metasploit | 2925a43bce9b41922ab001e421806ef21ae443d4f1eda68639a9b155d5dfb29e

Analysis

max time kernel
21s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2025, 06:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe
Size

1.4MB
MD5

98513d260023a0cb3667f2e8dac81c4f
SHA1

189be40083f151d30b3c588accdc23ea6c2f5075
SHA256

2925a43bce9b41922ab001e421806ef21ae443d4f1eda68639a9b155d5dfb29e
SHA512

6eb37009bd8f8145ad9378c87605a6f0195ceed56213bc7d17bef6a78ef6889900442b8f38fb9bd44f780beaa7d7e328b51a2885c141414810a91f0d930a3f27
SSDEEP

24576:TQ7ceaRuHmGB7h+4E42P/M2euPuKpxLD2DgDQj9VEH2nyYtLDwI9T9aA/gfsc5E+:6g0Jl+4E42c2euWKpxLD2UDG9Ve2yuIp

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	lfhrkod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	djfrssv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	njhqema.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	vhbwxws.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	qoehdns.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	idcsndb.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	vjrccfe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ssmadyt.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	itkjhwr.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	ibylydx.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	qnteltf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation	tgvgaau.exe

Executes dropped EXE 25 IoCs

pid	Process
1588	ibylydx.exe
4964	ibylydx.exe
3456	vhbwxws.exe
3904	vhbwxws.exe
5292	qnteltf.exe
5520	qnteltf.exe
648	qoehdns.exe
5200	qoehdns.exe
644	idcsndb.exe
680	idcsndb.exe
4736	tgvgaau.exe
4488	tgvgaau.exe
2788	lfhrkod.exe
2268	lfhrkod.exe
684	djfrssv.exe
2992	djfrssv.exe
5440	vjrccfe.exe
5492	vjrccfe.exe
5896	ssmadyt.exe
4888	ssmadyt.exe
4832	njhqema.exe
3192	njhqema.exe
2624	itkjhwr.exe
3932	itkjhwr.exe
4328	qbgptzc.exe

Drops file in System32 directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ibylydx.exe	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe
File created	C:\Windows\SysWOW64\qnteltf.exe	vhbwxws.exe
File opened for modification	C:\Windows\SysWOW64\qnteltf.exe	vhbwxws.exe
File created	C:\Windows\SysWOW64\tgvgaau.exe	idcsndb.exe
File created	C:\Windows\SysWOW64\vjrccfe.exe	djfrssv.exe
File created	C:\Windows\SysWOW64\ssmadyt.exe	vjrccfe.exe
File created	C:\Windows\SysWOW64\qbgptzc.exe	itkjhwr.exe
File opened for modification	C:\Windows\SysWOW64\qbgptzc.exe	itkjhwr.exe
File opened for modification	C:\Windows\SysWOW64\tgvgaau.exe	idcsndb.exe
File created	C:\Windows\SysWOW64\lfhrkod.exe	tgvgaau.exe
File created	C:\Windows\SysWOW64\djfrssv.exe	lfhrkod.exe
File opened for modification	C:\Windows\SysWOW64\vjrccfe.exe	djfrssv.exe
File opened for modification	C:\Windows\SysWOW64\ssmadyt.exe	vjrccfe.exe
File created	C:\Windows\SysWOW64\itkjhwr.exe	njhqema.exe
File opened for modification	C:\Windows\SysWOW64\lfhrkod.exe	tgvgaau.exe
File created	C:\Windows\SysWOW64\vhbwxws.exe	ibylydx.exe
File opened for modification	C:\Windows\SysWOW64\qoehdns.exe	qnteltf.exe
File created	C:\Windows\SysWOW64\idcsndb.exe	qoehdns.exe
File opened for modification	C:\Windows\SysWOW64\idcsndb.exe	qoehdns.exe
File opened for modification	C:\Windows\SysWOW64\djfrssv.exe	lfhrkod.exe
File created	C:\Windows\SysWOW64\njhqema.exe	ssmadyt.exe
File opened for modification	C:\Windows\SysWOW64\ibylydx.exe	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe
File opened for modification	C:\Windows\SysWOW64\vhbwxws.exe	ibylydx.exe
File created	C:\Windows\SysWOW64\qoehdns.exe	qnteltf.exe
File opened for modification	C:\Windows\SysWOW64\njhqema.exe	ssmadyt.exe
File opened for modification	C:\Windows\SysWOW64\itkjhwr.exe	njhqema.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 5036 set thread context of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 1588 set thread context of 4964	1588	ibylydx.exe	104
PID 3456 set thread context of 3904	3456	vhbwxws.exe	110
PID 5292 set thread context of 5520	5292	qnteltf.exe	114
PID 648 set thread context of 5200	648	qoehdns.exe	118
PID 644 set thread context of 680	644	idcsndb.exe	122
PID 4736 set thread context of 4488	4736	tgvgaau.exe	126
PID 2788 set thread context of 2268	2788	lfhrkod.exe	130
PID 684 set thread context of 2992	684	djfrssv.exe	134
PID 5440 set thread context of 5492	5440	vjrccfe.exe	138
PID 5896 set thread context of 4888	5896	ssmadyt.exe	142
PID 4832 set thread context of 3192	4832	njhqema.exe	146
PID 2624 set thread context of 3932	2624	itkjhwr.exe	150

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3924	5036	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itkjhwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qnteltf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idcsndb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njhqema.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoehdns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qbgptzc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qoehdns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfhrkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfhrkod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	djfrssv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	itkjhwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhbwxws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgvgaau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	djfrssv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vjrccfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vjrccfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idcsndb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibylydx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ibylydx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vhbwxws.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qnteltf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tgvgaau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssmadyt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	njhqema.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ssmadyt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 5964	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	95
PID 5036 wrote to memory of 5964	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	95
PID 5036 wrote to memory of 5964	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	95
PID 5036 wrote to memory of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 5036 wrote to memory of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 5036 wrote to memory of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 5036 wrote to memory of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 5036 wrote to memory of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 5036 wrote to memory of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 5036 wrote to memory of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 5036 wrote to memory of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 5036 wrote to memory of 4184	5036	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	97
PID 4184 wrote to memory of 1588	4184	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	100
PID 4184 wrote to memory of 1588	4184	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	100
PID 4184 wrote to memory of 1588	4184	JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe	100
PID 1588 wrote to memory of 5760	1588	ibylydx.exe	102
PID 1588 wrote to memory of 5760	1588	ibylydx.exe	102
PID 1588 wrote to memory of 5760	1588	ibylydx.exe	102
PID 1588 wrote to memory of 4964	1588	ibylydx.exe	104
PID 1588 wrote to memory of 4964	1588	ibylydx.exe	104
PID 1588 wrote to memory of 4964	1588	ibylydx.exe	104
PID 1588 wrote to memory of 4964	1588	ibylydx.exe	104
PID 1588 wrote to memory of 4964	1588	ibylydx.exe	104
PID 1588 wrote to memory of 4964	1588	ibylydx.exe	104
PID 1588 wrote to memory of 4964	1588	ibylydx.exe	104
PID 1588 wrote to memory of 4964	1588	ibylydx.exe	104
PID 1588 wrote to memory of 4964	1588	ibylydx.exe	104
PID 4964 wrote to memory of 3456	4964	ibylydx.exe	105
PID 4964 wrote to memory of 3456	4964	ibylydx.exe	105
PID 4964 wrote to memory of 3456	4964	ibylydx.exe	105
PID 3456 wrote to memory of 4180	3456	vhbwxws.exe	106
PID 3456 wrote to memory of 4180	3456	vhbwxws.exe	106
PID 3456 wrote to memory of 4180	3456	vhbwxws.exe	106
PID 3456 wrote to memory of 3904	3456	vhbwxws.exe	110
PID 3456 wrote to memory of 3904	3456	vhbwxws.exe	110
PID 3456 wrote to memory of 3904	3456	vhbwxws.exe	110
PID 3456 wrote to memory of 3904	3456	vhbwxws.exe	110
PID 3456 wrote to memory of 3904	3456	vhbwxws.exe	110
PID 3456 wrote to memory of 3904	3456	vhbwxws.exe	110
PID 3456 wrote to memory of 3904	3456	vhbwxws.exe	110
PID 3456 wrote to memory of 3904	3456	vhbwxws.exe	110
PID 3456 wrote to memory of 3904	3456	vhbwxws.exe	110
PID 3904 wrote to memory of 5292	3904	vhbwxws.exe	111
PID 3904 wrote to memory of 5292	3904	vhbwxws.exe	111
PID 3904 wrote to memory of 5292	3904	vhbwxws.exe	111
PID 5292 wrote to memory of 3696	5292	qnteltf.exe	112
PID 5292 wrote to memory of 3696	5292	qnteltf.exe	112
PID 5292 wrote to memory of 3696	5292	qnteltf.exe	112
PID 5292 wrote to memory of 5520	5292	qnteltf.exe	114
PID 5292 wrote to memory of 5520	5292	qnteltf.exe	114
PID 5292 wrote to memory of 5520	5292	qnteltf.exe	114
PID 5292 wrote to memory of 5520	5292	qnteltf.exe	114
PID 5292 wrote to memory of 5520	5292	qnteltf.exe	114
PID 5292 wrote to memory of 5520	5292	qnteltf.exe	114
PID 5292 wrote to memory of 5520	5292	qnteltf.exe	114
PID 5292 wrote to memory of 5520	5292	qnteltf.exe	114
PID 5292 wrote to memory of 5520	5292	qnteltf.exe	114
PID 5520 wrote to memory of 648	5520	qnteltf.exe	115
PID 5520 wrote to memory of 648	5520	qnteltf.exe	115
PID 5520 wrote to memory of 648	5520	qnteltf.exe	115
PID 648 wrote to memory of 472	648	qoehdns.exe	116
PID 648 wrote to memory of 472	648	qoehdns.exe	116
PID 648 wrote to memory of 472	648	qoehdns.exe	116
PID 648 wrote to memory of 5200	648	qoehdns.exe	118

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\shlap.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5964
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\SysWOW64\ibylydx.exe
    C:\Windows\system32\ibylydx.exe 1000 "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_98513d260023a0cb3667f2e8dac81c4f.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nvtfu.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:5760
  - - C:\Windows\SysWOW64\ibylydx.exe
      C:\Windows\SysWOW64\ibylydx.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\SysWOW64\vhbwxws.exe
        
        C:\Windows\system32\vhbwxws.exe 1156 "C:\Windows\SysWOW64\ibylydx.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sbail.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
      - C:\Windows\SysWOW64\vhbwxws.exe
        
        C:\Windows\SysWOW64\vhbwxws.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\qnteltf.exe
        
        C:\Windows\system32\qnteltf.exe 1044 "C:\Windows\SysWOW64\vhbwxws.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jnmbw.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\qnteltf.exe
        
        C:\Windows\SysWOW64\qnteltf.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5520
        
        C:\Windows\SysWOW64\qoehdns.exe
        
        C:\Windows\system32\qoehdns.exe 1016 "C:\Windows\SysWOW64\qnteltf.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkmrc.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Windows\SysWOW64\qoehdns.exe
        
        C:\Windows\SysWOW64\qoehdns.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5200
        
        C:\Windows\SysWOW64\idcsndb.exe
        
        C:\Windows\system32\idcsndb.exe 1044 "C:\Windows\SysWOW64\qoehdns.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pouur.bat" "
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\idcsndb.exe
        
        C:\Windows\SysWOW64\idcsndb.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:680
        
        C:\Windows\SysWOW64\tgvgaau.exe
        
        C:\Windows\system32\tgvgaau.exe 1016 "C:\Windows\SysWOW64\idcsndb.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xrjtx.bat" "
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\tgvgaau.exe
        
        C:\Windows\SysWOW64\tgvgaau.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\lfhrkod.exe
        
        C:\Windows\system32\lfhrkod.exe 988 "C:\Windows\SysWOW64\tgvgaau.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ntnwq.bat" "
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:632
        
        C:\Windows\SysWOW64\lfhrkod.exe
        
        C:\Windows\SysWOW64\lfhrkod.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\djfrssv.exe
        
        C:\Windows\system32\djfrssv.exe 1032 "C:\Windows\SysWOW64\lfhrkod.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ujcpa.bat" "
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\djfrssv.exe
        
        C:\Windows\SysWOW64\djfrssv.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2992
        
        C:\Windows\SysWOW64\vjrccfe.exe
        
        C:\Windows\system32\vjrccfe.exe 1068 "C:\Windows\SysWOW64\djfrssv.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kanrv.bat" "
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\vjrccfe.exe
        
        C:\Windows\SysWOW64\vjrccfe.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5492
        
        C:\Windows\SysWOW64\ssmadyt.exe
        
        C:\Windows\system32\ssmadyt.exe 1020 "C:\Windows\SysWOW64\vjrccfe.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xlidh.bat" "
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\ssmadyt.exe
        
        C:\Windows\SysWOW64\ssmadyt.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\njhqema.exe
        
        C:\Windows\system32\njhqema.exe 1052 "C:\Windows\SysWOW64\ssmadyt.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ifgmu.bat" "
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:5816
        
        C:\Windows\SysWOW64\njhqema.exe
        
        C:\Windows\SysWOW64\njhqema.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\itkjhwr.exe
        
        C:\Windows\system32\itkjhwr.exe 1032 "C:\Windows\SysWOW64\njhqema.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\diwhk.bat" "
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\itkjhwr.exe
        
        C:\Windows\SysWOW64\itkjhwr.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\qbgptzc.exe
        
        C:\Windows\system32\qbgptzc.exe 1044 "C:\Windows\SysWOW64\itkjhwr.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\shlyb.bat" "
        28⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\qbgptzc.exe
        
        C:\Windows\SysWOW64\qbgptzc.exe
        28⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\nkauusj.exe
        
        C:\Windows\system32\nkauusj.exe 1044 "C:\Windows\SysWOW64\qbgptzc.exe"
        29⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\avase.bat" "
        30⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\nkauusj.exe
        
        C:\Windows\SysWOW64\nkauusj.exe
        30⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\vejkptc.exe
        
        C:\Windows\system32\vejkptc.exe 1044 "C:\Windows\SysWOW64\nkauusj.exe"
        31⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swbqs.bat" "
        32⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\vejkptc.exe
        
        C:\Windows\SysWOW64\vejkptc.exe
        32⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\nauubmo.exe
        
        C:\Windows\system32\nauubmo.exe 1056 "C:\Windows\SysWOW64\vejkptc.exe"
        33⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ckgic.bat" "
        34⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\nauubmo.exe
        
        C:\Windows\SysWOW64\nauubmo.exe
        34⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\xsuaqzq.exe
        
        C:\Windows\system32\xsuaqzq.exe 1020 "C:\Windows\SysWOW64\nauubmo.exe"
        35⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uiapu.bat" "
        36⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\xsuaqzq.exe
        
        C:\Windows\SysWOW64\xsuaqzq.exe
        36⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cyxlprm.exe
        
        C:\Windows\system32\cyxlprm.exe 1032 "C:\Windows\SysWOW64\xsuaqzq.exe"
        37⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kwojf.bat" "
        38⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\cyxlprm.exe
        
        C:\Windows\SysWOW64\cyxlprm.exe
        38⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\ppcmlmz.exe
        
        C:\Windows\system32\ppcmlmz.exe 1052 "C:\Windows\SysWOW64\cyxlprm.exe"
        39⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\unsxo.bat" "
        40⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\ppcmlmz.exe
        
        C:\Windows\SysWOW64\ppcmlmz.exe
        40⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\ugjsfhn.exe
        
        C:\Windows\system32\ugjsfhn.exe 1044 "C:\Windows\SysWOW64\ppcmlmz.exe"
        41⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wgbfj.bat" "
        42⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\ugjsfhn.exe
        
        C:\Windows\SysWOW64\ugjsfhn.exe
        42⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\uvicipw.exe
        
        C:\Windows\system32\uvicipw.exe 1032 "C:\Windows\SysWOW64\ugjsfhn.exe"
        43⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oguex.bat" "
        44⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\uvicipw.exe
        
        C:\Windows\SysWOW64\uvicipw.exe
        44⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\mvvymxh.exe
        
        C:\Windows\system32\mvvymxh.exe 1020 "C:\Windows\SysWOW64\uvicipw.exe"
        45⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qgdmy.bat" "
        46⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\mvvymxh.exe
        
        C:\Windows\SysWOW64\mvvymxh.exe
        46⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\ktdlzer.exe
        
        C:\Windows\system32\ktdlzer.exe 1044 "C:\Windows\SysWOW64\mvvymxh.exe"
        47⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fbfox.bat" "
        48⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\ktdlzer.exe
        
        C:\Windows\SysWOW64\ktdlzer.exe
        48⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\pfyepnz.exe
        
        C:\Windows\system32\pfyepnz.exe 1044 "C:\Windows\SysWOW64\ktdlzer.exe"
        49⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\edwhg.bat" "
        50⤵
        
        PID:876
        
        C:\Windows\SysWOW64\pfyepnz.exe
        
        C:\Windows\SysWOW64\pfyepnz.exe
        50⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\puxxsdi.exe
        
        C:\Windows\system32\puxxsdi.exe 1044 "C:\Windows\SysWOW64\pfyepnz.exe"
        51⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyywr.bat" "
        52⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\puxxsdi.exe
        
        C:\Windows\SysWOW64\puxxsdi.exe
        52⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\fsiaexe.exe
        
        C:\Windows\system32\fsiaexe.exe 1016 "C:\Windows\SysWOW64\puxxsdi.exe"
        53⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xvygo.bat" "
        54⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\fsiaexe.exe
        
        C:\Windows\SysWOW64\fsiaexe.exe
        54⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\kbzigch.exe
        
        C:\Windows\system32\kbzigch.exe 1012 "C:\Windows\SysWOW64\fsiaexe.exe"
        55⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vhlgh.bat" "
        56⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\kbzigch.exe
        
        C:\Windows\SysWOW64\kbzigch.exe
        56⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\rqkljow.exe
        
        C:\Windows\system32\rqkljow.exe 1044 "C:\Windows\SysWOW64\kbzigch.exe"
        57⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yvbmf.bat" "
        58⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\rqkljow.exe
        
        C:\Windows\SysWOW64\rqkljow.exe
        58⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\rrujpjl.exe
        
        C:\Windows\system32\rrujpjl.exe 1044 "C:\Windows\SysWOW64\rqkljow.exe"
        59⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\srccp.bat" "
        60⤵
        
        PID:880
        
        C:\Windows\SysWOW64\rrujpjl.exe
        
        C:\Windows\SysWOW64\rrujpjl.exe
        60⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\hoguadz.exe
        
        C:\Windows\system32\hoguadz.exe 1044 "C:\Windows\SysWOW64\rrujpjl.exe"
        61⤵
        
        PID:788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wcsod.bat" "
        62⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\hoguadz.exe
        
        C:\Windows\SysWOW64\hoguadz.exe
        62⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\hatsapj.exe
        
        C:\Windows\system32\hatsapj.exe 1044 "C:\Windows\SysWOW64\hoguadz.exe"
        63⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nglhu.bat" "
        64⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\hatsapj.exe
        
        C:\Windows\SysWOW64\hatsapj.exe
        64⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\zsonfpc.exe
        
        C:\Windows\system32\zsonfpc.exe 1016 "C:\Windows\SysWOW64\hatsapj.exe"
        65⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oymvw.bat" "
        66⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\zsonfpc.exe
        
        C:\Windows\SysWOW64\zsonfpc.exe
        66⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\ebxwhuf.exe
        
        C:\Windows\system32\ebxwhuf.exe 1032 "C:\Windows\SysWOW64\zsonfpc.exe"
        67⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duoyv.bat" "
        68⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\ebxwhuf.exe
        
        C:\Windows\SysWOW64\ebxwhuf.exe
        68⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\ucumwka.exe
        
        C:\Windows\system32\ucumwka.exe 1020 "C:\Windows\SysWOW64\ebxwhuf.exe"
        69⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hemep.bat" "
        70⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\ucumwka.exe
        
        C:\Windows\SysWOW64\ucumwka.exe
        70⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\uohkwwc.exe
        
        C:\Windows\system32\uohkwwc.exe 1016 "C:\Windows\SysWOW64\ucumwka.exe"
        71⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baott.bat" "
        72⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\uohkwwc.exe
        
        C:\Windows\SysWOW64\uohkwwc.exe
        72⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\erixibv.exe
        
        C:\Windows\system32\erixibv.exe 1044 "C:\Windows\SysWOW64\uohkwwc.exe"
        73⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bfhbn.bat" "
        74⤵
        
        PID:868
        
        C:\Windows\SysWOW64\erixibv.exe
        
        C:\Windows\SysWOW64\erixibv.exe
        74⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\twxorkz.exe
        
        C:\Windows\system32\twxorkz.exe 1028 "C:\Windows\SysWOW64\erixibv.exe"
        75⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fhxga.bat" "
        76⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\twxorkz.exe
        
        C:\Windows\SysWOW64\twxorkz.exe
        76⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\zfhotpc.exe
        
        C:\Windows\system32\zfhotpc.exe 1012 "C:\Windows\SysWOW64\twxorkz.exe"
        77⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uxjhv.bat" "
        78⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\zfhotpc.exe
        
        C:\Windows\SysWOW64\zfhotpc.exe
        78⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\ocszxkq.exe
        
        C:\Windows\system32\ocszxkq.exe 1040 "C:\Windows\SysWOW64\zfhotpc.exe"
        79⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmxbg.bat" "
        80⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\ocszxkq.exe
        
        C:\Windows\SysWOW64\ocszxkq.exe
        80⤵
        
        PID:536
        
        C:\Windows\SysWOW64\lsafkqb.exe
        
        C:\Windows\system32\lsafkqb.exe 1060 "C:\Windows\SysWOW64\ocszxkq.exe"
        81⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\movrt.bat" "
        82⤵
        
        PID:976
        
        C:\Windows\SysWOW64\lsafkqb.exe
        
        C:\Windows\SysWOW64\lsafkqb.exe
        82⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\ggaskvt.exe
        
        C:\Windows\system32\ggaskvt.exe 1044 "C:\Windows\SysWOW64\lsafkqb.exe"
        83⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiigl.bat" "
        84⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\ggaskvt.exe
        
        C:\Windows\SysWOW64\ggaskvt.exe
        84⤵
        
        PID:772
        
        C:\Windows\SysWOW64\esxtmxx.exe
        
        C:\Windows\system32\esxtmxx.exe 1036 "C:\Windows\SysWOW64\ggaskvt.exe"
        85⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\flpyf.bat" "
        86⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\esxtmxx.exe
        
        C:\Windows\SysWOW64\esxtmxx.exe
        86⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\wtkoqxq.exe
        
        C:\Windows\system32\wtkoqxq.exe 1020 "C:\Windows\SysWOW64\esxtmxx.exe"
        87⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqigy.bat" "
        88⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\wtkoqxq.exe
        
        C:\Windows\SysWOW64\wtkoqxq.exe
        88⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\yhyilgl.exe
        
        C:\Windows\system32\yhyilgl.exe 1044 "C:\Windows\SysWOW64\wtkoqxq.exe"
        89⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yxqel.bat" "
        90⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\yhyilgl.exe
        
        C:\Windows\SysWOW64\yhyilgl.exe
        90⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\dbaymso.exe
        
        C:\Windows\system32\dbaymso.exe 1016 "C:\Windows\SysWOW64\yhyilgl.exe"
        91⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rdkle.bat" "
        92⤵
        
        PID:696
        
        C:\Windows\SysWOW64\dbaymso.exe
        
        C:\Windows\SysWOW64\dbaymso.exe
        92⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\dyymulh.exe
        
        C:\Windows\system32\dyymulh.exe 1044 "C:\Windows\SysWOW64\dbaymso.exe"
        93⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uqbau.bat" "
        94⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\dyymulh.exe
        
        C:\Windows\SysWOW64\dyymulh.exe
        94⤵
        
        PID:352
        
        C:\Windows\SysWOW64\ejmkuxr.exe
        
        C:\Windows\system32\ejmkuxr.exe 1016 "C:\Windows\SysWOW64\dyymulh.exe"
        95⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmeut.bat" "
        96⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\ejmkuxr.exe
        
        C:\Windows\SysWOW64\ejmkuxr.exe
        96⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\wyosesd.exe
        
        C:\Windows\system32\wyosesd.exe 1044 "C:\Windows\SysWOW64\ejmkuxr.exe"
        97⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmfcd.bat" "
        98⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\wyosesd.exe
        
        C:\Windows\SysWOW64\wyosesd.exe
        98⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\ixswxxi.exe
        
        C:\Windows\system32\ixswxxi.exe 1028 "C:\Windows\SysWOW64\wyosesd.exe"
        99⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dkyjw.bat" "
        100⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\ixswxxi.exe
        
        C:\Windows\SysWOW64\ixswxxi.exe
        100⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\taapbjd.exe
        
        C:\Windows\system32\taapbjd.exe 1016 "C:\Windows\SysWOW64\ixswxxi.exe"
        101⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xyhoi.bat" "
        102⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\taapbjd.exe
        
        C:\Windows\SysWOW64\taapbjd.exe
        102⤵
        
        PID:540
        
        C:\Windows\SysWOW64\dbavrwf.exe
        
        C:\Windows\system32\dbavrwf.exe 1048 "C:\Windows\SysWOW64\taapbjd.exe"
        103⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pitxy.bat" "
        104⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\dbavrwf.exe
        
        C:\Windows\SysWOW64\dbavrwf.exe
        104⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\qkguslh.exe
        
        C:\Windows\system32\qkguslh.exe 1016 "C:\Windows\SysWOW64\dbavrwf.exe"
        105⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\trkcs.bat" "
        106⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\qkguslh.exe
        
        C:\Windows\SysWOW64\qkguslh.exe
        106⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\lnmpemn.exe
        
        C:\Windows\system32\lnmpemn.exe 1016 "C:\Windows\SysWOW64\qkguslh.exe"
        107⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jiveo.bat" "
        108⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\lnmpemn.exe
        
        C:\Windows\SysWOW64\lnmpemn.exe
        108⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\vxnyiwu.exe
        
        C:\Windows\system32\vxnyiwu.exe 1040 "C:\Windows\SysWOW64\lnmpemn.exe"
        109⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dbwkx.bat" "
        110⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\vxnyiwu.exe
        
        C:\Windows\SysWOW64\vxnyiwu.exe
        110⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\qxnwjca.exe
        
        C:\Windows\system32\qxnwjca.exe 1020 "C:\Windows\SysWOW64\vxnyiwu.exe"
        111⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jcwdy.bat" "
        112⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\qxnwjca.exe
        
        C:\Windows\SysWOW64\qxnwjca.exe
        112⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\yulkfcx.exe
        
        C:\Windows\system32\yulkfcx.exe 1056 "C:\Windows\SysWOW64\qxnwjca.exe"
        113⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yphos.bat" "
        114⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\yulkfcx.exe
        
        C:\Windows\SysWOW64\yulkfcx.exe
        114⤵
        
        PID:544
        
        C:\Windows\SysWOW64\seyingw.exe
        
        C:\Windows\system32\seyingw.exe 1016 "C:\Windows\SysWOW64\yulkfcx.exe"
        115⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pelys.bat" "
        116⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\seyingw.exe
        
        C:\Windows\SysWOW64\seyingw.exe
        116⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\yjezjjt.exe
        
        C:\Windows\system32\yjezjjt.exe 1056 "C:\Windows\SysWOW64\seyingw.exe"
        117⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wsaav.bat" "
        118⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\yjezjjt.exe
        
        C:\Windows\SysWOW64\yjezjjt.exe
        118⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\kajzglg.exe
        
        C:\Windows\system32\kajzglg.exe 1044 "C:\Windows\SysWOW64\yjezjjt.exe"
        119⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mjlbr.bat" "
        120⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\kajzglg.exe
        
        C:\Windows\SysWOW64\kajzglg.exe
        120⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\ijdfhwv.exe
        
        C:\Windows\system32\ijdfhwv.exe 1016 "C:\Windows\SysWOW64\kajzglg.exe"
        121⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mheik.bat" "
        122⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\ijdfhwv.exe
        
        C:\Windows\SysWOW64\ijdfhwv.exe
        122⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\utjwpat.exe
        
        C:\Windows\system32\utjwpat.exe 1016 "C:\Windows\SysWOW64\ijdfhwv.exe"
        123⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\flxqe.bat" "
        124⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\utjwpat.exe
        
        C:\Windows\SysWOW64\utjwpat.exe
        124⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\ppacsvm.exe
        
        C:\Windows\system32\ppacsvm.exe 1044 "C:\Windows\SysWOW64\utjwpat.exe"
        125⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymywm.bat" "
        126⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\ppacsvm.exe
        
        C:\Windows\SysWOW64\ppacsvm.exe
        126⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\kczglvr.exe
        
        C:\Windows\system32\kczglvr.exe 1060 "C:\Windows\SysWOW64\ppacsvm.exe"
        127⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iwwom.bat" "
        128⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\kczglvr.exe
        
        C:\Windows\SysWOW64\kczglvr.exe
        128⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\cgovzmz.exe
        
        C:\Windows\system32\cgovzmz.exe 996 "C:\Windows\SysWOW64\kczglvr.exe"
        129⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rjseg.bat" "
        130⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cgovzmz.exe
        
        C:\Windows\SysWOW64\cgovzmz.exe
        130⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\eneeuyp.exe
        
        C:\Windows\system32\eneeuyp.exe 1016 "C:\Windows\SysWOW64\cgovzmz.exe"
        131⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xdxym.bat" "
        132⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\eneeuyp.exe
        
        C:\Windows\SysWOW64\eneeuyp.exe
        132⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\fyscukr.exe
        
        C:\Windows\system32\fyscukr.exe 1044 "C:\Windows\SysWOW64\eneeuyp.exe"
        133⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jsfov.bat" "
        134⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\fyscukr.exe
        
        C:\Windows\SysWOW64\fyscukr.exe
        134⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\hbsxghl.exe
        
        C:\Windows\system32\hbsxghl.exe 1016 "C:\Windows\SysWOW64\fyscukr.exe"
        135⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\syjug.bat" "
        136⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\hbsxghl.exe
        
        C:\Windows\SysWOW64\hbsxghl.exe
        136⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\xkzgsnj.exe
        
        C:\Windows\system32\xkzgsnj.exe 1044 "C:\Windows\SysWOW64\hbsxghl.exe"
        137⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gdxqn.bat" "
        138⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\xkzgsnj.exe
        
        C:\Windows\SysWOW64\xkzgsnj.exe
        138⤵
        
        PID:396
        
        C:\Windows\SysWOW64\rmnxajh.exe
        
        C:\Windows\system32\rmnxajh.exe 1016 "C:\Windows\SysWOW64\xkzgsnj.exe"
        139⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ybqxh.bat" "
        140⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\rmnxajh.exe
        
        C:\Windows\SysWOW64\rmnxajh.exe
        140⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\uicqglg.exe
        
        C:\Windows\system32\uicqglg.exe 1072 "C:\Windows\SysWOW64\rmnxajh.exe"
        141⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sbsep.bat" "
        142⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\uicqglg.exe
        
        C:\Windows\SysWOW64\uicqglg.exe
        142⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\hrjuthg.exe
        
        C:\Windows\system32\hrjuthg.exe 1016 "C:\Windows\SysWOW64\uicqglg.exe"
        143⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vljby.bat" "
        144⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\hrjuthg.exe
        
        C:\Windows\SysWOW64\hrjuthg.exe
        144⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\rhvabxa.exe
        
        C:\Windows\system32\rhvabxa.exe 1016 "C:\Windows\SysWOW64\hrjuthg.exe"
        145⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mynsr.bat" "
        146⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\rhvabxa.exe
        
        C:\Windows\SysWOW64\rhvabxa.exe
        146⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\eqlloma.exe
        
        C:\Windows\system32\eqlloma.exe 1016 "C:\Windows\SysWOW64\rhvabxa.exe"
        147⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lstlt.bat" "
        148⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\eqlloma.exe
        
        C:\Windows\SysWOW64\eqlloma.exe
        148⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\bsphvyw.exe
        
        C:\Windows\system32\bsphvyw.exe 1044 "C:\Windows\SysWOW64\eqlloma.exe"
        149⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ccguk.bat" "
        150⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\bsphvyw.exe
        
        C:\Windows\SysWOW64\bsphvyw.exe
        150⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\wcvfluc.exe
        
        C:\Windows\system32\wcvfluc.exe 1016 "C:\Windows\SysWOW64\bsphvyw.exe"
        151⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqpav.bat" "
        152⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\wcvfluc.exe
        
        C:\Windows\SysWOW64\wcvfluc.exe
        152⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\ogezqox.exe
        
        C:\Windows\system32\ogezqox.exe 1044 "C:\Windows\SysWOW64\wcvfluc.exe"
        153⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xdkbi.bat" "
        154⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\ogezqox.exe
        
        C:\Windows\SysWOW64\ogezqox.exe
        154⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\bmykefx.exe
        
        C:\Windows\system32\bmykefx.exe 1044 "C:\Windows\SysWOW64\ogezqox.exe"
        155⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sksfu.bat" "
        156⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\bmykefx.exe
        
        C:\Windows\SysWOW64\bmykefx.exe
        156⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\tukylvq.exe
        
        C:\Windows\system32\tukylvq.exe 1016 "C:\Windows\SysWOW64\bmykefx.exe"
        157⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jbfol.bat" "
        158⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\tukylvq.exe
        
        C:\Windows\SysWOW64\tukylvq.exe
        158⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\dxukdmz.exe
        
        C:\Windows\system32\dxukdmz.exe 1040 "C:\Windows\SysWOW64\tukylvq.exe"
        159⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dmfub.bat" "
        160⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\dxukdmz.exe
        
        C:\Windows\SysWOW64\dxukdmz.exe
        160⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\gljvjoq.exe
        
        C:\Windows\system32\gljvjoq.exe 1044 "C:\Windows\SysWOW64\dxukdmz.exe"
        161⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vrxct.bat" "
        162⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\gljvjoq.exe
        
        C:\Windows\SysWOW64\gljvjoq.exe
        162⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\tvxtrsp.exe
        
        C:\Windows\system32\tvxtrsp.exe 1040 "C:\Windows\SysWOW64\gljvjoq.exe"
        163⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ubrmj.bat" "
        164⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\tvxtrsp.exe
        
        C:\Windows\SysWOW64\tvxtrsp.exe
        164⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\wcpmsdi.exe
        
        C:\Windows\system32\wcpmsdi.exe 1044 "C:\Windows\SysWOW64\tvxtrsp.exe"
        165⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\upaei.bat" "
        166⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\wcpmsdi.exe
        
        C:\Windows\SysWOW64\wcpmsdi.exe
        166⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\yuqluwq.exe
        
        C:\Windows\system32\yuqluwq.exe 1016 "C:\Windows\SysWOW64\wcpmsdi.exe"
        167⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgmnx.bat" "
        168⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\yuqluwq.exe
        
        C:\Windows\SysWOW64\yuqluwq.exe
        168⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\dhwcqin.exe
        
        C:\Windows\system32\dhwcqin.exe 1044 "C:\Windows\SysWOW64\yuqluwq.exe"
        169⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tvbni.bat" "
        170⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\dhwcqin.exe
        
        C:\Windows\SysWOW64\dhwcqin.exe
        170⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\golsrzm.exe
        
        C:\Windows\system32\golsrzm.exe 1016 "C:\Windows\SysWOW64\dhwcqin.exe"
        171⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eefur.bat" "
        172⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\golsrzm.exe
        
        C:\Windows\SysWOW64\golsrzm.exe
        172⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\sjddwsn.exe
        
        C:\Windows\system32\sjddwsn.exe 1060 "C:\Windows\SysWOW64\golsrzm.exe"
        173⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xarjt.bat" "
        174⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\sjddwsn.exe
        
        C:\Windows\SysWOW64\sjddwsn.exe
        174⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\ntpjzqg.exe
        
        C:\Windows\system32\ntpjzqg.exe 1044 "C:\Windows\SysWOW64\sjddwsn.exe"
        175⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qxlyf.bat" "
        176⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\ntpjzqg.exe
        
        C:\Windows\SysWOW64\ntpjzqg.exe
        176⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\kyxsizj.exe
        
        C:\Windows\system32\kyxsizj.exe 1040 "C:\Windows\SysWOW64\ntpjzqg.exe"
        177⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\beooi.bat" "
        178⤵
        
        PID:896
        
        C:\Windows\SysWOW64\kyxsizj.exe
        
        C:\Windows\SysWOW64\kyxsizj.exe
        178⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\dyjvtns.exe
        
        C:\Windows\system32\dyjvtns.exe 1044 "C:\Windows\SysWOW64\kyxsizj.exe"
        179⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kxmxv.bat" "
        180⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\dyjvtns.exe
        
        C:\Windows\SysWOW64\dyjvtns.exe
        180⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\dymgspf.exe
        
        C:\Windows\system32\dymgspf.exe 1044 "C:\Windows\SysWOW64\dyjvtns.exe"
        181⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ddgfo.bat" "
        182⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\dymgspf.exe
        
        C:\Windows\SysWOW64\dymgspf.exe
        182⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\vvueffe.exe
        
        C:\Windows\system32\vvueffe.exe 1044 "C:\Windows\SysWOW64\dymgspf.exe"
        183⤵
        
        PID:1860
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 1264
  2⤵
  - Program crash
  PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5036 -ip 5036
1⤵
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\avase.bat

Filesize
151B

MD5
261a812bf5f88bce11d696f3925e6f7a

SHA1
7673cc3f2c2b14999593a35ee7439f720d94cf2d

SHA256
03efd1943244a107c34ee38656a4d14c3b7951a08a9ab18dd3f5e064ffce5470

SHA512
542c1b180b896ed7219e69734b57aa0a96518ebf201b3e42c2879ec0a6a80628577b5e07ec5498b88e80ca8c891f38f1e5d60a2baebf89dde53d4cbbfd61d33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckgic.bat

Filesize
151B

MD5
7154f3a6bf06bc4a4617c360359bcbc6

SHA1
25368702a41eb74db1f0d828ac75ff2d24e59d8d

SHA256
03a0ea50ef0333d7aa6903c87e3885dfebb28c690301d5e340b555fccb273bbc

SHA512
3279c1203ce887a97011bbe5c874d8a4de68941386a2afcc484dd25484a6fe240b9938b463d08e7fce0a819d283e1f6a286ffd788fe260d9ed3e01ddbcc6a13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\diwhk.bat

Filesize
151B

MD5
c14381140595481da35da7c5c8fd6ea0

SHA1
bb441968ddd6791bc9750dd5884bb4a828d90c37

SHA256
2f085970d972dabe3166023ffbab49d34205827aba807217afa7d4b9fa36daf7

SHA512
390ce1bf61c9233a481b7636b931d056c6b1836ce89173c584aeedf77229faae84920134f98f9035670159cb4a746f7da6839ff8c3c801c4c92e465ca55b10f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ifgmu.bat

Filesize
151B

MD5
64a87d8213c3fa2eb80aeab8b9bc07b2

SHA1
0031bb47eccaab17647cca7ed1f0173b2ac905cb

SHA256
fbb2708d8f2f000f51b3eb6e20e2d692af0b775f8b08ef9a7d34c4f30db92d5a

SHA512
d0a6c72035ef9a6bf7d1c9d873515d9a537e9ad99e4d61384416732b5b3e19f29bd33daddcd5e2a6e1d03cfd65c8e85283aa9e2bdb83ee974e08366b1e09b8b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnmbw.bat

Filesize
151B

MD5
1081c90c6987f610c54b4c8b3a58d670

SHA1
8df5293b3162d0b0fa7fa6b033ef24b17bc5c391

SHA256
a57243ec943b89fb7a23ffb4b0cf1cc248a77a4d3faba4671b3d43a20ea2f272

SHA512
7d155c7e3b920a952e045cabfe2a759d35afa87e1fc88ff0bed33c546ac7b52047cd80513855118a42c9b4aca8c0c67be5ba19489e09516ee6f32e231e015074

Download Submit
C:\Users\Admin\AppData\Local\Temp\kanrv.bat

Filesize
151B

MD5
9746193b69a07a127cb84892191a6fc0

SHA1
d9f27929b12f7ef25a1e01f5264c0a4b63dba345

SHA256
ace18050c39629bbff3413744475218493f1acd001ff7f29a559e5cd040ee3b2

SHA512
2d24cb446313d717bebad035473dfb956629fad15940551028d58dcfe960bc14c1ab15e46e8f445faa46f4bbe1a22ee6440185f0b2c05e29eda7ba9b78813e80

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntnwq.bat

Filesize
151B

MD5
b1f441190df70bc46d420f99297a3214

SHA1
2bb85d6c8d742a8825f2d311f25e115081a05d02

SHA256
2cd50ea3cd0f3128451b3aaa41fbed195f94ce01fa2960b03e4d1a27ff0acfc4

SHA512
b04c09ae46c1a1f6ac740103806e5bb2b73186a9f79ed55004f110e034ff236385e29ce23617524d49398524bff5d991a47847f13214e2a64a3e075b839b25b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nvtfu.bat

Filesize
151B

MD5
329129f5dee3a9fa64671aad7fa58ea7

SHA1
de3725a6a3a1ea2b0c4b906174c73058b0e3b06c

SHA256
4fd8b701229c55d4c5f7b94f31ed45e6d35b448ecad3464855437133f2583c5d

SHA512
a05d1cf0062ef1eca7d8278039b87632ea82784b5981bee0ec24b53e4c45bd627dde2b26735ebb9259fc898b19539354d7bbc80007626cebce57dd66a656b63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pouur.bat

Filesize
151B

MD5
9c712dd150a009a439f6265859138f02

SHA1
7ee3654a332da3bd24e37b7c4229554a08893aa3

SHA256
86ff1a7fee2395fc2cecaea1a7049c51c07ec9df1d197340adfdcf349ac79b1a

SHA512
2656610deb009c0b3f2b9e89a31db91ba71a7b7da1526090d9d79abbf1e6c949d717f437d867b684158b265d9217502e3f008d1792e570e22a536446c0a6759d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rkmrc.bat

Filesize
151B

MD5
75fdf25224fb47136a60958eddbb120f

SHA1
a034ba91b8e522ea4b17bcd42c16d1dd5687fd6c

SHA256
83659978c14f7fba2510989ad59ac03c50c1a93fb821774b691243153f7319e3

SHA512
0570c20916765166c5a6af8edaa57f8d1de0c87362a94523f4ad348b11facd52d354c00a740c1296ce099d868c1bc22a723b028196cce55057553345b72d0293

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbail.bat

Filesize
151B

MD5
a7d7b46541040fde8217984e3d560d43

SHA1
5270f24f724c85a0132310179169e382205351f5

SHA256
e6ed1d223ee2b02745196ba4a9022fea3b887145136811f08e9c5ec4dae6b9b3

SHA512
a92661b1ff287b310c2a7fc68f338359540333e21facf57830bca4d409de0366ebc11581777a807d19e4280b8f517bcb711426699d599199cbcb5279ca32dc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\shlap.bat

Filesize
257B

MD5
58a0863d376c5ef15ec23394fec2c111

SHA1
02f17e577ff771aacdcca60eea4c76858508f2fe

SHA256
5c22c66591ce9152b9e326a2d9db1104e5284bf8e9a3b98c3c3d779691a27f68

SHA512
605d23977e90ed10bd5a2d3e682a1a7e181b1125315524cd9aa443158045ec5802bd3b33db2809b5ab75dc3b1e18c24264aae5db0327d2371446e2a6da389e32

Download Submit
C:\Users\Admin\AppData\Local\Temp\shlyb.bat

Filesize
151B

MD5
c3e22b1c1e643908ef6885e06d6a332a

SHA1
8564b48eeecf171cea911d4158b89fd262aa2315

SHA256
f4574018146819a43fc4112d97133596e79a6e49c7e6c70813a6558ad4c69ab2

SHA512
0e907e985df0b438f2fc9f7e95c15ad9952cfcd863c3e18dad028db2ca7a4b7d2d16848525e0335a711c354ad1e5171baa4103b326281bcf77bfb1edef98b29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\swbqs.bat

Filesize
151B

MD5
f8ab68d71d03e9f91e325063b161b7df

SHA1
ae561c1d24982c3ccf46438695e249d3242272a8

SHA256
97df26e1b64658204177c3bfe1ec6ed3cb7080164ff93d8f8c2501f014438f65

SHA512
8d67652440786598d8c2120bebf1a1d572468e1bcf55358bc60c83abc987af2b377bf8455903303fbeeeb37841030dfe7905646b9dc6f167e438c0dd9552d8a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ujcpa.bat

Filesize
151B

MD5
3275355b8415d7030d048cf35cbe80d6

SHA1
55c0d94f460148dbe5c754d22f7c187a8597093c

SHA256
ed2d9ae66eedecf924f677dd32ebe6cbe4a00b3f96ab0c1de4b3eb1fc8f2aaa4

SHA512
0cd1ce69da43f5afd6854c051521e15d89aab9dbb5d582db7cb107dfc80821f842f84e641d18a5b7d9368854dea989417452d43c2cce6e05796038b69b58b189

Download Submit
C:\Users\Admin\AppData\Local\Temp\xlidh.bat

Filesize
151B

MD5
4f58dc5ab7c15aa6259cba02817c5e78

SHA1
1ad4dd8f9526e1b1558a9c72e2c36622546686a6

SHA256
ea31f775e2eaca781503e89f2a73cfe3ece41264e7407175fd0bef30733cc86f

SHA512
4b9a23461075ae65e79a67a46066afc63a361631601b0132318bb4a5da63c2fc039cba33b0254517cdd6dac981e06194ef952ff0a4b2936e2b3758b45f53887b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrjtx.bat

Filesize
151B

MD5
18e580465db556cca85fc50dea265269

SHA1
a7fcad385db1eea2b9f0b50623fd00fa47002190

SHA256
78d8a5ceaf6b8e354ed91896aa990f6df01a30b4699df6ef1a1ee532c8f29cb5

SHA512
519b230bee6622e5d3127fa61c2be370a63e00d9236ee634b5a224cb12b4746fab732e0c68702f7f2df95f51b743659cbde43cd71ce05b692f8973930be6d0a0

Download Submit
C:\Windows\SysWOW64\ibylydx.exe

Filesize
1.4MB

MD5
98513d260023a0cb3667f2e8dac81c4f

SHA1
189be40083f151d30b3c588accdc23ea6c2f5075

SHA256
2925a43bce9b41922ab001e421806ef21ae443d4f1eda68639a9b155d5dfb29e

SHA512
6eb37009bd8f8145ad9378c87605a6f0195ceed56213bc7d17bef6a78ef6889900442b8f38fb9bd44f780beaa7d7e328b51a2885c141414810a91f0d930a3f27

Download Submit
memory/680-86-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1436-225-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2268-115-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2360-211-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2992-127-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3192-170-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3904-43-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3932-183-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4184-16-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4184-7-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4184-6-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4184-5-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4296-198-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4488-99-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4888-156-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4964-30-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5200-71-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5492-142-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5520-59-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download