Windows\system32\cikzrx.exe 988 "C:\Windows\SysWOW64\ndrghx.exe"
        166⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\sqxflj.exe
        
        C:\Windows\system32\sqxflj.exe 1000 "C:\Windows\SysWOW64\cikzrx.exe"
        167⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\sqxflj.exe
        
        C:\Windows\system32\sqxflj.exe 1000 "C:\Windows\SysWOW64\cikzrx.exe"
        168⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\fzcfad.exe
        
        C:\Windows\system32\fzcfad.exe 1120 "C:\Windows\SysWOW64\sqxflj.exe"
        169⤵
        
        PID:872
        
        C:\Windows\SysWOW64\fzcfad.exe
        
        C:\Windows\system32\fzcfad.exe 1120 "C:\Windows\SysWOW64\sqxflj.exe"
        170⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\nemyjd.exe
        
        C:\Windows\system32\nemyjd.exe 988 "C:\Windows\SysWOW64\fzcfad.exe"
        171⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\nemyjd.exe
        
        C:\Windows\system32\nemyjd.exe 988 "C:\Windows\SysWOW64\fzcfad.exe"
        172⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\djertk.exe
        
        C:\Windows\system32\djertk.exe 1012 "C:\Windows\SysWOW64\nemyjd.exe"
        173⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\djertk.exe
        
        C:\Windows\system32\djertk.exe 1012 "C:\Windows\SysWOW64\nemyjd.exe"
        174⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\upfury.exe
        
        C:\Windows\system32\upfury.exe 1000 "C:\Windows\SysWOW64\djertk.exe"
        175⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\upfury.exe
        
        C:\Windows\system32\upfury.exe 1000 "C:\Windows\SysWOW64\djertk.exe"
        176⤵
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\kjefgg.exe
        
        C:\Windows\system32\kjefgg.exe 1120 "C:\Windows\SysWOW64\upfury.exe"
        177⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\kjefgg.exe
        
        C:\Windows\system32\kjefgg.exe 1120 "C:\Windows\SysWOW64\upfury.exe"
        178⤵
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\agoxqo.exe
        
        C:\Windows\system32\agoxqo.exe 1128 "C:\Windows\SysWOW64\kjefgg.exe"
        179⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\agoxqo.exe
        
        C:\Windows\system32\agoxqo.exe 1128 "C:\Windows\SysWOW64\kjefgg.exe"
        180⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\pavifw.exe
        
        C:\Windows\system32\pavifw.exe 1000 "C:\Windows\SysWOW64\agoxqo.exe"
        181⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\pavifw.exe
        
        C:\Windows\system32\pavifw.exe 1000 "C:\Windows\SysWOW64\agoxqo.exe"
        182⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\fxfbpw.exe
        
        C:\Windows\system32\fxfbpw.exe 1000 "C:\Windows\SysWOW64\pavifw.exe"
        183⤵
        
        PID:816
        
        C:\Windows\SysWOW64\fxfbpw.exe
        
        C:\Windows\system32\fxfbpw.exe 1000 "C:\Windows\SysWOW64\pavifw.exe"
        184⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\urmlme.exe
        
        C:\Windows\system32\urmlme.exe 988 "C:\Windows\SysWOW64\fxfbpw.exe"
        185⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\urmlme.exe
        
        C:\Windows\system32\urmlme.exe 988 "C:\Windows\SysWOW64\fxfbpw.exe"
        186⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\mrqxxr.exe
        
        C:\Windows\system32\mrqxxr.exe 1000 "C:\Windows\SysWOW64\urmlme.exe"
        187⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\mrqxxr.exe
        
        C:\Windows\system32\mrqxxr.exe 1000 "C:\Windows\SysWOW64\urmlme.exe"
        188⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\fqcahe.exe
        
        C:\Windows\system32\fqcahe.exe 988 "C:\Windows\SysWOW64\mrqxxr.exe"
        189⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\fqcahe.exe
        
        C:\Windows\system32\fqcahe.exe 988 "C:\Windows\SysWOW64\mrqxxr.exe"
        190⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\mzxfui.exe
        
        C:\Windows\system32\mzxfui.exe 1120 "C:\Windows\SysWOW64\fqcahe.exe"
        191⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\mzxfui.exe
        
        C:\Windows\system32\mzxfui.exe 1120 "C:\Windows\SysWOW64\fqcahe.exe"
        192⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\chtlgm.exe
        
        C:\Windows\system32\chtlgm.exe 1120 "C:\Windows\SysWOW64\mzxfui.exe"
        193⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\chtlgm.exe
        
        C:\Windows\system32\chtlgm.exe 1120 "C:\Windows\SysWOW64\mzxfui.exe"
        194⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\ulibte.exe
        
        C:\Windows\system32\ulibte.exe 988 "C:\Windows\SysWOW64\chtlgm.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\ulibte.exe
        
        C:\Windows\system32\ulibte.exe 988 "C:\Windows\SysWOW64\chtlgm.exe"
        196⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\ktezgh.exe
        
        C:\Windows\system32\ktezgh.exe 996 "C:\Windows\SysWOW64\ulibte.exe"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Windows\SysWOW64\ktezgh.exe
        
        C:\Windows\system32\ktezgh.exe 996 "C:\Windows\SysWOW64\ulibte.exe"
        198⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\zbzeal.exe
        
        C:\Windows\system32\zbzeal.exe 1120 "C:\Windows\SysWOW64\ktezgh.exe"
        199⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\zbzeal.exe
        
        C:\Windows\system32\zbzeal.exe 1120 "C:\Windows\SysWOW64\ktezgh.exe"
        200⤵
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\pkvknp.exe
        
        C:\Windows\system32\pkvknp.exe 1008 "C:\Windows\SysWOW64\zbzeal.exe"
        201⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\pkvknp.exe
        
        C:\Windows\system32\pkvknp.exe 1008 "C:\Windows\SysWOW64\zbzeal.exe"
        202⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\eetvcx.exe
        
        C:\Windows\system32\eetvcx.exe 1012 "C:\Windows\SysWOW64\pkvknp.exe"
        203⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\eetvcx.exe
        
        C:\Windows\system32\eetvcx.exe 1012 "C:\Windows\SysWOW64\pkvknp.exe"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\umpboj.exe
        
        C:\Windows\system32\umpboj.exe 1028 "C:\Windows\SysWOW64\eetvcx.exe"
        205⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\umpboj.exe
        
        C:\Windows\system32\umpboj.exe 1028 "C:\Windows\SysWOW64\eetvcx.exe"
        206⤵
        Drops file in System32 directory
        
        PID:3248
        
        C:\Windows\SysWOW64\jjztyj.exe
        
        C:\Windows\system32\jjztyj.exe 1124 "C:\Windows\SysWOW64\umpboj.exe"
        207⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\jjztyj.exe
        
        C:\Windows\system32\jjztyj.exe 1124 "C:\Windows\SysWOW64\umpboj.exe"
        208⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\zvgevr.exe
        
        C:\Windows\system32\zvgevr.exe 988 "C:\Windows\SysWOW64\jjztyj.exe"
        209⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\zvgevr.exe
        
        C:\Windows\system32\zvgevr.exe 988 "C:\Windows\SysWOW64\jjztyj.exe"
        210⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\gdtkiv.exe
        
        C:\Windows\system32\gdtkiv.exe 1000 "C:\Windows\SysWOW64\zvgevr.exe"
        211⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\gdtkiv.exe
        
        C:\Windows\system32\gdtkiv.exe 1000 "C:\Windows\SysWOW64\zvgevr.exe"
        212⤵
        Drops file in System32 directory
        
        PID:1928
        
        C:\Windows\SysWOW64\wmpiuz.exe
        
        C:\Windows\system32\wmpiuz.exe 956 "C:\Windows\SysWOW64\gdtkiv.exe"
        213⤵
        System Location Discovery: System Language Discovery
        
        PID:216
        
        C:\Windows\SysWOW64\wmpiuz.exe
        
        C:\Windows\system32\wmpiuz.exe 956 "C:\Windows\SysWOW64\gdtkiv.exe"
        214⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\piqgci.exe
        
        C:\Windows\system32\piqgci.exe 1004 "C:\Windows\SysWOW64\wmpiuz.exe"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\piqgci.exe
        
        C:\Windows\system32\piqgci.exe 1004 "C:\Windows\SysWOW64\wmpiuz.exe"
        216⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\hqcjmv.exe
        
        C:\Windows\system32\hqcjmv.exe 1012 "C:\Windows\SysWOW64\piqgci.exe"
        217⤵
        
        PID:772
        
        C:\Windows\SysWOW64\hqcjmv.exe
        
        C:\Windows\system32\hqcjmv.exe 1012 "C:\Windows\SysWOW64\piqgci.exe"
        218⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\wfmofh.exe
        
        C:\Windows\system32\wfmofh.exe 1120 "C:\Windows\SysWOW64\hqcjmv.exe"
        219⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\wfmofh.exe
        
        C:\Windows\system32\wfmofh.exe 1120 "C:\Windows\SysWOW64\hqcjmv.exe"
        220⤵
        Drops file in System32 directory
        
        PID:4020
        
        C:\Windows\SysWOW64\mkwzwh.exe
        
        C:\Windows\system32\mkwzwh.exe 1124 "C:\Windows\SysWOW64\wfmofh.exe"
        221⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\mkwzwh.exe
        
        C:\Windows\system32\mkwzwh.exe 1124 "C:\Windows\SysWOW64\wfmofh.exe"
        222⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\bsrfjt.exe
        
        C:\Windows\system32\bsrfjt.exe 1120 "C:\Windows\SysWOW64\mkwzwh.exe"
        223⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\bsrfjt.exe
        
        C:\Windows\system32\bsrfjt.exe 1120 "C:\Windows\SysWOW64\mkwzwh.exe"
        224⤵
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\rpcyss.exe
        
        C:\Windows\system32\rpcyss.exe 1156 "C:\Windows\SysWOW64\bsrfjt.exe"
        225⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\rpcyss.exe
        
        C:\Windows\system32\rpcyss.exe 1156 "C:\Windows\SysWOW64\bsrfjt.exe"
        226⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\hyxdfw.exe
        
        C:\Windows\system32\hyxdfw.exe 1004 "C:\Windows\SysWOW64\rpcyss.exe"
        227⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\hyxdfw.exe
        
        C:\Windows\system32\hyxdfw.exe 1004 "C:\Windows\SysWOW64\rpcyss.exe"
        228⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\wgsbra.exe
        
        C:\Windows\system32\wgsbra.exe 1128 "C:\Windows\SysWOW64\hyxdfw.exe"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\wgsbra.exe
        
        C:\Windows\system32\wgsbra.exe 1128 "C:\Windows\SysWOW64\hyxdfw.exe"
        230⤵
        Drops file in System32 directory
        
        PID:4852
        
        C:\Windows\SysWOW64\bxxbnd.exe
        
        C:\Windows\system32\bxxbnd.exe 1120 "C:\Windows\SysWOW64\wgsbra.exe"
        231⤵
        
        PID:472
        
        C:\Windows\SysWOW64\bxxbnd.exe
        
        C:\Windows\system32\bxxbnd.exe 1120 "C:\Windows\SysWOW64\wgsbra.exe"
        232⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\qjwucl.exe
        
        C:\Windows\system32\qjwucl.exe 1124 "C:\Windows\SysWOW64\bxxbnd.exe"
        233⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\qjwucl.exe
        
        C:\Windows\system32\qjwucl.exe 1124 "C:\Windows\SysWOW64\bxxbnd.exe"
        234⤵
        Drops file in System32 directory
        
        PID:720
        
        C:\Windows\SysWOW64\grrspp.exe
        
        C:\Windows\system32\grrspp.exe 1120 "C:\Windows\SysWOW64\qjwucl.exe"
        235⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\grrspp.exe
        
        C:\Windows\system32\grrspp.exe 1120 "C:\Windows\SysWOW64\qjwucl.exe"
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\znsqxy.exe
        
        C:\Windows\system32\znsqxy.exe 1028 "C:\Windows\SysWOW64\grrspp.exe"
        237⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\znsqxy.exe
        
        C:\Windows\system32\znsqxy.exe 1028 "C:\Windows\SysWOW64\grrspp.exe"
        238⤵
        
        PID:576
        
        C:\Windows\SysWOW64\liivww.exe
        
        C:\Windows\system32\liivww.exe 1120 "C:\Windows\SysWOW64\znsqxy.exe"
        239⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\liivww.exe
        
        C:\Windows\system32\liivww.exe 1120 "C:\Windows\SysWOW64\znsqxy.exe"
        240⤵
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\bqebia.exe
        
        C:\Windows\system32\bqebia.exe 1000 "C:\Windows\SysWOW64\liivww.exe"
        241⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\bqebia.exe
        
        C:\Windows\system32\bqebia.exe 1000 "C:\Windows\SysWOW64\liivww.exe"
        242⤵
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\tnfzqj.exe
        
        C:\Windows\system32\tnfzqj.exe 1008 "C:\Windows\SysWOW64\bqebia.exe"
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\tnfzqj.exe
        
        C:\Windows\system32\tnfzqj.exe 1008 "C:\Windows\SysWOW64\bqebia.exe"
        244⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\ghnfpq.exe
        
        C:\Windows\system32\ghnfpq.exe 988 "C:\Windows\SysWOW64\tnfzqj.exe"
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\ghnfpq.exe
        
        C:\Windows\system32\ghnfpq.exe 988 "C:\Windows\SysWOW64\tnfzqj.exe"
        246⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\wmfxzq.exe
        
        C:\Windows\system32\wmfxzq.exe 1120 "C:\Windows\SysWOW64\ghnfpq.exe"
        247⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\wmfxzq.exe
        
        C:\Windows\system32\wmfxzq.exe 1120 "C:\Windows\SysWOW64\ghnfpq.exe"
        248⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\ihnlqo.exe
        
        C:\Windows\system32\ihnlqo.exe 988 "C:\Windows\SysWOW64\wmfxzq.exe"
        249⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\ihnlqo.exe
        
        C:\Windows\system32\ihnlqo.exe 988 "C:\Windows\SysWOW64\wmfxzq.exe"
        250⤵
        Drops file in System32 directory
        
        PID:4688
        
        C:\Windows\SysWOW64\qpircs.exe
        
        C:\Windows\system32\qpircs.exe 996 "C:\Windows\SysWOW64\ihnlqo.exe"
        251⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\qpircs.exe
        
        C:\Windows\system32\qpircs.exe 996 "C:\Windows\SysWOW64\ihnlqo.exe"
        252⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\gxeowe.exe
        
        C:\Windows\system32\gxeowe.exe 1128 "C:\Windows\SysWOW64\qpircs.exe"
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\gxeowe.exe
        
        C:\Windows\system32\gxeowe.exe 1128 "C:\Windows\SysWOW64\qpircs.exe"
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\yufmen.exe
        
        C:\Windows\system32\yufmen.exe 1120 "C:\Windows\SysWOW64\gxeowe.exe"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\yufmen.exe
        
        C:\Windows\system32\yufmen.exe 1120 "C:\Windows\SysWOW64\gxeowe.exe"
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\nfextv.exe
        
        C:\Windows\system32\nfextv.exe 1120 "C:\Windows\SysWOW64\yufmen.exe"
        257⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\nfextv.exe
        
        C:\Windows\system32\nfextv.exe 1120 "C:\Windows\SysWOW64\yufmen.exe"
        258⤵
        Drops file in System32 directory
        
        PID:640
        
        C:\Windows\SysWOW64\gcevbe.exe
        
        C:\Windows\system32\gcevbe.exe 1004 "C:\Windows\SysWOW64\nfextv.exe"
        259⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\gcevbe.exe
        
        C:\Windows\system32\gcevbe.exe 1004 "C:\Windows\SysWOW64\nfextv.exe"
        260⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\ttjwpz.exe
        
        C:\Windows\system32\ttjwpz.exe 1000 "C:\Windows\SysWOW64\gcevbe.exe"
        261⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\ttjwpz.exe
        
        C:\Windows\system32\ttjwpz.exe 1000 "C:\Windows\SysWOW64\gcevbe.exe"
        262⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\fnzboy.exe
        
        C:\Windows\system32\fnzboy.exe 1008 "C:\Windows\SysWOW64\ttjwpz.exe"
        263⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\fnzboy.exe
        
        C:\Windows\system32\fnzboy.exe 1008 "C:\Windows\SysWOW64\ttjwpz.exe"
        264⤵
        Drops file in System32 directory
        
        PID:4992
        
        C:\Windows\SysWOW64\vpypvb.exe
        
        C:\Windows\system32\vpypvb.exe 992 "C:\Windows\SysWOW64\fnzboy.exe"
        265⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\vpypvb.exe
        
        C:\Windows\system32\vpypvb.exe 992 "C:\Windows\SysWOW64\fnzboy.exe"
        266⤵
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\ijouma.exe
        
        C:\Windows\system32\ijouma.exe 988 "C:\Windows\SysWOW64\vpypvb.exe"
        267⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\ijouma.exe
        
        C:\Windows\system32\ijouma.exe 988 "C:\Windows\SysWOW64\vpypvb.exe"
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\ygynez.exe
        
        C:\Windows\system32\ygynez.exe 1128 "C:\Windows\SysWOW64\ijouma.exe"
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\ygynez.exe
        
        C:\Windows\system32\ygynez.exe 1128 "C:\Windows\SysWOW64\ijouma.exe"
        270⤵
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\dxdnsc.exe
        
        C:\Windows\system32\dxdnsc.exe 1100 "C:\Windows\SysWOW64\ygynez.exe"
        271⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\dxdnsc.exe
        
        C:\Windows\system32\dxdnsc.exe 1100 "C:\Windows\SysWOW64\ygynez.exe"
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\tcngcb.exe
        
        C:\Windows\system32\tcngcb.exe 1008 "C:\Windows\SysWOW64\dxdnsc.exe"
        273⤵
        
        PID:716
        
        C:\Windows\SysWOW64\tcngcb.exe
        
        C:\Windows\system32\tcngcb.exe 1008 "C:\Windows\SysWOW64\dxdnsc.exe"
        274⤵
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\fwduba.exe
        
        C:\Windows\system32\fwduba.exe 1008 "C:\Windows\SysWOW64\tcngcb.exe"
        275⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
        
        C:\Windows\SysWOW64\fwduba.exe
        
        C:\Windows\system32\fwduba.exe 1008 "C:\Windows\SysWOW64\tcngcb.exe"
        276⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\vboeki.exe
        
        C:\Windows\system32\vboeki.exe 992 "C:\Windows\SysWOW64\fwduba.exe"
        277⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\vboeki.exe
        
        C:\Windows\system32\vboeki.exe 992 "C:\Windows\SysWOW64\fwduba.exe"
        278⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\lyyxuh.exe
        
        C:\Windows\system32\lyyxuh.exe 1004 "C:\Windows\SysWOW64\vboeki.exe"
        279⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\lyyxuh.exe
        
        C:\Windows\system32\lyyxuh.exe 1004 "C:\Windows\SysWOW64\vboeki.exe"
        280⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\xboltg.exe
        
        C:\Windows\system32\xboltg.exe 1000 "C:\Windows\SysWOW64\lyyxuh.exe"
        281⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\xboltg.exe
        
        C:\Windows\system32\xboltg.exe 1000 "C:\Windows\SysWOW64\lyyxuh.exe"
        282⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\nxyddo.exe
        
        C:\Windows\system32\nxyddo.exe 988 "C:\Windows\SysWOW64\xboltg.exe"
        283⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\nxyddo.exe
        
        C:\Windows\system32\nxyddo.exe 988 "C:\Windows\SysWOW64\xboltg.exe"
        284⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cjxosw.exe
        
        C:\Windows\system32\cjxosw.exe 1008 "C:\Windows\SysWOW64\nxyddo.exe"
        285⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\cjxosw.exe
        
        C:\Windows\system32\cjxosw.exe 1008 "C:\Windows\SysWOW64\nxyddo.exe"
        286⤵
        Drops file in System32 directory
        
        PID:1312
        
        C:\Windows\SysWOW64\sssuea.exe
        
        C:\Windows\system32\sssuea.exe 1128 "C:\Windows\SysWOW64\cjxosw.exe"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\sssuea.exe
        
        C:\Windows\system32\sssuea.exe 1128 "C:\Windows\SysWOW64\cjxosw.exe"
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\fcjuvl.exe
        
        C:\Windows\system32\fcjuvl.exe 1128 "C:\Windows\SysWOW64\sssuea.exe"
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\fcjuvl.exe
        
        C:\Windows\system32\fcjuvl.exe 1128 "C:\Windows\SysWOW64\sssuea.exe"
        290⤵
        Drops file in System32 directory
        
        PID:5084
        
        C:\Windows\SysWOW64\kwrims.exe
        
        C:\Windows\system32\kwrims.exe 1004 "C:\Windows\SysWOW64\fcjuvl.exe"
        291⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\kwrims.exe
        
        C:\Windows\system32\kwrims.exe 1004 "C:\Windows\SysWOW64\fcjuvl.exe"
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\abbaws.exe
        
        C:\Windows\system32\abbaws.exe 1120 "C:\Windows\SysWOW64\kwrims.exe"
        293⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\abbaws.exe
        
        C:\Windows\system32\abbaws.exe 1120 "C:\Windows\SysWOW64\kwrims.exe"
        294⤵
        
        PID:3304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\qjkcie.exe

Filesize
476KB

MD5
f3a6663b8cb810e905ff5c7bed9ef67e

SHA1
8e832fbcd04fad6c103bc8753ad87863454830ac

SHA256
58fa7103a6da18ad8039c901c10af971627efdfb77a27f55a950aa37f4d04dc8

SHA512
986064204320e6b1100e9c83e4691ee1d3aad06cdda575a723e6f49de9ed0ea0c5862b0d87e665167f9e74896dd0cdeaa12de6e1bb6753e68c56387154f98095

Download Submit
memory/116-62-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/212-163-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/220-56-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/544-135-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/544-512-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/632-286-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/640-254-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/688-245-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/872-751-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/872-270-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/876-647-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1096-73-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1112-608-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1164-78-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1196-223-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1448-671-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1460-631-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1724-174-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1788-464-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1812-592-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1824-201-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1880-119-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1976-432-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2108-536-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2176-90-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2176-84-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2192-96-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2196-141-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2204-544-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2212-727-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2216-576-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2256-14-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2256-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2256-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2256-5-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2260-456-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2284-107-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2292-19-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2308-552-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2308-179-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2432-408-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2464-472-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2492-392-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2496-687-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2500-743-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2684-130-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2716-528-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2732-759-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2776-112-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2816-488-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2844-41-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2844-33-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2860-4-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2860-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2864-311-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2888-320-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2888-315-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2900-520-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2912-568-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2956-234-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2976-496-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2992-480-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3008-336-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3128-448-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3280-157-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3412-352-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3464-45-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3472-600-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3536-560-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3556-152-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3580-616-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3604-416-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3676-695-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3676-344-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3716-278-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3752-360-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4016-101-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4280-639-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4288-679-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4288-328-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4308-146-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4308-400-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4420-735-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4428-440-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4444-190-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4460-212-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4528-663-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4544-719-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4580-623-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4668-262-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4728-124-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4728-118-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4732-584-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4740-168-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4800-376-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4832-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4868-655-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4896-85-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4900-711-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4904-703-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4920-384-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4940-20-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4940-26-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4976-303-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4976-298-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4976-424-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4988-51-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5036-67-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5076-368-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5088-504-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5108-294-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download