metasploit | 41d17aeec282d38dd6c92978b25081f7c05996ed5c27b83dcc43b8dc51a66ea4

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe
Size

472KB
MD5

b99a3c504fb3494c81eca16099aec5ab
SHA1

5695103a074dc622f1e7bd06e9b132c1e27550a2
SHA256

41d17aeec282d38dd6c92978b25081f7c05996ed5c27b83dcc43b8dc51a66ea4
SHA512

433cd7a44f055c3f1f9eb1498dd17d04b749dc587ddbde7c3d506c5a99b98db415c1d02fa0662f2d22934067feaa92c768c02c42be6c094cc5869ec3b23de705
SSDEEP

6144:uFeLlS5FZCAv2wFR24biJjWti/9q7R/ck6pSDy4N5q39dVdnNn1u9/TPr5P6uzPx:8D6AvTFgJVWt49y5YeE8RhpQetCe

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Executes dropped EXE 64 IoCs

pid	Process
2152	mdbmdw.exe
5112	mdbmdw.exe
5728	mhxcfv.exe
5064	mhxcfv.exe
4964	rfeizq.exe
4972	rfeizq.exe
5436	wojinl.exe
3676	wojinl.exe
2752	rcbetd.exe
2620	rcbetd.exe
5704	etfehx.exe
1808	etfehx.exe
5772	teexeg.exe
5908	teexeg.exe
2096	ohssih.exe
4376	ohssih.exe
5212	bvmfbx.exe
3268	bvmfbx.exe
4552	tuyimk.exe
1656	tuyimk.exe
3260	gldjam.exe
2320	gldjam.exe
2324	bkurpk.exe
4560	bkurpk.exe
3164	oxnfai.exe
5628	oxnfai.exe
436	ecyxsh.exe
4364	ecyxsh.exe
1868	gumtib.exe
4144	gumtib.exe
1668	vchqce.exe
5848	vchqce.exe
3724	ipbmnv.exe
1288	ipbmnv.exe
100	bpnpyi.exe
3088	bpnpyi.exe
2052	tscflz.exe
5568	tscflz.exe
4840	ggwsxy.exe
3032	ggwsxy.exe
3508	txbtts.exe
1640	txbtts.exe
2672	lxneef.exe
2708	lxneef.exe
4688	dxzhot.exe
3144	dxzhot.exe
5508	tfunbw.exe
2816	tfunbw.exe
2268	dqkdoo.exe
5544	dqkdoo.exe
5412	sguagb.exe
5960	sguagb.exe
5804	niivsu.exe
3552	niivsu.exe
4884	gxjtac.exe
4892	gxjtac.exe
5100	yiyjnu.exe
2464	yiyjnu.exe
4328	nufucc.exe
4964	nufucc.exe
5464	fujxnp.exe
3096	fujxnp.exe
4792	yfgvah.exe
3444	yfgvah.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\pkyner.exe	rcmafl.exe
File created	C:\Windows\SysWOW64\askolz.exe	qpuyyi.exe
File opened for modification	C:\Windows\SysWOW64\bexfkf.exe	jbhpxo.exe
File opened for modification	C:\Windows\SysWOW64\sguagb.exe	dqkdoo.exe
File created	C:\Windows\SysWOW64\kxmyoc.exe	tildxo.exe
File created	C:\Windows\SysWOW64\xnwgqr.exe	fywdav.exe
File created	C:\Windows\SysWOW64\bexfkf.exe	jbhpxo.exe
File opened for modification	C:\Windows\SysWOW64\yluaiu.exe	gixcvc.exe
File opened for modification	C:\Windows\SysWOW64\gldjam.exe	tuyimk.exe
File created	C:\Windows\SysWOW64\kefgio.exe	ssique.exe
File created	C:\Windows\SysWOW64\bpnpyi.exe	ipbmnv.exe
File created	C:\Windows\SysWOW64\tfunbw.exe	dxzhot.exe
File opened for modification	C:\Windows\SysWOW64\yiyjnu.exe	gxjtac.exe
File opened for modification	C:\Windows\SysWOW64\xvlodm.exe	fswyqc.exe
File created	C:\Windows\SysWOW64\wrcbks.exe	gjhexo.exe
File opened for modification	C:\Windows\SysWOW64\olxkdx.exe	zonmdl.exe
File created	C:\Windows\SysWOW64\mktztj.exe	rqfdhq.exe
File opened for modification	C:\Windows\SysWOW64\aufupz.exe	fnombc.exe
File opened for modification	C:\Windows\SysWOW64\ohssih.exe	teexeg.exe
File created	C:\Windows\SysWOW64\gxjtac.exe	niivsu.exe
File opened for modification	C:\Windows\SysWOW64\zombnh.exe	hlplzq.exe
File created	C:\Windows\SysWOW64\lhpemx.exe	sezozf.exe
File opened for modification	C:\Windows\SysWOW64\hbsxgh.exe	xmsuql.exe
File created	C:\Windows\SysWOW64\qlhoop.exe	bwxrwd.exe
File opened for modification	C:\Windows\SysWOW64\irizxm.exe	kxmyoc.exe
File opened for modification	C:\Windows\SysWOW64\kkehck.exe	qenzof.exe
File opened for modification	C:\Windows\SysWOW64\rqfdhq.exe	zbfaru.exe
File created	C:\Windows\SysWOW64\rcmafl.exe	znlxpx.exe
File opened for modification	C:\Windows\SysWOW64\wcggha.exe	yluaiu.exe
File created	C:\Windows\SysWOW64\xvlodm.exe	fswyqc.exe
File opened for modification	C:\Windows\SysWOW64\phjeqd.exe	xvlodm.exe
File opened for modification	C:\Windows\SysWOW64\roqexu.exe	zombnh.exe
File created	C:\Windows\SysWOW64\wnlyvj.exe	bwipmm.exe
File created	C:\Windows\SysWOW64\dxahmj.exe	irizxm.exe
File created	C:\Windows\SysWOW64\sgerfc.exe	acpbsl.exe
File created	C:\Windows\SysWOW64\hsjrdw.exe	pmioni.exe
File opened for modification	C:\Windows\SysWOW64\bhjzgk.exe	jwmbtt.exe
File created	C:\Windows\SysWOW64\fixpcj.exe	nxhzor.exe
File opened for modification	C:\Windows\SysWOW64\agzsme.exe	ihnhbr.exe
File created	C:\Windows\SysWOW64\dxzhot.exe	lxneef.exe
File created	C:\Windows\SysWOW64\xyddqh.exe	fvoncp.exe
File created	C:\Windows\SysWOW64\ihnhbr.exe	phjeqd.exe
File created	C:\Windows\SysWOW64\gjhexo.exe	pugbhs.exe
File created	C:\Windows\SysWOW64\qrsdet.exe	xocnrc.exe
File opened for modification	C:\Windows\SysWOW64\znlxpx.exe	hcohbg.exe
File opened for modification	C:\Windows\SysWOW64\lfrhjj.exe	tyqmto.exe
File opened for modification	C:\Windows\SysWOW64\jwmbtt.exe	wcggha.exe
File opened for modification	C:\Windows\SysWOW64\hcohbg.exe	mktztj.exe
File created	C:\Windows\SysWOW64\wuuxvs.exe	ejxhia.exe
File created	C:\Windows\SysWOW64\weantu.exe	bexfkf.exe
File opened for modification	C:\Windows\SysWOW64\ldjuza.exe	wrcbks.exe
File created	C:\Windows\SysWOW64\ewkecw.exe	lxgtrj.exe
File opened for modification	C:\Windows\SysWOW64\sipmkp.exe	ixswxx.exe
File created	C:\Windows\SysWOW64\icypxf.exe	ndvhoi.exe
File opened for modification	C:\Windows\SysWOW64\rmpfeg.exe	wuuxvs.exe
File opened for modification	C:\Windows\SysWOW64\tyqmto.exe	yznwkz.exe
File opened for modification	C:\Windows\SysWOW64\gumtib.exe	ecyxsh.exe
File opened for modification	C:\Windows\SysWOW64\zsdfkr.exe	hpgpwz.exe
File created	C:\Windows\SysWOW64\irizxm.exe	kxmyoc.exe
File opened for modification	C:\Windows\SysWOW64\omxgka.exe	tjjlyz.exe
File opened for modification	C:\Windows\SysWOW64\jbhpxo.exe	zykzjw.exe
File created	C:\Windows\SysWOW64\fujxnp.exe	nufucc.exe
File opened for modification	C:\Windows\SysWOW64\ihnhbr.exe	phjeqd.exe
File opened for modification	C:\Windows\SysWOW64\rjnass.exe	zjjxhe.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 1800 set thread context of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 2152 set thread context of 5112	2152	mdbmdw.exe	92
PID 5728 set thread context of 5064	5728	mhxcfv.exe	94
PID 4964 set thread context of 4972	4964	rfeizq.exe	96
PID 5436 set thread context of 3676	5436	wojinl.exe	98
PID 2752 set thread context of 2620	2752	rcbetd.exe	100
PID 5704 set thread context of 1808	5704	etfehx.exe	102
PID 5772 set thread context of 5908	5772	teexeg.exe	104
PID 2096 set thread context of 4376	2096	ohssih.exe	106
PID 5212 set thread context of 3268	5212	bvmfbx.exe	108
PID 4552 set thread context of 1656	4552	tuyimk.exe	110
PID 3260 set thread context of 2320	3260	gldjam.exe	112
PID 2324 set thread context of 4560	2324	bkurpk.exe	114
PID 3164 set thread context of 5628	3164	oxnfai.exe	116
PID 436 set thread context of 4364	436	ecyxsh.exe	118
PID 1868 set thread context of 4144	1868	gumtib.exe	120
PID 1668 set thread context of 5848	1668	vchqce.exe	122
PID 3724 set thread context of 1288	3724	ipbmnv.exe	124
PID 100 set thread context of 3088	100	bpnpyi.exe	126
PID 2052 set thread context of 5568	2052	tscflz.exe	128
PID 4840 set thread context of 3032	4840	ggwsxy.exe	130
PID 3508 set thread context of 1640	3508	txbtts.exe	132
PID 2672 set thread context of 2708	2672	lxneef.exe	134
PID 4688 set thread context of 3144	4688	dxzhot.exe	136
PID 5508 set thread context of 2816	5508	tfunbw.exe	138
PID 2268 set thread context of 5544	2268	dqkdoo.exe	140
PID 5412 set thread context of 5960	5412	sguagb.exe	142
PID 5804 set thread context of 3552	5804	niivsu.exe	144
PID 4884 set thread context of 4892	4884	gxjtac.exe	146
PID 5100 set thread context of 2464	5100	yiyjnu.exe	151
PID 4328 set thread context of 4964	4328	nufucc.exe	153
PID 5464 set thread context of 3096	5464	fujxnp.exe	155
PID 4792 set thread context of 3444	4792	yfgvah.exe	157
PID 5360 set thread context of 5704	5360	nrfgxp.exe	159
PID 2364 set thread context of 3272	2364	frrjic.exe	161
PID 4700 set thread context of 776	4700	nznpug.exe	163
PID 1692 set thread context of 6028	1692	fvoncp.exe	165
PID 2632 set thread context of 5888	2632	xyddqh.exe	167
PID 3612 set thread context of 3592	3612	nwvait.exe	169
PID 1540 set thread context of 5620	1540	fswyqc.exe	171
PID 5440 set thread context of 2384	5440	xvlodm.exe	173
PID 2576 set thread context of 6088	2576	phjeqd.exe	176
PID 4672 set thread context of 840	4672	ihnhbr.exe	178
PID 412 set thread context of 1552	412	agzsme.exe	180
PID 1340 set thread context of 5256	1340	qpuyyi.exe	182
PID 2728 set thread context of 6100	2728	askolz.exe	184
PID 6052 set thread context of 3392	6052	ppcmlm.exe	186
PID 2952 set thread context of 3428	2952	hpgpwz.exe	188
PID 6136 set thread context of 6104	6136	zsdfkr.exe	190
PID 1752 set thread context of 2212	1752	ssique.exe	192
PID 3696 set thread context of 2252	3696	kefgio.exe	194
PID 4688 set thread context of 1464	4688	cdrjsb.exe	196
PID 5584 set thread context of 2196	5584	uhhhgs.exe	198
PID 1208 set thread context of 5896	1208	kpcfsw.exe	200
PID 3292 set thread context of 3604	3292	zjjxhe.exe	202
PID 4728 set thread context of 4616	4728	rjnass.exe	204
PID 5032 set thread context of 4868	5032	edbwdt.exe	206
PID 1608 set thread context of 4200	1608	uxagtb.exe	208
PID 5076 set thread context of 4996	5076	mmbeak.exe	210
PID 3544 set thread context of 3276	3544	ftnhlx.exe	212
PID 2304 set thread context of 3432	2304	ujxndj.exe	214
PID 1032 set thread context of 2752	1032	ollapc.exe	216
PID 4756 set thread context of 4012	4756	hlplzq.exe	218
PID 2172 set thread context of 2024	2172	zombnh.exe	220

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jdzhoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qenzof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	weantu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bhjzgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ollapc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdbmdw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oxnfai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oxifdt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxahmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	raqjgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yfgvah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eizshp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lxneef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fujxnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuuywf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xatqaq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xmsuql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxzhot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gxjtac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nufucc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pugbhs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omxgka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkyner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzuape.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yluaiu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrcbks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tljder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wnlyvj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuuxvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gumtib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwvait.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	askolz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kefgio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hsjrdw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gixcvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxzhot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdrjsb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lxgtrj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zonmdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tildxo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hcohbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yznwkz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecyxsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tfunbw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qpuyyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhxcfv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	etfehx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nznpug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xyddqh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mcwere.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddxixi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bkurpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ihnhbr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vchqce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yrinpr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zzuape.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwqgwh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jwmbtt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niivsu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpgpwz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ujxndj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wuuywf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lfrhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sguagb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 1800 wrote to memory of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 1800 wrote to memory of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 1800 wrote to memory of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 1800 wrote to memory of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 1800 wrote to memory of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 1800 wrote to memory of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 1800 wrote to memory of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 1800 wrote to memory of 4504	1800	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	88
PID 4504 wrote to memory of 2152	4504	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	89
PID 4504 wrote to memory of 2152	4504	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	89
PID 4504 wrote to memory of 2152	4504	JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe	89
PID 2152 wrote to memory of 5112	2152	mdbmdw.exe	92
PID 2152 wrote to memory of 5112	2152	mdbmdw.exe	92
PID 2152 wrote to memory of 5112	2152	mdbmdw.exe	92
PID 2152 wrote to memory of 5112	2152	mdbmdw.exe	92
PID 2152 wrote to memory of 5112	2152	mdbmdw.exe	92
PID 2152 wrote to memory of 5112	2152	mdbmdw.exe	92
PID 2152 wrote to memory of 5112	2152	mdbmdw.exe	92
PID 2152 wrote to memory of 5112	2152	mdbmdw.exe	92
PID 2152 wrote to memory of 5112	2152	mdbmdw.exe	92
PID 5112 wrote to memory of 5728	5112	mdbmdw.exe	93
PID 5112 wrote to memory of 5728	5112	mdbmdw.exe	93
PID 5112 wrote to memory of 5728	5112	mdbmdw.exe	93
PID 5728 wrote to memory of 5064	5728	mhxcfv.exe	94
PID 5728 wrote to memory of 5064	5728	mhxcfv.exe	94
PID 5728 wrote to memory of 5064	5728	mhxcfv.exe	94
PID 5728 wrote to memory of 5064	5728	mhxcfv.exe	94
PID 5728 wrote to memory of 5064	5728	mhxcfv.exe	94
PID 5728 wrote to memory of 5064	5728	mhxcfv.exe	94
PID 5728 wrote to memory of 5064	5728	mhxcfv.exe	94
PID 5728 wrote to memory of 5064	5728	mhxcfv.exe	94
PID 5728 wrote to memory of 5064	5728	mhxcfv.exe	94
PID 5064 wrote to memory of 4964	5064	mhxcfv.exe	95
PID 5064 wrote to memory of 4964	5064	mhxcfv.exe	95
PID 5064 wrote to memory of 4964	5064	mhxcfv.exe	95
PID 4964 wrote to memory of 4972	4964	rfeizq.exe	96
PID 4964 wrote to memory of 4972	4964	rfeizq.exe	96
PID 4964 wrote to memory of 4972	4964	rfeizq.exe	96
PID 4964 wrote to memory of 4972	4964	rfeizq.exe	96
PID 4964 wrote to memory of 4972	4964	rfeizq.exe	96
PID 4964 wrote to memory of 4972	4964	rfeizq.exe	96
PID 4964 wrote to memory of 4972	4964	rfeizq.exe	96
PID 4964 wrote to memory of 4972	4964	rfeizq.exe	96
PID 4964 wrote to memory of 4972	4964	rfeizq.exe	96
PID 4972 wrote to memory of 5436	4972	rfeizq.exe	97
PID 4972 wrote to memory of 5436	4972	rfeizq.exe	97
PID 4972 wrote to memory of 5436	4972	rfeizq.exe	97
PID 5436 wrote to memory of 3676	5436	wojinl.exe	98
PID 5436 wrote to memory of 3676	5436	wojinl.exe	98
PID 5436 wrote to memory of 3676	5436	wojinl.exe	98
PID 5436 wrote to memory of 3676	5436	wojinl.exe	98
PID 5436 wrote to memory of 3676	5436	wojinl.exe	98
PID 5436 wrote to memory of 3676	5436	wojinl.exe	98
PID 5436 wrote to memory of 3676	5436	wojinl.exe	98
PID 5436 wrote to memory of 3676	5436	wojinl.exe	98
PID 5436 wrote to memory of 3676	5436	wojinl.exe	98
PID 3676 wrote to memory of 2752	3676	wojinl.exe	99
PID 3676 wrote to memory of 2752	3676	wojinl.exe	99
PID 3676 wrote to memory of 2752	3676	wojinl.exe	99
PID 2752 wrote to memory of 2620	2752	rcbetd.exe	100
PID 2752 wrote to memory of 2620	2752	rcbetd.exe	100
PID 2752 wrote to memory of 2620	2752	rcbetd.exe	100
PID 2752 wrote to memory of 2620	2752	rcbetd.exe	100

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\mdbmdw.exe
    C:\Windows\system32\mdbmdw.exe 1112 "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\mdbmdw.exe
      C:\Windows\system32\mdbmdw.exe 1112 "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b99a3c504fb3494c81eca16099aec5ab.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5112
    - - C:\Windows\SysWOW64\mhxcfv.exe
        
        C:\Windows\system32\mhxcfv.exe 1012 "C:\Windows\SysWOW64\mdbmdw.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5728
      - C:\Windows\SysWOW64\mhxcfv.exe
        
        C:\Windows\system32\mhxcfv.exe 1012 "C:\Windows\SysWOW64\mdbmdw.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\rfeizq.exe
        
        C:\Windows\system32\rfeizq.exe 992 "C:\Windows\SysWOW64\mhxcfv.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\rfeizq.exe
        
        C:\Windows\system32\rfeizq.exe 992 "C:\Windows\SysWOW64\mhxcfv.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\SysWOW64\wojinl.exe
        
        C:\Windows\system32\wojinl.exe 988 "C:\Windows\SysWOW64\rfeizq.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5436
        
        C:\Windows\SysWOW64\wojinl.exe
        
        C:\Windows\system32\wojinl.exe 988 "C:\Windows\SysWOW64\rfeizq.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\rcbetd.exe
        
        C:\Windows\system32\rcbetd.exe 1120 "C:\Windows\SysWOW64\wojinl.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\rcbetd.exe
        
        C:\Windows\system32\rcbetd.exe 1120 "C:\Windows\SysWOW64\wojinl.exe"
        12⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\etfehx.exe
        
        C:\Windows\system32\etfehx.exe 988 "C:\Windows\SysWOW64\rcbetd.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\etfehx.exe
        
        C:\Windows\system32\etfehx.exe 988 "C:\Windows\SysWOW64\rcbetd.exe"
        14⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\teexeg.exe
        
        C:\Windows\system32\teexeg.exe 1012 "C:\Windows\SysWOW64\etfehx.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5772
        
        C:\Windows\SysWOW64\teexeg.exe
        
        C:\Windows\system32\teexeg.exe 1012 "C:\Windows\SysWOW64\etfehx.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5908
        
        C:\Windows\SysWOW64\ohssih.exe
        
        C:\Windows\system32\ohssih.exe 1136 "C:\Windows\SysWOW64\teexeg.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2096
        
        C:\Windows\SysWOW64\ohssih.exe
        
        C:\Windows\system32\ohssih.exe 1136 "C:\Windows\SysWOW64\teexeg.exe"
        18⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\bvmfbx.exe
        
        C:\Windows\system32\bvmfbx.exe 1000 "C:\Windows\SysWOW64\ohssih.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5212
        
        C:\Windows\SysWOW64\bvmfbx.exe
        
        C:\Windows\system32\bvmfbx.exe 1000 "C:\Windows\SysWOW64\ohssih.exe"
        20⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Windows\SysWOW64\tuyimk.exe
        
        C:\Windows\system32\tuyimk.exe 1012 "C:\Windows\SysWOW64\bvmfbx.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4552
        
        C:\Windows\SysWOW64\tuyimk.exe
        
        C:\Windows\system32\tuyimk.exe 1012 "C:\Windows\SysWOW64\bvmfbx.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\gldjam.exe
        
        C:\Windows\system32\gldjam.exe 1012 "C:\Windows\SysWOW64\tuyimk.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3260
        
        C:\Windows\SysWOW64\gldjam.exe
        
        C:\Windows\system32\gldjam.exe 1012 "C:\Windows\SysWOW64\tuyimk.exe"
        24⤵
        Executes dropped EXE
        
        PID:2320
        
        C:\Windows\SysWOW64\bkurpk.exe
        
        C:\Windows\system32\bkurpk.exe 1124 "C:\Windows\SysWOW64\gldjam.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2324
        
        C:\Windows\SysWOW64\bkurpk.exe
        
        C:\Windows\system32\bkurpk.exe 1124 "C:\Windows\SysWOW64\gldjam.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\oxnfai.exe
        
        C:\Windows\system32\oxnfai.exe 988 "C:\Windows\SysWOW64\bkurpk.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3164
        
        C:\Windows\SysWOW64\oxnfai.exe
        
        C:\Windows\system32\oxnfai.exe 988 "C:\Windows\SysWOW64\bkurpk.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\ecyxsh.exe
        
        C:\Windows\system32\ecyxsh.exe 1012 "C:\Windows\SysWOW64\oxnfai.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\ecyxsh.exe
        
        C:\Windows\system32\ecyxsh.exe 1012 "C:\Windows\SysWOW64\oxnfai.exe"
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4364
        
        C:\Windows\SysWOW64\gumtib.exe
        
        C:\Windows\system32\gumtib.exe 1000 "C:\Windows\SysWOW64\ecyxsh.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\Windows\SysWOW64\gumtib.exe
        
        C:\Windows\system32\gumtib.exe 1000 "C:\Windows\SysWOW64\ecyxsh.exe"
        32⤵
        Executes dropped EXE
        
        PID:4144
        
        C:\Windows\SysWOW64\vchqce.exe
        
        C:\Windows\system32\vchqce.exe 1052 "C:\Windows\SysWOW64\gumtib.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1668
        
        C:\Windows\SysWOW64\vchqce.exe
        
        C:\Windows\system32\vchqce.exe 1052 "C:\Windows\SysWOW64\gumtib.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Windows\SysWOW64\ipbmnv.exe
        
        C:\Windows\system32\ipbmnv.exe 1012 "C:\Windows\SysWOW64\vchqce.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3724
        
        C:\Windows\SysWOW64\ipbmnv.exe
        
        C:\Windows\system32\ipbmnv.exe 1012 "C:\Windows\SysWOW64\vchqce.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\bpnpyi.exe
        
        C:\Windows\system32\bpnpyi.exe 1012 "C:\Windows\SysWOW64\ipbmnv.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:100
        
        C:\Windows\SysWOW64\bpnpyi.exe
        
        C:\Windows\system32\bpnpyi.exe 1012 "C:\Windows\SysWOW64\ipbmnv.exe"
        38⤵
        Executes dropped EXE
        
        PID:3088
        
        C:\Windows\SysWOW64\tscflz.exe
        
        C:\Windows\system32\tscflz.exe 1120 "C:\Windows\SysWOW64\bpnpyi.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2052
        
        C:\Windows\SysWOW64\tscflz.exe
        
        C:\Windows\system32\tscflz.exe 1120 "C:\Windows\SysWOW64\bpnpyi.exe"
        40⤵
        Executes dropped EXE
        
        PID:5568
        
        C:\Windows\SysWOW64\ggwsxy.exe
        
        C:\Windows\system32\ggwsxy.exe 1120 "C:\Windows\SysWOW64\tscflz.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4840
        
        C:\Windows\SysWOW64\ggwsxy.exe
        
        C:\Windows\system32\ggwsxy.exe 1120 "C:\Windows\SysWOW64\tscflz.exe"
        42⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Windows\SysWOW64\txbtts.exe
        
        C:\Windows\system32\txbtts.exe 988 "C:\Windows\SysWOW64\ggwsxy.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3508
        
        C:\Windows\SysWOW64\txbtts.exe
        
        C:\Windows\system32\txbtts.exe 988 "C:\Windows\SysWOW64\ggwsxy.exe"
        44⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\lxneef.exe
        
        C:\Windows\system32\lxneef.exe 1012 "C:\Windows\SysWOW64\txbtts.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\lxneef.exe
        
        C:\Windows\system32\lxneef.exe 1012 "C:\Windows\SysWOW64\txbtts.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2708
        
        C:\Windows\SysWOW64\dxzhot.exe
        
        C:\Windows\system32\dxzhot.exe 996 "C:\Windows\SysWOW64\lxneef.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\dxzhot.exe
        
        C:\Windows\system32\dxzhot.exe 996 "C:\Windows\SysWOW64\lxneef.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\tfunbw.exe
        
        C:\Windows\system32\tfunbw.exe 988 "C:\Windows\SysWOW64\dxzhot.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5508
        
        C:\Windows\SysWOW64\tfunbw.exe
        
        C:\Windows\system32\tfunbw.exe 988 "C:\Windows\SysWOW64\dxzhot.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\dqkdoo.exe
        
        C:\Windows\system32\dqkdoo.exe 1068 "C:\Windows\SysWOW64\tfunbw.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2268
        
        C:\Windows\SysWOW64\dqkdoo.exe
        
        C:\Windows\system32\dqkdoo.exe 1068 "C:\Windows\SysWOW64\tfunbw.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5544
        
        C:\Windows\SysWOW64\sguagb.exe
        
        C:\Windows\system32\sguagb.exe 1000 "C:\Windows\SysWOW64\dqkdoo.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\sguagb.exe
        
        C:\Windows\system32\sguagb.exe 1000 "C:\Windows\SysWOW64\dqkdoo.exe"
        54⤵
        Executes dropped EXE
        
        PID:5960
        
        C:\Windows\SysWOW64\niivsu.exe
        
        C:\Windows\system32\niivsu.exe 1120 "C:\Windows\SysWOW64\sguagb.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5804
        
        C:\Windows\SysWOW64\niivsu.exe
        
        C:\Windows\system32\niivsu.exe 1120 "C:\Windows\SysWOW64\sguagb.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\gxjtac.exe
        
        C:\Windows\system32\gxjtac.exe 1008 "C:\Windows\SysWOW64\niivsu.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\gxjtac.exe
        
        C:\Windows\system32\gxjtac.exe 1008 "C:\Windows\SysWOW64\niivsu.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\yiyjnu.exe
        
        C:\Windows\system32\yiyjnu.exe 1124 "C:\Windows\SysWOW64\gxjtac.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5100
        
        C:\Windows\SysWOW64\yiyjnu.exe
        
        C:\Windows\system32\yiyjnu.exe 1124 "C:\Windows\SysWOW64\gxjtac.exe"
        60⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Windows\SysWOW64\nufucc.exe
        
        C:\Windows\system32\nufucc.exe 988 "C:\Windows\SysWOW64\yiyjnu.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4328
        
        C:\Windows\SysWOW64\nufucc.exe
        
        C:\Windows\system32\nufucc.exe 988 "C:\Windows\SysWOW64\yiyjnu.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\fujxnp.exe
        
        C:\Windows\system32\fujxnp.exe 1000 "C:\Windows\SysWOW64\nufucc.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\fujxnp.exe
        
        C:\Windows\system32\fujxnp.exe 1000 "C:\Windows\SysWOW64\nufucc.exe"
        64⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\yfgvah.exe
        
        C:\Windows\system32\yfgvah.exe 1120 "C:\Windows\SysWOW64\fujxnp.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\yfgvah.exe
        
        C:\Windows\system32\yfgvah.exe 1120 "C:\Windows\SysWOW64\fujxnp.exe"
        66⤵
        Executes dropped EXE
        
        PID:3444
        
        C:\Windows\SysWOW64\nrfgxp.exe
        
        C:\Windows\system32\nrfgxp.exe 1060 "C:\Windows\SysWOW64\yfgvah.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:5360
        
        C:\Windows\SysWOW64\nrfgxp.exe
        
        C:\Windows\system32\nrfgxp.exe 1060 "C:\Windows\SysWOW64\yfgvah.exe"
        68⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\frrjic.exe
        
        C:\Windows\system32\frrjic.exe 1008 "C:\Windows\SysWOW64\nrfgxp.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:2364
        
        C:\Windows\SysWOW64\frrjic.exe
        
        C:\Windows\system32\frrjic.exe 1008 "C:\Windows\SysWOW64\nrfgxp.exe"
        70⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\nznpug.exe
        
        C:\Windows\system32\nznpug.exe 1120 "C:\Windows\SysWOW64\frrjic.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:4700
        
        C:\Windows\SysWOW64\nznpug.exe
        
        C:\Windows\system32\nznpug.exe 1120 "C:\Windows\SysWOW64\frrjic.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\fvoncp.exe
        
        C:\Windows\system32\fvoncp.exe 1000 "C:\Windows\SysWOW64\nznpug.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:1692
        
        C:\Windows\SysWOW64\fvoncp.exe
        
        C:\Windows\system32\fvoncp.exe 1000 "C:\Windows\SysWOW64\nznpug.exe"
        74⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\xyddqh.exe
        
        C:\Windows\system32\xyddqh.exe 1000 "C:\Windows\SysWOW64\fvoncp.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:2632
        
        C:\Windows\SysWOW64\xyddqh.exe
        
        C:\Windows\system32\xyddqh.exe 1000 "C:\Windows\SysWOW64\fvoncp.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5888
        
        C:\Windows\SysWOW64\nwvait.exe
        
        C:\Windows\system32\nwvait.exe 1120 "C:\Windows\SysWOW64\xyddqh.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:3612
        
        C:\Windows\SysWOW64\nwvait.exe
        
        C:\Windows\system32\nwvait.exe 1120 "C:\Windows\SysWOW64\xyddqh.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\fswyqc.exe
        
        C:\Windows\system32\fswyqc.exe 988 "C:\Windows\SysWOW64\nwvait.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:1540
        
        C:\Windows\SysWOW64\fswyqc.exe
        
        C:\Windows\system32\fswyqc.exe 988 "C:\Windows\SysWOW64\nwvait.exe"
        80⤵
        Drops file in System32 directory
        
        PID:5620
        
        C:\Windows\SysWOW64\xvlodm.exe
        
        C:\Windows\system32\xvlodm.exe 1120 "C:\Windows\SysWOW64\fswyqc.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:5440
        
        C:\Windows\SysWOW64\xvlodm.exe
        
        C:\Windows\system32\xvlodm.exe 1120 "C:\Windows\SysWOW64\fswyqc.exe"
        82⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\phjeqd.exe
        
        C:\Windows\system32\phjeqd.exe 1128 "C:\Windows\SysWOW64\xvlodm.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:2576
        
        C:\Windows\SysWOW64\phjeqd.exe
        
        C:\Windows\system32\phjeqd.exe 1128 "C:\Windows\SysWOW64\xvlodm.exe"
        84⤵
        Drops file in System32 directory
        
        PID:6088
        
        C:\Windows\SysWOW64\ihnhbr.exe
        
        C:\Windows\system32\ihnhbr.exe 992 "C:\Windows\SysWOW64\phjeqd.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:4672
        
        C:\Windows\SysWOW64\ihnhbr.exe
        
        C:\Windows\system32\ihnhbr.exe 992 "C:\Windows\SysWOW64\phjeqd.exe"
        86⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\SysWOW64\agzsme.exe
        
        C:\Windows\system32\agzsme.exe 1012 "C:\Windows\SysWOW64\ihnhbr.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:412
        
        C:\Windows\SysWOW64\agzsme.exe
        
        C:\Windows\system32\agzsme.exe 1012 "C:\Windows\SysWOW64\ihnhbr.exe"
        88⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\qpuyyi.exe
        
        C:\Windows\system32\qpuyyi.exe 1120 "C:\Windows\SysWOW64\agzsme.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:1340
        
        C:\Windows\SysWOW64\qpuyyi.exe
        
        C:\Windows\system32\qpuyyi.exe 1120 "C:\Windows\SysWOW64\agzsme.exe"
        90⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5256
        
        C:\Windows\SysWOW64\askolz.exe
        
        C:\Windows\system32\askolz.exe 1008 "C:\Windows\SysWOW64\qpuyyi.exe"
        91⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\askolz.exe
        
        C:\Windows\system32\askolz.exe 1008 "C:\Windows\SysWOW64\qpuyyi.exe"
        92⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\ppcmlm.exe
        
        C:\Windows\system32\ppcmlm.exe 1008 "C:\Windows\SysWOW64\askolz.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:6052
        
        C:\Windows\SysWOW64\ppcmlm.exe
        
        C:\Windows\system32\ppcmlm.exe 1008 "C:\Windows\SysWOW64\askolz.exe"
        94⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\hpgpwz.exe
        
        C:\Windows\system32\hpgpwz.exe 1000 "C:\Windows\SysWOW64\ppcmlm.exe"
        95⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\hpgpwz.exe
        
        C:\Windows\system32\hpgpwz.exe 1000 "C:\Windows\SysWOW64\ppcmlm.exe"
        96⤵
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\zsdfkr.exe
        
        C:\Windows\system32\zsdfkr.exe 1052 "C:\Windows\SysWOW64\hpgpwz.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:6136
        
        C:\Windows\SysWOW64\zsdfkr.exe
        
        C:\Windows\system32\zsdfkr.exe 1052 "C:\Windows\SysWOW64\hpgpwz.exe"
        98⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\ssique.exe
        
        C:\Windows\system32\ssique.exe 1000 "C:\Windows\SysWOW64\zsdfkr.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:1752
        
        C:\Windows\SysWOW64\ssique.exe
        
        C:\Windows\system32\ssique.exe 1000 "C:\Windows\SysWOW64\zsdfkr.exe"
        100⤵
        Drops file in System32 directory
        
        PID:2212
        
        C:\Windows\SysWOW64\kefgio.exe
        
        C:\Windows\system32\kefgio.exe 988 "C:\Windows\SysWOW64\ssique.exe"
        101⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\kefgio.exe
        
        C:\Windows\system32\kefgio.exe 988 "C:\Windows\SysWOW64\ssique.exe"
        102⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cdrjsb.exe
        
        C:\Windows\system32\cdrjsb.exe 988 "C:\Windows\SysWOW64\kefgio.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:4688
        
        C:\Windows\SysWOW64\cdrjsb.exe
        
        C:\Windows\system32\cdrjsb.exe 988 "C:\Windows\SysWOW64\kefgio.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1464
        
        C:\Windows\SysWOW64\uhhhgs.exe
        
        C:\Windows\system32\uhhhgs.exe 1000 "C:\Windows\SysWOW64\cdrjsb.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:5584
        
        C:\Windows\SysWOW64\uhhhgs.exe
        
        C:\Windows\system32\uhhhgs.exe 1000 "C:\Windows\SysWOW64\cdrjsb.exe"
        106⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\kpcfsw.exe
        
        C:\Windows\system32\kpcfsw.exe 996 "C:\Windows\SysWOW64\uhhhgs.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:1208
        
        C:\Windows\SysWOW64\kpcfsw.exe
        
        C:\Windows\system32\kpcfsw.exe 996 "C:\Windows\SysWOW64\uhhhgs.exe"
        108⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\zjjxhe.exe
        
        C:\Windows\system32\zjjxhe.exe 1000 "C:\Windows\SysWOW64\kpcfsw.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:3292
        
        C:\Windows\SysWOW64\zjjxhe.exe
        
        C:\Windows\system32\zjjxhe.exe 1000 "C:\Windows\SysWOW64\kpcfsw.exe"
        110⤵
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\rjnass.exe
        
        C:\Windows\system32\rjnass.exe 988 "C:\Windows\SysWOW64\zjjxhe.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:4728
        
        C:\Windows\SysWOW64\rjnass.exe
        
        C:\Windows\system32\rjnass.exe 988 "C:\Windows\SysWOW64\zjjxhe.exe"
        112⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\edbwdt.exe
        
        C:\Windows\system32\edbwdt.exe 1016 "C:\Windows\SysWOW64\rjnass.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:5032
        
        C:\Windows\SysWOW64\edbwdt.exe
        
        C:\Windows\system32\edbwdt.exe 1016 "C:\Windows\SysWOW64\rjnass.exe"
        114⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\uxagtb.exe
        
        C:\Windows\system32\uxagtb.exe 988 "C:\Windows\SysWOW64\edbwdt.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:1608
        
        C:\Windows\SysWOW64\uxagtb.exe
        
        C:\Windows\system32\uxagtb.exe 988 "C:\Windows\SysWOW64\edbwdt.exe"
        116⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\mmbeak.exe
        
        C:\Windows\system32\mmbeak.exe 1008 "C:\Windows\SysWOW64\uxagtb.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:5076
        
        C:\Windows\SysWOW64\mmbeak.exe
        
        C:\Windows\system32\mmbeak.exe 1008 "C:\Windows\SysWOW64\uxagtb.exe"
        118⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\ftnhlx.exe
        
        C:\Windows\system32\ftnhlx.exe 992 "C:\Windows\SysWOW64\mmbeak.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:3544
        
        C:\Windows\SysWOW64\ftnhlx.exe
        
        C:\Windows\system32\ftnhlx.exe 992 "C:\Windows\SysWOW64\mmbeak.exe"
        120⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\ujxndj.exe
        
        C:\Windows\system32\ujxndj.exe 1012 "C:\Windows\SysWOW64\ftnhlx.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:2304
        
        C:\Windows\SysWOW64\ujxndj.exe
        
        C:\Windows\system32\ujxndj.exe 1012 "C:\Windows\SysWOW64\ftnhlx.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:3432
        
        C:\Windows\SysWOW64\ollapc.exe
        
        C:\Windows\system32\ollapc.exe 1008 "C:\Windows\SysWOW64\ujxndj.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:1032
        
        C:\Windows\SysWOW64\ollapc.exe
        
        C:\Windows\system32\ollapc.exe 1008 "C:\Windows\SysWOW64\ujxndj.exe"
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\hlplzq.exe
        
        C:\Windows\system32\hlplzq.exe 996 "C:\Windows\SysWOW64\ollapc.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:4756
        
        C:\Windows\SysWOW64\hlplzq.exe
        
        C:\Windows\system32\hlplzq.exe 996 "C:\Windows\SysWOW64\ollapc.exe"
        126⤵
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\zombnh.exe
        
        C:\Windows\system32\zombnh.exe 988 "C:\Windows\SysWOW64\hlplzq.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:2172
        
        C:\Windows\SysWOW64\zombnh.exe
        
        C:\Windows\system32\zombnh.exe 988 "C:\Windows\SysWOW64\hlplzq.exe"
        128⤵
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\roqexu.exe
        
        C:\Windows\system32\roqexu.exe 1120 "C:\Windows\SysWOW64\zombnh.exe"
        129⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\roqexu.exe
        
        C:\Windows\system32\roqexu.exe 1120 "C:\Windows\SysWOW64\zombnh.exe"
        130⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\jdzhoi.exe
        
        C:\Windows\system32\jdzhoi.exe 1000 "C:\Windows\SysWOW64\roqexu.exe"
        131⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\jdzhoi.exe
        
        C:\Windows\system32\jdzhoi.exe 1000 "C:\Windows\SysWOW64\roqexu.exe"
        132⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\wuuywf.exe
        
        C:\Windows\system32\wuuywf.exe 988 "C:\Windows\SysWOW64\jdzhoi.exe"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\wuuywf.exe
        
        C:\Windows\system32\wuuywf.exe 988 "C:\Windows\SysWOW64\jdzhoi.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\pugbhs.exe
        
        C:\Windows\system32\pugbhs.exe 1000 "C:\Windows\SysWOW64\wuuywf.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Windows\SysWOW64\pugbhs.exe
        
        C:\Windows\system32\pugbhs.exe 1000 "C:\Windows\SysWOW64\wuuywf.exe"
        136⤵
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\gjhexo.exe
        
        C:\Windows\system32\gjhexo.exe 1132 "C:\Windows\SysWOW64\pugbhs.exe"
        137⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\gjhexo.exe
        
        C:\Windows\system32\gjhexo.exe 1132 "C:\Windows\SysWOW64\pugbhs.exe"
        138⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\wrcbks.exe
        
        C:\Windows\system32\wrcbks.exe 956 "C:\Windows\SysWOW64\gjhexo.exe"
        139⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\wrcbks.exe
        
        C:\Windows\system32\wrcbks.exe 956 "C:\Windows\SysWOW64\gjhexo.exe"
        140⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\Windows\SysWOW64\ldjuza.exe
        
        C:\Windows\system32\ldjuza.exe 1140 "C:\Windows\SysWOW64\wrcbks.exe"
        141⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\ldjuza.exe
        
        C:\Windows\system32\ldjuza.exe 1140 "C:\Windows\SysWOW64\wrcbks.exe"
        142⤵
        
        PID:924
        
        C:\Windows\SysWOW64\blwate.exe
        
        C:\Windows\system32\blwate.exe 1000 "C:\Windows\SysWOW64\ldjuza.exe"
        143⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\blwate.exe
        
        C:\Windows\system32\blwate.exe 1000 "C:\Windows\SysWOW64\ldjuza.exe"
        144⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\tljder.exe
        
        C:\Windows\system32\tljder.exe 1128 "C:\Windows\SysWOW64\blwate.exe"
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\tljder.exe
        
        C:\Windows\system32\tljder.exe 1128 "C:\Windows\SysWOW64\blwate.exe"
        146⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\lxgtrj.exe
        
        C:\Windows\system32\lxgtrj.exe 1128 "C:\Windows\SysWOW64\tljder.exe"
        147⤵
        
        PID:388
        
        C:\Windows\SysWOW64\lxgtrj.exe
        
        C:\Windows\system32\lxgtrj.exe 1128 "C:\Windows\SysWOW64\tljder.exe"
        148⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\ewkecw.exe
        
        C:\Windows\system32\ewkecw.exe 988 "C:\Windows\SysWOW64\lxgtrj.exe"
        149⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\ewkecw.exe
        
        C:\Windows\system32\ewkecw.exe 988 "C:\Windows\SysWOW64\lxgtrj.exe"
        150⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\zonmdl.exe
        
        C:\Windows\system32\zonmdl.exe 988 "C:\Windows\SysWOW64\ewkecw.exe"
        151⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\zonmdl.exe
        
        C:\Windows\system32\zonmdl.exe 988 "C:\Windows\SysWOW64\ewkecw.exe"
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\olxkdx.exe
        
        C:\Windows\system32\olxkdx.exe 1120 "C:\Windows\SysWOW64\zonmdl.exe"
        153⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\olxkdx.exe
        
        C:\Windows\system32\olxkdx.exe 1120 "C:\Windows\SysWOW64\zonmdl.exe"
        154⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\youaqp.exe
        
        C:\Windows\system32\youaqp.exe 988 "C:\Windows\SysWOW64\olxkdx.exe"
        155⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\youaqp.exe
        
        C:\Windows\system32\youaqp.exe 988 "C:\Windows\SysWOW64\olxkdx.exe"
        156⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\oxifdt.exe
        
        C:\Windows\system32\oxifdt.exe 1000 "C:\Windows\SysWOW64\youaqp.exe"
        157⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\oxifdt.exe
        
        C:\Windows\system32\oxifdt.exe 1000 "C:\Windows\SysWOW64\youaqp.exe"
        158⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\jkzbjl.exe
        
        C:\Windows\system32\jkzbjl.exe 1128 "C:\Windows\SysWOW64\oxifdt.exe"
        159⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\jkzbjl.exe
        
        C:\Windows\system32\jkzbjl.exe 1128 "C:\Windows\SysWOW64\oxifdt.exe"
        160⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\bwxrwd.exe
        
        C:\Windows\system32\bwxrwd.exe 1012 "C:\Windows\SysWOW64\jkzbjl.exe"
        161⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\bwxrwd.exe
        
        C:\Windows\system32\bwxrwd.exe 1012 "C:\Windows\SysWOW64\jkzbjl.exe"
        162⤵
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\SysWOW64\qlhoop.exe
        
        C:\Windows\system32\qlhoop.exe 1000 "C:\Windows\SysWOW64\bwxrwd.exe"
        163⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\qlhoop.exe
        
        C:\Windows\system32\qlhoop.exe 1000 "C:\Windows\SysWOW64\bwxrwd.exe"
        164⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\iltzzu.exe
        
        C:\Windows\system32\iltzzu.exe 1012 "C:\Windows\SysWOW64\qlhoop.exe"
        165⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\iltzzu.exe
        
        C:\Windows\system32\iltzzu.exe 1012 "C:\Windows\SysWOW64\qlhoop.exe"
        166⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\bwipmm.exe
        
        C:\Windows\system32\bwipmm.exe 1124 "C:\Windows\SysWOW64\iltzzu.exe"
        167⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\bwipmm.exe
        
        C:\Windows\system32\bwipmm.exe 1124 "C:\Windows\SysWOW64\iltzzu.exe"
        168⤵
        Drops file in System32 directory
        
        PID:4664
        
        C:\Windows\SysWOW64\wnlyvj.exe
        
        C:\Windows\system32\wnlyvj.exe 1000 "C:\Windows\SysWOW64\bwipmm.exe"
        169⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\wnlyvj.exe
        
        C:\Windows\system32\wnlyvj.exe 1000 "C:\Windows\SysWOW64\bwipmm.exe"
        170⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\onxjgw.exe
        
        C:\Windows\system32\onxjgw.exe 1000 "C:\Windows\SysWOW64\wnlyvj.exe"
        171⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\onxjgw.exe
        
        C:\Windows\system32\onxjgw.exe 1000 "C:\Windows\SysWOW64\wnlyvj.exe"
        172⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\ixswxx.exe
        
        C:\Windows\system32\ixswxx.exe 1128 "C:\Windows\SysWOW64\onxjgw.exe"
        173⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\ixswxx.exe
        
        C:\Windows\system32\ixswxx.exe 1128 "C:\Windows\SysWOW64\onxjgw.exe"
        174⤵
        Drops file in System32 directory
        
        PID:3496
        
        C:\Windows\SysWOW64\sipmkp.exe
        
        C:\Windows\system32\sipmkp.exe 1000 "C:\Windows\SysWOW64\ixswxx.exe"
        175⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\sipmkp.exe
        
        C:\Windows\system32\sipmkp.exe 1000 "C:\Windows\SysWOW64\ixswxx.exe"
        176⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\ndvhoi.exe
        
        C:\Windows\system32\ndvhoi.exe 1000 "C:\Windows\SysWOW64\sipmkp.exe"
        177⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\ndvhoi.exe
        
        C:\Windows\system32\ndvhoi.exe 1000 "C:\Windows\SysWOW64\sipmkp.exe"
        178⤵
        Drops file in System32 directory
        
        PID:2648
        
        C:\Windows\SysWOW64\icypxf.exe
        
        C:\Windows\system32\icypxf.exe 1128 "C:\Windows\SysWOW64\ndvhoi.exe"
        179⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\icypxf.exe
        
        C:\Windows\system32\icypxf.exe 1128 "C:\Windows\SysWOW64\ndvhoi.exe"
        180⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\yrinpr.exe
        
        C:\Windows\system32\yrinpr.exe 1000 "C:\Windows\SysWOW64\icypxf.exe"
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:5300
        
        C:\Windows\SysWOW64\yrinpr.exe
        
        C:\Windows\system32\yrinpr.exe 1000 "C:\Windows\SysWOW64\icypxf.exe"
        182⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\tildxo.exe
        
        C:\Windows\system32\tildxo.exe 1000 "C:\Windows\SysWOW64\yrinpr.exe"
        183⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\tildxo.exe
        
        C:\Windows\system32\tildxo.exe 1000 "C:\Windows\SysWOW64\yrinpr.exe"
        184⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\kxmyoc.exe
        
        C:\Windows\system32\kxmyoc.exe 988 "C:\Windows\SysWOW64\tildxo.exe"
        185⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\kxmyoc.exe
        
        C:\Windows\system32\kxmyoc.exe 988 "C:\Windows\SysWOW64\tildxo.exe"
        186⤵
        Drops file in System32 directory
        
        PID:4528
        
        C:\Windows\SysWOW64\irizxm.exe
        
        C:\Windows\system32\irizxm.exe 1004 "C:\Windows\SysWOW64\kxmyoc.exe"
        187⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\irizxm.exe
        
        C:\Windows\system32\irizxm.exe 1004 "C:\Windows\SysWOW64\kxmyoc.exe"
        188⤵
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\dxahmj.exe
        
        C:\Windows\system32\dxahmj.exe 984 "C:\Windows\SysWOW64\irizxm.exe"
        189⤵
        
        PID:216
        
        C:\Windows\SysWOW64\dxahmj.exe
        
        C:\Windows\system32\dxahmj.exe 984 "C:\Windows\SysWOW64\irizxm.exe"
        190⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Windows\SysWOW64\ysocpc.exe
        
        C:\Windows\system32\ysocpc.exe 1008 "C:\Windows\SysWOW64\dxahmj.exe"
        191⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\ysocpc.exe
        
        C:\Windows\system32\ysocpc.exe 1008 "C:\Windows\SysWOW64\dxahmj.exe"
        192⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\tjjlyz.exe
        
        C:\Windows\system32\tjjlyz.exe 996 "C:\Windows\SysWOW64\ysocpc.exe"
        193⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\tjjlyz.exe
        
        C:\Windows\system32\tjjlyz.exe 996 "C:\Windows\SysWOW64\ysocpc.exe"
        194⤵
        Drops file in System32 directory
        
        PID:5016
        
        C:\Windows\SysWOW64\omxgka.exe
        
        C:\Windows\system32\omxgka.exe 1008 "C:\Windows\SysWOW64\tjjlyz.exe"
        195⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\omxgka.exe
        
        C:\Windows\system32\omxgka.exe 1008 "C:\Windows\SysWOW64\tjjlyz.exe"
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\xbxjao.exe
        
        C:\Windows\system32\xbxjao.exe 1020 "C:\Windows\SysWOW64\omxgka.exe"
        197⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\xbxjao.exe
        
        C:\Windows\system32\xbxjao.exe 1020 "C:\Windows\SysWOW64\omxgka.exe"
        198⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\qenzof.exe
        
        C:\Windows\system32\qenzof.exe 1000 "C:\Windows\SysWOW64\xbxjao.exe"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\qenzof.exe
        
        C:\Windows\system32\qenzof.exe 1000 "C:\Windows\SysWOW64\xbxjao.exe"
        200⤵
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\SysWOW64\kkehck.exe
        
        C:\Windows\system32\kkehck.exe 1120 "C:\Windows\SysWOW64\qenzof.exe"
        201⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\kkehck.exe
        
        C:\Windows\system32\kkehck.exe 1120 "C:\Windows\SysWOW64\qenzof.exe"
        202⤵
        
        PID:8
        
        C:\Windows\SysWOW64\fywdav.exe
        
        C:\Windows\system32\fywdav.exe 1000 "C:\Windows\SysWOW64\kkehck.exe"
        203⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\fywdav.exe
        
        C:\Windows\system32\fywdav.exe 1000 "C:\Windows\SysWOW64\kkehck.exe"
        204⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\xnwgqr.exe
        
        C:\Windows\system32\xnwgqr.exe 1120 "C:\Windows\SysWOW64\fywdav.exe"
        205⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\xnwgqr.exe
        
        C:\Windows\system32\xnwgqr.exe 1120 "C:\Windows\SysWOW64\fywdav.exe"
        206⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\sezozf.exe
        
        C:\Windows\system32\sezozf.exe 1128 "C:\Windows\SysWOW64\xnwgqr.exe"
        207⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\sezozf.exe
        
        C:\Windows\system32\sezozf.exe 1128 "C:\Windows\SysWOW64\xnwgqr.exe"
        208⤵
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\lhpemx.exe
        
        C:\Windows\system32\lhpemx.exe 1000 "C:\Windows\SysWOW64\sezozf.exe"
        209⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\lhpemx.exe
        
        C:\Windows\system32\lhpemx.exe 1000 "C:\Windows\SysWOW64\sezozf.exe"
        210⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\fnombc.exe
        
        C:\Windows\system32\fnombc.exe 1128 "C:\Windows\SysWOW64\lhpemx.exe"
        211⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\fnombc.exe
        
        C:\Windows\system32\fnombc.exe 1128 "C:\Windows\SysWOW64\lhpemx.exe"
        212⤵
        Drops file in System32 directory
        
        PID:5336
        
        C:\Windows\SysWOW64\aufupz.exe
        
        C:\Windows\system32\aufupz.exe 988 "C:\Windows\SysWOW64\fnombc.exe"
        213⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\aufupz.exe
        
        C:\Windows\system32\aufupz.exe 988 "C:\Windows\SysWOW64\fnombc.exe"
        214⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\xocnrc.exe
        
        C:\Windows\system32\xocnrc.exe 1120 "C:\Windows\SysWOW64\aufupz.exe"
        215⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\xocnrc.exe
        
        C:\Windows\system32\xocnrc.exe 1120 "C:\Windows\SysWOW64\aufupz.exe"
        216⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\qrsdet.exe
        
        C:\Windows\system32\qrsdet.exe 988 "C:\Windows\SysWOW64\xocnrc.exe"
        217⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\qrsdet.exe
        
        C:\Windows\system32\qrsdet.exe 988 "C:\Windows\SysWOW64\xocnrc.exe"
        218⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\acpbsl.exe
        
        C:\Windows\system32\acpbsl.exe 1028 "C:\Windows\SysWOW64\qrsdet.exe"
        219⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\acpbsl.exe
        
        C:\Windows\system32\acpbsl.exe 1028 "C:\Windows\SysWOW64\qrsdet.exe"
        220⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\sgerfc.exe
        
        C:\Windows\system32\sgerfc.exe 988 "C:\Windows\SysWOW64\acpbsl.exe"
        221⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\sgerfc.exe
        
        C:\Windows\system32\sgerfc.exe 988 "C:\Windows\SysWOW64\acpbsl.exe"
        222⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\nxhzor.exe
        
        C:\Windows\system32\nxhzor.exe 1000 "C:\Windows\SysWOW64\sgerfc.exe"
        223⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\nxhzor.exe
        
        C:\Windows\system32\nxhzor.exe 1000 "C:\Windows\SysWOW64\sgerfc.exe"
        224⤵
        Drops file in System32 directory
        
        PID:4924
        
        C:\Windows\SysWOW64\fixpcj.exe
        
        C:\Windows\system32\fixpcj.exe 1016 "C:\Windows\SysWOW64\nxhzor.exe"
        225⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\fixpcj.exe
        
        C:\Windows\system32\fixpcj.exe 1016 "C:\Windows\SysWOW64\nxhzor.exe"
        226⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\agoxqo.exe
        
        C:\Windows\system32\agoxqo.exe 1008 "C:\Windows\SysWOW64\fixpcj.exe"
        227⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\agoxqo.exe
        
        C:\Windows\system32\agoxqo.exe 1008 "C:\Windows\SysWOW64\fixpcj.exe"
        228⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\xatqaq.exe
        
        C:\Windows\system32\xatqaq.exe 1120 "C:\Windows\SysWOW64\agoxqo.exe"
        229⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\xatqaq.exe
        
        C:\Windows\system32\xatqaq.exe 1120 "C:\Windows\SysWOW64\agoxqo.exe"
        230⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\pmioni.exe
        
        C:\Windows\system32\pmioni.exe 1012 "C:\Windows\SysWOW64\xatqaq.exe"
        231⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\pmioni.exe
        
        C:\Windows\system32\pmioni.exe 1012 "C:\Windows\SysWOW64\xatqaq.exe"
        232⤵
        Drops file in System32 directory
        
        PID:5100
        
        C:\Windows\SysWOW64\hsjrdw.exe
        
        C:\Windows\system32\hsjrdw.exe 1128 "C:\Windows\SysWOW64\pmioni.exe"
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\hsjrdw.exe
        
        C:\Windows\system32\hsjrdw.exe 1128 "C:\Windows\SysWOW64\pmioni.exe"
        234⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\csmzes.exe
        
        C:\Windows\system32\csmzes.exe 1000 "C:\Windows\SysWOW64\hsjrdw.exe"
        235⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\csmzes.exe
        
        C:\Windows\system32\csmzes.exe 1000 "C:\Windows\SysWOW64\hsjrdw.exe"
        236⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\xmsuql.exe
        
        C:\Windows\system32\xmsuql.exe 1120 "C:\Windows\SysWOW64\csmzes.exe"
        237⤵
        
        PID:780
        
        C:\Windows\SysWOW64\xmsuql.exe
        
        C:\Windows\system32\xmsuql.exe 1120 "C:\Windows\SysWOW64\csmzes.exe"
        238⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\hbsxgh.exe
        
        C:\Windows\system32\hbsxgh.exe 1000 "C:\Windows\SysWOW64\xmsuql.exe"
        239⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\hbsxgh.exe
        
        C:\Windows\system32\hbsxgh.exe 1000 "C:\Windows\SysWOW64\xmsuql.exe"
        240⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\zbfaru.exe
        
        C:\Windows\system32\zbfaru.exe 1128 "C:\Windows\SysWOW64\hbsxgh.exe"
        241⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\zbfaru.exe
        
        C:\Windows\system32\zbfaru.exe 1128 "C:\Windows\SysWOW64\hbsxgh.exe"
        242⤵
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\rqfdhq.exe
        
        C:\Windows\system32\rqfdhq.exe 1000 "C:\Windows\SysWOW64\zbfaru.exe"
        243⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\rqfdhq.exe
        
        C:\Windows\system32\rqfdhq.exe 1000 "C:\Windows\SysWOW64\zbfaru.exe"
        244⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\mktztj.exe
        
        C:\Windows\system32\mktztj.exe 988 "C:\Windows\SysWOW64\rqfdhq.exe"
        245⤵
        
        PID:404
        
        C:\Windows\SysWOW64\mktztj.exe
        
        C:\Windows\system32\mktztj.exe 988 "C:\Windows\SysWOW64\rqfdhq.exe"
        246⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\hcohbg.exe
        
        C:\Windows\system32\hcohbg.exe 1120 "C:\Windows\SysWOW64\mktztj.exe"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\hcohbg.exe
        
        C:\Windows\system32\hcohbg.exe 1120 "C:\Windows\SysWOW64\mktztj.exe"
        248⤵
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\znlxpx.exe
        
        C:\Windows\system32\znlxpx.exe 992 "C:\Windows\SysWOW64\hcohbg.exe"
        249⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\znlxpx.exe
        
        C:\Windows\system32\znlxpx.exe 992 "C:\Windows\SysWOW64\hcohbg.exe"
        250⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\rcmafl.exe
        
        C:\Windows\system32\rcmafl.exe 1120 "C:\Windows\SysWOW64\znlxpx.exe"
        251⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\rcmafl.exe
        
        C:\Windows\system32\rcmafl.exe 1120 "C:\Windows\SysWOW64\znlxpx.exe"
        252⤵
        Drops file in System32 directory
        
        PID:5576
        
        C:\Windows\SysWOW64\pkyner.exe
        
        C:\Windows\system32\pkyner.exe 988 "C:\Windows\SysWOW64\rcmafl.exe"
        253⤵
        
        PID:564
        
        C:\Windows\SysWOW64\pkyner.exe
        
        C:\Windows\system32\pkyner.exe 988 "C:\Windows\SysWOW64\rcmafl.exe"
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\hzgquf.exe
        
        C:\Windows\system32\hzgquf.exe 1120 "C:\Windows\SysWOW64\pkyner.exe"
        255⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\hzgquf.exe
        
        C:\Windows\system32\hzgquf.exe 1120 "C:\Windows\SysWOW64\pkyner.exe"
        256⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cqbzdc.exe
        
        C:\Windows\system32\cqbzdc.exe 1008 "C:\Windows\SysWOW64\hzgquf.exe"
        257⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cqbzdc.exe
        
        C:\Windows\system32\cqbzdc.exe 1008 "C:\Windows\SysWOW64\hzgquf.exe"
        258⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\ufccty.exe
        
        C:\Windows\system32\ufccty.exe 992 "C:\Windows\SysWOW64\cqbzdc.exe"
        259⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\ufccty.exe
        
        C:\Windows\system32\ufccty.exe 992 "C:\Windows\SysWOW64\cqbzdc.exe"
        260⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\eizshp.exe
        
        C:\Windows\system32\eizshp.exe 1120 "C:\Windows\SysWOW64\ufccty.exe"
        261⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\eizshp.exe
        
        C:\Windows\system32\eizshp.exe 1120 "C:\Windows\SysWOW64\ufccty.exe"
        262⤵
        System Location Discovery: System Language Discovery
        
        PID:3688
        
        C:\Windows\SysWOW64\zzuape.exe
        
        C:\Windows\system32\zzuape.exe 1120 "C:\Windows\SysWOW64\eizshp.exe"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\zzuape.exe
        
        C:\Windows\system32\zzuape.exe 1120 "C:\Windows\SysWOW64\eizshp.exe"
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\ucivbf.exe
        
        C:\Windows\system32\ucivbf.exe 1000 "C:\Windows\SysWOW64\zzuape.exe"
        265⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\ucivbf.exe
        
        C:\Windows\system32\ucivbf.exe 1000 "C:\Windows\SysWOW64\zzuape.exe"
        266⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\raqjgl.exe
        
        C:\Windows\system32\raqjgl.exe 992 "C:\Windows\SysWOW64\ucivbf.exe"
        267⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\raqjgl.exe
        
        C:\Windows\system32\raqjgl.exe 992 "C:\Windows\SysWOW64\ucivbf.exe"
        268⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\mcwere.exe
        
        C:\Windows\system32\mcwere.exe 1120 "C:\Windows\SysWOW64\raqjgl.exe"
        269⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\mcwere.exe
        
        C:\Windows\system32\mcwere.exe 1120 "C:\Windows\SysWOW64\raqjgl.exe"
        270⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\ejxhia.exe
        
        C:\Windows\system32\ejxhia.exe 1120 "C:\Windows\SysWOW64\mcwere.exe"
        271⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\ejxhia.exe
        
        C:\Windows\system32\ejxhia.exe 1120 "C:\Windows\SysWOW64\mcwere.exe"
        272⤵
        Drops file in System32 directory
        
        PID:4784
        
        C:\Windows\SysWOW64\wuuxvs.exe
        
        C:\Windows\system32\wuuxvs.exe 1120 "C:\Windows\SysWOW64\ejxhia.exe"
        273⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\wuuxvs.exe
        
        C:\Windows\system32\wuuxvs.exe 1120 "C:\Windows\SysWOW64\ejxhia.exe"
        274⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\rmpfeg.exe
        
        C:\Windows\system32\rmpfeg.exe 1012 "C:\Windows\SysWOW64\wuuxvs.exe"
        275⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\rmpfeg.exe
        
        C:\Windows\system32\rmpfeg.exe 1012 "C:\Windows\SysWOW64\wuuxvs.exe"
        276⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\mgdaph.exe
        
        C:\Windows\system32\mgdaph.exe 1128 "C:\Windows\SysWOW64\rmpfeg.exe"
        277⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\mgdaph.exe
        
        C:\Windows\system32\mgdaph.exe 1128 "C:\Windows\SysWOW64\rmpfeg.exe"
        278⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\ezpiii.exe
        
        C:\Windows\system32\ezpiii.exe 1128 "C:\Windows\SysWOW64\mgdaph.exe"
        279⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\ezpiii.exe
        
        C:\Windows\system32\ezpiii.exe 1128 "C:\Windows\SysWOW64\mgdaph.exe"
        280⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\zykzjw.exe
        
        C:\Windows\system32\zykzjw.exe 1000 "C:\Windows\SysWOW64\ezpiii.exe"
        281⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\zykzjw.exe
        
        C:\Windows\system32\zykzjw.exe 1000 "C:\Windows\SysWOW64\ezpiii.exe"
        282⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\jbhpxo.exe
        
        C:\Windows\system32\jbhpxo.exe 1124 "C:\Windows\SysWOW64\zykzjw.exe"
        283⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\jbhpxo.exe
        
        C:\Windows\system32\jbhpxo.exe 1124 "C:\Windows\SysWOW64\zykzjw.exe"
        284⤵
        Drops file in System32 directory
        
        PID:3832
        
        C:\Windows\SysWOW64\bexfkf.exe
        
        C:\Windows\system32\bexfkf.exe 1000 "C:\Windows\SysWOW64\jbhpxo.exe"
        285⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\bexfkf.exe
        
        C:\Windows\system32\bexfkf.exe 1000 "C:\Windows\SysWOW64\jbhpxo.exe"
        286⤵
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\weantu.exe
        
        C:\Windows\system32\weantu.exe 992 "C:\Windows\SysWOW64\bexfkf.exe"
        287⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\weantu.exe
        
        C:\Windows\system32\weantu.exe 992 "C:\Windows\SysWOW64\bexfkf.exe"
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:4512
        
        C:\Windows\SysWOW64\okaqjq.exe
        
        C:\Windows\system32\okaqjq.exe 1000 "C:\Windows\SysWOW64\weantu.exe"
        289⤵
        
        PID:984
        
        C:\Windows\SysWOW64\okaqjq.exe
        
        C:\Windows\system32\okaqjq.exe 1000 "C:\Windows\SysWOW64\weantu.exe"
        290⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\gwqgwh.exe
        
        C:\Windows\system32\gwqgwh.exe 1008 "C:\Windows\SysWOW64\okaqjq.exe"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\gwqgwh.exe
        
        C:\Windows\system32\gwqgwh.exe 1008 "C:\Windows\SysWOW64\okaqjq.exe"
        292⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\yznwkz.exe
        
        C:\Windows\system32\yznwkz.exe 1052 "C:\Windows\SysWOW64\gwqgwh.exe"
        293⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\yznwkz.exe
        
        C:\Windows\system32\yznwkz.exe 1052 "C:\Windows\SysWOW64\gwqgwh.exe"
        294⤵
        Drops file in System32 directory
        
        PID:2572
        
        C:\Windows\SysWOW64\tyqmto.exe
        
        C:\Windows\system32\tyqmto.exe 988 "C:\Windows\SysWOW64\yznwkz.exe"
        295⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\tyqmto.exe
        
        C:\Windows\system32\tyqmto.exe 988 "C:\Windows\SysWOW64\yznwkz.exe"
        296⤵
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\lfrhjj.exe
        
        C:\Windows\system32\lfrhjj.exe 988 "C:\Windows\SysWOW64\tyqmto.exe"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
        
        C:\Windows\SysWOW64\lfrhjj.exe
        
        C:\Windows\system32\lfrhjj.exe 988 "C:\Windows\SysWOW64\tyqmto.exe"
        298⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\gixcvc.exe
        
        C:\Windows\system32\gixcvc.exe 1120 "C:\Windows\SysWOW64\lfrhjj.exe"
        299⤵
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\gixcvc.exe
        
        C:\Windows\system32\gixcvc.exe 1120 "C:\Windows\SysWOW64\lfrhjj.exe"
        300⤵
        Drops file in System32 directory
        
        PID:3664
        
        C:\Windows\SysWOW64\yluaiu.exe
        
        C:\Windows\system32\yluaiu.exe 988 "C:\Windows\SysWOW64\gixcvc.exe"
        301⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\yluaiu.exe
        
        C:\Windows\system32\yluaiu.exe 988 "C:\Windows\SysWOW64\gixcvc.exe"
        302⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Windows\SysWOW64\wcggha.exe
        
        C:\Windows\system32\wcggha.exe 1120 "C:\Windows\SysWOW64\yluaiu.exe"
        303⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\wcggha.exe
        
        C:\Windows\system32\wcggha.exe 1120 "C:\Windows\SysWOW64\yluaiu.exe"
        304⤵
        Drops file in System32 directory
        
        PID:1376
        
        C:\Windows\SysWOW64\jwmbtt.exe
        
        C:\Windows\system32\jwmbtt.exe 1004 "C:\Windows\SysWOW64\wcggha.exe"
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\jwmbtt.exe
        
        C:\Windows\system32\jwmbtt.exe 1004 "C:\Windows\SysWOW64\wcggha.exe"
        306⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\bhjzgk.exe
        
        C:\Windows\system32\bhjzgk.exe 1000 "C:\Windows\SysWOW64\jwmbtt.exe"
        307⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\SysWOW64\bhjzgk.exe
        
        C:\Windows\system32\bhjzgk.exe 1000 "C:\Windows\SysWOW64\jwmbtt.exe"
        308⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\tlzptc.exe
        
        C:\Windows\system32\tlzptc.exe 988 "C:\Windows\SysWOW64\bhjzgk.exe"
        309⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\tlzptc.exe
        
        C:\Windows\system32\tlzptc.exe 988 "C:\Windows\SysWOW64\bhjzgk.exe"
        310⤵
        
        PID:208
        
        C:\Windows\SysWOW64\lowfhm.exe
        
        C:\Windows\system32\lowfhm.exe 1000 "C:\Windows\SysWOW64\tlzptc.exe"
        311⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\lowfhm.exe
        
        C:\Windows\system32\lowfhm.exe 1000 "C:\Windows\SysWOW64\tlzptc.exe"
        312⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\ddxixi.exe
        
        C:\Windows\system32\ddxixi.exe 1016 "C:\Windows\SysWOW64\lowfhm.exe"
        313⤵
        System Location Discovery: System Language Discovery
        
        PID:3008

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mdbmdw.exe

Filesize
472KB

MD5
b99a3c504fb3494c81eca16099aec5ab

SHA1
5695103a074dc622f1e7bd06e9b132c1e27550a2

SHA256
41d17aeec282d38dd6c92978b25081f7c05996ed5c27b83dcc43b8dc51a66ea4

SHA512
433cd7a44f055c3f1f9eb1498dd17d04b749dc587ddbde7c3d506c5a99b98db415c1d02fa0662f2d22934067feaa92c768c02c42be6c094cc5869ec3b23de705

Download Submit
memory/100-212-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/388-667-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/412-424-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/436-167-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1032-569-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1208-504-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1340-432-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1540-391-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1540-386-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1608-532-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1608-537-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1656-129-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1668-190-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1692-366-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1752-472-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1800-4-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1800-0-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1808-85-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1868-179-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1868-173-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1908-699-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2052-223-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2096-101-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2152-20-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2156-739-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2172-585-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2268-278-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2304-561-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2320-140-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2324-145-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2364-350-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2520-675-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2576-408-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2620-74-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2632-374-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2672-254-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2728-440-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2752-68-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2932-723-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2952-456-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3012-618-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3024-626-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3164-156-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3260-134-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3268-118-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3292-512-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3456-601-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3508-245-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3532-659-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3544-553-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3612-382-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3676-63-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/3696-480-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3724-201-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3756-630-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/3756-635-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4088-715-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4132-605-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4132-610-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4328-318-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4364-174-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4376-107-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4444-731-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4504-14-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4504-5-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4504-3-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4504-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4552-123-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4560-151-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4672-416-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4688-262-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4688-488-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4700-593-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4700-358-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4728-520-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4756-577-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4784-691-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4792-334-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4840-234-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4884-302-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4964-46-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4972-52-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5032-528-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5064-42-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5064-33-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5076-545-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5100-310-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5112-27-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5112-19-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5212-112-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5304-683-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5360-342-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5412-286-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5436-57-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5440-400-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5440-395-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5464-326-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5508-270-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5584-496-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5624-651-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5628-162-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5704-79-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5728-26-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5728-34-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5772-90-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5804-294-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5812-643-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/5908-96-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/6052-448-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/6084-707-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/6136-464-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download