542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

Analysis

max time kernel
153s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe
Size

157KB
MD5

43f9dae058f9d6da6e6ac6a9c2a8d7e1
SHA1

8f9b33ab344abd96a51d5aa72f5b5b482933898f
SHA256

542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732
SHA512

52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7
SSDEEP

1536:1ZcEJFL7xDcXKGz5uYwZYnANVjZVc8K+wC++RiBya3PMCcDEpITeynKDuaagoxey:1mm1DyA7toVHiYuaagoxe2Yo5nowd1

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1212	ssktnkow.exe
1180	aljtursr.exe
584	bkwjfldi.exe
1048	ictmnaga.exe
864	odyovxja.exe
832	ykbczyee.exe
1908	zxapibeg.exe
2012	dvdzpkco.exe
1656	jobcyggo.exe
964	trakyebq.exe
1672	xsgijrha.exe
1752	ggrvmlbf.exe
1188	nzoyuiwf.exe
1764	ravvfvcp.exe
1820	xipwmaiv.exe
1168	wbvzuxlv.exe
1956	fhxmqzga.exe
1540	lmgbjsqu.exe
1556	xnkhghhj.exe
684	ktezikav.exe
2020	iazhsjko.exe
1976	rwzuclkq.exe
1680	bgmvirmx.exe
1128	kqidppfw.exe
840	wznitxel.exe
528	axgbnaxx.exe
1708	jtfowkxz.exe
532	qlcrfhaz.exe
1824	crejgktl.exe
952	iomzslvf.exe
1684	syazqjwf.exe
1780	eetrsmpz.exe
1344	nrsmbxpb.exe
1728	wjgnivqa.exe
1716	ahjxpepq.exe
1980	eiodltof.exe
1368	lblfcirw.exe
1276	xhnywtkj.exe
816	ggpyiarn.exe
1316	pqlyogku.exe
1532	bapdlnkj.exe
1472	gdwrczee.exe
1964	pnjzbxfd.exe
1732	ruumezzi.exe
2032	aqtaobzk.exe
904	jlsvxmam.exe
1460	svgvdkbt.exe
1536	cfuvcqua.exe
1812	olvvetvm.exe
1284	xvjvkzom.exe
1464	grijtcov.exe
436	tpcjnfpi.exe
1616	clbwxppj.exe
324	yieheynz.exe
1948	hsshkwpz.exe
1940	tqlzmhhl.exe
1696	cmkuvkhv.exe
1928	lijhxmhw.exe
1072	ygdazxaj.exe
1320	raokszik.exe
1204	ahqgwakp.exe
1900	kregcydw.exe
1608	warlzgdd.exe
1576	xztllvkh.exe

Loads dropped DLL 64 IoCs

pid	Process
1340	542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe
1340	542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe
1212	ssktnkow.exe
1212	ssktnkow.exe
1180	aljtursr.exe
1180	aljtursr.exe
584	bkwjfldi.exe
584	bkwjfldi.exe
1048	ictmnaga.exe
1048	ictmnaga.exe
864	odyovxja.exe
864	odyovxja.exe
832	ykbczyee.exe
832	ykbczyee.exe
1908	zxapibeg.exe
1908	zxapibeg.exe
2012	dvdzpkco.exe
2012	dvdzpkco.exe
1656	jobcyggo.exe
1656	jobcyggo.exe
964	trakyebq.exe
964	trakyebq.exe
1672	xsgijrha.exe
1672	xsgijrha.exe
1752	ggrvmlbf.exe
1752	ggrvmlbf.exe
1188	nzoyuiwf.exe
1188	nzoyuiwf.exe
1764	ravvfvcp.exe
1764	ravvfvcp.exe
1820	xipwmaiv.exe
1820	xipwmaiv.exe
1168	wbvzuxlv.exe
1168	wbvzuxlv.exe
1956	fhxmqzga.exe
1956	fhxmqzga.exe
1540	lmgbjsqu.exe
1540	lmgbjsqu.exe
1556	xnkhghhj.exe
1556	xnkhghhj.exe
684	ktezikav.exe
684	ktezikav.exe
2020	iazhsjko.exe
2020	iazhsjko.exe
1976	rwzuclkq.exe
1976	rwzuclkq.exe
1680	bgmvirmx.exe
1680	bgmvirmx.exe
1128	kqidppfw.exe
1128	kqidppfw.exe
840	wznitxel.exe
840	wznitxel.exe
528	axgbnaxx.exe
528	axgbnaxx.exe
1708	jtfowkxz.exe
1708	jtfowkxz.exe
532	qlcrfhaz.exe
532	qlcrfhaz.exe
1824	crejgktl.exe
1824	crejgktl.exe
952	iomzslvf.exe
952	iomzslvf.exe
1684	syazqjwf.exe
1684	syazqjwf.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\aljtursr.exe	ssktnkow.exe
File created	C:\Windows\SysWOW64\xhnywtkj.exe	lblfcirw.exe
File created	C:\Windows\SysWOW64\xnkhghhj.exe	lmgbjsqu.exe
File opened for modification	C:\Windows\SysWOW64\kregcydw.exe	ahqgwakp.exe
File created	C:\Windows\SysWOW64\ernrqlvp.exe	stmzwacd.exe
File created	C:\Windows\SysWOW64\rofjtzje.exe	fnbewrkp.exe
File created	C:\Windows\SysWOW64\svmwgcnc.exe	gpteermq.exe
File opened for modification	C:\Windows\SysWOW64\pqosvvbg.exe	dgknqncr.exe
File opened for modification	C:\Windows\SysWOW64\ggrvmlbf.exe	xsgijrha.exe
File opened for modification	C:\Windows\SysWOW64\bgmvirmx.exe	rwzuclkq.exe
File opened for modification	C:\Windows\SysWOW64\gdwrczee.exe	bapdlnkj.exe
File opened for modification	C:\Windows\SysWOW64\qkmhvhem.exe	ikjpjaxp.exe
File created	C:\Windows\SysWOW64\wjgnivqa.exe	nrsmbxpb.exe
File opened for modification	C:\Windows\SysWOW64\dyfdygfg.exe	rxbytzos.exe
File created	C:\Windows\SysWOW64\haebfydw.exe	xiqbzsjx.exe
File created	C:\Windows\SysWOW64\jyprnnll.exe	dcgjcmjr.exe
File opened for modification	C:\Windows\SysWOW64\tpcjnfpi.exe	grijtcov.exe
File opened for modification	C:\Windows\SysWOW64\yieheynz.exe	clbwxppj.exe
File created	C:\Windows\SysWOW64\ahltwpty.exe	oggfzius.exe
File created	C:\Windows\SysWOW64\bzftfbsq.exe	sactbmlm.exe
File created	C:\Windows\SysWOW64\xiqbzsjx.exe	lglwclki.exe
File opened for modification	C:\Windows\SysWOW64\xiqbzsjx.exe	lglwclki.exe
File opened for modification	C:\Windows\SysWOW64\fnbewrkp.exe	ahzeuord.exe
File opened for modification	C:\Windows\SysWOW64\dcgjcmjr.exe	wfolkztp.exe
File opened for modification	C:\Windows\SysWOW64\lypcjade.exe	alzkboev.exe
File created	C:\Windows\SysWOW64\ewqcdker.exe	svmwgcnc.exe
File opened for modification	C:\Windows\SysWOW64\fvbcpqlv.exe	ewqcdker.exe
File opened for modification	C:\Windows\SysWOW64\wjgnivqa.exe	nrsmbxpb.exe
File created	C:\Windows\SysWOW64\gdwrczee.exe	bapdlnkj.exe
File created	C:\Windows\SysWOW64\aqtaobzk.exe	ruumezzi.exe
File created	C:\Windows\SysWOW64\stmzwacd.exe	gjhtstdo.exe
File created	C:\Windows\SysWOW64\ahtkzfkl.exe	rofjtzje.exe
File opened for modification	C:\Windows\SysWOW64\ahtkzfkl.exe	rofjtzje.exe
File opened for modification	C:\Windows\SysWOW64\eetrsmpz.exe	syazqjwf.exe
File opened for modification	C:\Windows\SysWOW64\xhnywtkj.exe	lblfcirw.exe
File created	C:\Windows\SysWOW64\rxbytzos.exe	tedvlcks.exe
File created	C:\Windows\SysWOW64\yavhdcwi.exe	mcupbrew.exe
File created	C:\Windows\SysWOW64\woxyfusl.exe	knstbfaw.exe
File opened for modification	C:\Windows\SysWOW64\pqlyogku.exe	ggpyiarn.exe
File opened for modification	C:\Windows\SysWOW64\lijhxmhw.exe	cmkuvkhv.exe
File opened for modification	C:\Windows\SysWOW64\dhvcaodu.exe	zfqwvhef.exe
File opened for modification	C:\Windows\SysWOW64\ewqcdker.exe	svmwgcnc.exe
File opened for modification	C:\Windows\SysWOW64\zxapibeg.exe	ykbczyee.exe
File opened for modification	C:\Windows\SysWOW64\rwzuclkq.exe	iazhsjko.exe
File created	C:\Windows\SysWOW64\iomzslvf.exe	crejgktl.exe
File opened for modification	C:\Windows\SysWOW64\xdfxqfip.exe	ltajlxib.exe
File created	C:\Windows\SysWOW64\ravvfvcp.exe	nzoyuiwf.exe
File created	C:\Windows\SysWOW64\grijtcov.exe	xvjvkzom.exe
File opened for modification	C:\Windows\SysWOW64\gqekzpir.exe	xdfxqfip.exe
File opened for modification	C:\Windows\SysWOW64\ggpyiarn.exe	xhnywtkj.exe
File created	C:\Windows\SysWOW64\muaddbrp.exe	ahltwpty.exe
File created	C:\Windows\SysWOW64\fxmikoyw.exe	wbnvaeyv.exe
File opened for modification	C:\Windows\SysWOW64\ykbczyee.exe	odyovxja.exe
File opened for modification	C:\Windows\SysWOW64\nqprcscl.exe	ernrqlvp.exe
File created	C:\Windows\SysWOW64\dhvcaodu.exe	zfqwvhef.exe
File created	C:\Windows\SysWOW64\raokszik.exe	ygdazxaj.exe
File created	C:\Windows\SysWOW64\lglwclki.exe	coxnwnjb.exe
File opened for modification	C:\Windows\SysWOW64\divtldxa.exe	rgrngwyl.exe
File opened for modification	C:\Windows\SysWOW64\ndvguoxc.exe	divtldxa.exe
File opened for modification	C:\Windows\SysWOW64\aljtursr.exe	ssktnkow.exe
File opened for modification	C:\Windows\SysWOW64\lmgbjsqu.exe	fhxmqzga.exe
File created	C:\Windows\SysWOW64\tqlzmhhl.exe	hsshkwpz.exe
File created	C:\Windows\SysWOW64\qndoobly.exe	haebfydw.exe
File opened for modification	C:\Windows\SysWOW64\rffhtykc.exe	fvbcpqlv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1212	1340	542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe	27
PID 1340 wrote to memory of 1212	1340	542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe	27
PID 1340 wrote to memory of 1212	1340	542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe	27
PID 1340 wrote to memory of 1212	1340	542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe	27
PID 1212 wrote to memory of 1180	1212	ssktnkow.exe	28
PID 1212 wrote to memory of 1180	1212	ssktnkow.exe	28
PID 1212 wrote to memory of 1180	1212	ssktnkow.exe	28
PID 1212 wrote to memory of 1180	1212	ssktnkow.exe	28
PID 1180 wrote to memory of 584	1180	aljtursr.exe	29
PID 1180 wrote to memory of 584	1180	aljtursr.exe	29
PID 1180 wrote to memory of 584	1180	aljtursr.exe	29
PID 1180 wrote to memory of 584	1180	aljtursr.exe	29
PID 584 wrote to memory of 1048	584	bkwjfldi.exe	30
PID 584 wrote to memory of 1048	584	bkwjfldi.exe	30
PID 584 wrote to memory of 1048	584	bkwjfldi.exe	30
PID 584 wrote to memory of 1048	584	bkwjfldi.exe	30
PID 1048 wrote to memory of 864	1048	ictmnaga.exe	31
PID 1048 wrote to memory of 864	1048	ictmnaga.exe	31
PID 1048 wrote to memory of 864	1048	ictmnaga.exe	31
PID 1048 wrote to memory of 864	1048	ictmnaga.exe	31
PID 864 wrote to memory of 832	864	odyovxja.exe	32
PID 864 wrote to memory of 832	864	odyovxja.exe	32
PID 864 wrote to memory of 832	864	odyovxja.exe	32
PID 864 wrote to memory of 832	864	odyovxja.exe	32
PID 832 wrote to memory of 1908	832	ykbczyee.exe	33
PID 832 wrote to memory of 1908	832	ykbczyee.exe	33
PID 832 wrote to memory of 1908	832	ykbczyee.exe	33
PID 832 wrote to memory of 1908	832	ykbczyee.exe	33
PID 1908 wrote to memory of 2012	1908	zxapibeg.exe	34
PID 1908 wrote to memory of 2012	1908	zxapibeg.exe	34
PID 1908 wrote to memory of 2012	1908	zxapibeg.exe	34
PID 1908 wrote to memory of 2012	1908	zxapibeg.exe	34
PID 2012 wrote to memory of 1656	2012	dvdzpkco.exe	35
PID 2012 wrote to memory of 1656	2012	dvdzpkco.exe	35
PID 2012 wrote to memory of 1656	2012	dvdzpkco.exe	35
PID 2012 wrote to memory of 1656	2012	dvdzpkco.exe	35
PID 1656 wrote to memory of 964	1656	jobcyggo.exe	36
PID 1656 wrote to memory of 964	1656	jobcyggo.exe	36
PID 1656 wrote to memory of 964	1656	jobcyggo.exe	36
PID 1656 wrote to memory of 964	1656	jobcyggo.exe	36
PID 964 wrote to memory of 1672	964	trakyebq.exe	37
PID 964 wrote to memory of 1672	964	trakyebq.exe	37
PID 964 wrote to memory of 1672	964	trakyebq.exe	37
PID 964 wrote to memory of 1672	964	trakyebq.exe	37
PID 1672 wrote to memory of 1752	1672	xsgijrha.exe	38
PID 1672 wrote to memory of 1752	1672	xsgijrha.exe	38
PID 1672 wrote to memory of 1752	1672	xsgijrha.exe	38
PID 1672 wrote to memory of 1752	1672	xsgijrha.exe	38
PID 1752 wrote to memory of 1188	1752	ggrvmlbf.exe	39
PID 1752 wrote to memory of 1188	1752	ggrvmlbf.exe	39
PID 1752 wrote to memory of 1188	1752	ggrvmlbf.exe	39
PID 1752 wrote to memory of 1188	1752	ggrvmlbf.exe	39
PID 1188 wrote to memory of 1764	1188	nzoyuiwf.exe	40
PID 1188 wrote to memory of 1764	1188	nzoyuiwf.exe	40
PID 1188 wrote to memory of 1764	1188	nzoyuiwf.exe	40
PID 1188 wrote to memory of 1764	1188	nzoyuiwf.exe	40
PID 1764 wrote to memory of 1820	1764	ravvfvcp.exe	41
PID 1764 wrote to memory of 1820	1764	ravvfvcp.exe	41
PID 1764 wrote to memory of 1820	1764	ravvfvcp.exe	41
PID 1764 wrote to memory of 1820	1764	ravvfvcp.exe	41
PID 1820 wrote to memory of 1168	1820	xipwmaiv.exe	42
PID 1820 wrote to memory of 1168	1820	xipwmaiv.exe	42
PID 1820 wrote to memory of 1168	1820	xipwmaiv.exe	42
PID 1820 wrote to memory of 1168	1820	xipwmaiv.exe	42

C:\Users\Admin\AppData\Local\Temp\542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe
"C:\Users\Admin\AppData\Local\Temp\542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\SysWOW64\ssktnkow.exe
  C:\Windows\system32\ssktnkow.exe 520 "C:\Users\Admin\AppData\Local\Temp\542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\SysWOW64\aljtursr.exe
    C:\Windows\system32\aljtursr.exe 524 "C:\Windows\SysWOW64\ssktnkow.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SysWOW64\bkwjfldi.exe
      C:\Windows\system32\bkwjfldi.exe 516 "C:\Windows\SysWOW64\aljtursr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:584
    - - C:\Windows\SysWOW64\ictmnaga.exe
        
        C:\Windows\system32\ictmnaga.exe 528 "C:\Windows\SysWOW64\bkwjfldi.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\SysWOW64\odyovxja.exe
        
        C:\Windows\system32\odyovxja.exe 540 "C:\Windows\SysWOW64\ictmnaga.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\ykbczyee.exe
        
        C:\Windows\system32\ykbczyee.exe 512 "C:\Windows\SysWOW64\odyovxja.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\zxapibeg.exe
        
        C:\Windows\system32\zxapibeg.exe 532 "C:\Windows\SysWOW64\ykbczyee.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\dvdzpkco.exe
        
        C:\Windows\system32\dvdzpkco.exe 548 "C:\Windows\SysWOW64\zxapibeg.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\jobcyggo.exe
        
        C:\Windows\system32\jobcyggo.exe 552 "C:\Windows\SysWOW64\dvdzpkco.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\trakyebq.exe
        
        C:\Windows\system32\trakyebq.exe 556 "C:\Windows\SysWOW64\jobcyggo.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\xsgijrha.exe
        
        C:\Windows\system32\xsgijrha.exe 544 "C:\Windows\SysWOW64\trakyebq.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\ggrvmlbf.exe
        
        C:\Windows\system32\ggrvmlbf.exe 536 "C:\Windows\SysWOW64\xsgijrha.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\SysWOW64\nzoyuiwf.exe
        
        C:\Windows\system32\nzoyuiwf.exe 564 "C:\Windows\SysWOW64\ggrvmlbf.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\ravvfvcp.exe
        
        C:\Windows\system32\ravvfvcp.exe 568 "C:\Windows\SysWOW64\nzoyuiwf.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\xipwmaiv.exe
        
        C:\Windows\system32\xipwmaiv.exe 576 "C:\Windows\SysWOW64\ravvfvcp.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\wbvzuxlv.exe
        
        C:\Windows\system32\wbvzuxlv.exe 580 "C:\Windows\SysWOW64\xipwmaiv.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1168
        
        C:\Windows\SysWOW64\fhxmqzga.exe
        
        C:\Windows\system32\fhxmqzga.exe 588 "C:\Windows\SysWOW64\wbvzuxlv.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\lmgbjsqu.exe
        
        C:\Windows\system32\lmgbjsqu.exe 504 "C:\Windows\SysWOW64\fhxmqzga.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\xnkhghhj.exe
        
        C:\Windows\system32\xnkhghhj.exe 584 "C:\Windows\SysWOW64\lmgbjsqu.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1556
        
        C:\Windows\SysWOW64\ktezikav.exe
        
        C:\Windows\system32\ktezikav.exe 596 "C:\Windows\SysWOW64\xnkhghhj.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:684
        
        C:\Windows\SysWOW64\iazhsjko.exe
        
        C:\Windows\system32\iazhsjko.exe 604 "C:\Windows\SysWOW64\ktezikav.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\rwzuclkq.exe
        
        C:\Windows\system32\rwzuclkq.exe 572 "C:\Windows\SysWOW64\iazhsjko.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\bgmvirmx.exe
        
        C:\Windows\system32\bgmvirmx.exe 600 "C:\Windows\SysWOW64\rwzuclkq.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1680
        
        C:\Windows\SysWOW64\kqidppfw.exe
        
        C:\Windows\system32\kqidppfw.exe 608 "C:\Windows\SysWOW64\bgmvirmx.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1128
        
        C:\Windows\SysWOW64\wznitxel.exe
        
        C:\Windows\system32\wznitxel.exe 624 "C:\Windows\SysWOW64\kqidppfw.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:840
        
        C:\Windows\SysWOW64\axgbnaxx.exe
        
        C:\Windows\system32\axgbnaxx.exe 592 "C:\Windows\SysWOW64\wznitxel.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:528
        
        C:\Windows\SysWOW64\jtfowkxz.exe
        
        C:\Windows\system32\jtfowkxz.exe 620 "C:\Windows\SysWOW64\axgbnaxx.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1708
        
        C:\Windows\SysWOW64\qlcrfhaz.exe
        
        C:\Windows\system32\qlcrfhaz.exe 612 "C:\Windows\SysWOW64\jtfowkxz.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:532
        
        C:\Windows\SysWOW64\crejgktl.exe
        
        C:\Windows\system32\crejgktl.exe 640 "C:\Windows\SysWOW64\qlcrfhaz.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1824
        
        C:\Windows\SysWOW64\iomzslvf.exe
        
        C:\Windows\system32\iomzslvf.exe 560 "C:\Windows\SysWOW64\crejgktl.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:952
        
        C:\Windows\SysWOW64\syazqjwf.exe
        
        C:\Windows\system32\syazqjwf.exe 636 "C:\Windows\SysWOW64\iomzslvf.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\eetrsmpz.exe
        
        C:\Windows\system32\eetrsmpz.exe 632 "C:\Windows\SysWOW64\syazqjwf.exe"
        33⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\nrsmbxpb.exe
        
        C:\Windows\system32\nrsmbxpb.exe 644 "C:\Windows\SysWOW64\eetrsmpz.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1344
        
        C:\Windows\SysWOW64\wjgnivqa.exe
        
        C:\Windows\system32\wjgnivqa.exe 628 "C:\Windows\SysWOW64\nrsmbxpb.exe"
        35⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\SysWOW64\ahjxpepq.exe
        
        C:\Windows\system32\ahjxpepq.exe 652 "C:\Windows\SysWOW64\wjgnivqa.exe"
        36⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\eiodltof.exe
        
        C:\Windows\system32\eiodltof.exe 508 "C:\Windows\SysWOW64\ahjxpepq.exe"
        37⤵
        Executes dropped EXE
        
        PID:1980
        
        C:\Windows\SysWOW64\lblfcirw.exe
        
        C:\Windows\system32\lblfcirw.exe 660 "C:\Windows\SysWOW64\eiodltof.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\xhnywtkj.exe
        
        C:\Windows\system32\xhnywtkj.exe 656 "C:\Windows\SysWOW64\lblfcirw.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\ggpyiarn.exe
        
        C:\Windows\system32\ggpyiarn.exe 676 "C:\Windows\SysWOW64\xhnywtkj.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:816
        
        C:\Windows\SysWOW64\pqlyogku.exe
        
        C:\Windows\system32\pqlyogku.exe 672 "C:\Windows\SysWOW64\ggpyiarn.exe"
        41⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\bapdlnkj.exe
        
        C:\Windows\system32\bapdlnkj.exe 688 "C:\Windows\SysWOW64\pqlyogku.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1532
        
        C:\Windows\SysWOW64\gdwrczee.exe
        
        C:\Windows\system32\gdwrczee.exe 648 "C:\Windows\SysWOW64\bapdlnkj.exe"
        43⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\pnjzbxfd.exe
        
        C:\Windows\system32\pnjzbxfd.exe 684 "C:\Windows\SysWOW64\gdwrczee.exe"
        44⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Windows\SysWOW64\ruumezzi.exe
        
        C:\Windows\system32\ruumezzi.exe 680 "C:\Windows\SysWOW64\pnjzbxfd.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1732
        
        C:\Windows\SysWOW64\aqtaobzk.exe
        
        C:\Windows\system32\aqtaobzk.exe 700 "C:\Windows\SysWOW64\ruumezzi.exe"
        46⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\SysWOW64\jlsvxmam.exe
        
        C:\Windows\system32\jlsvxmam.exe 668 "C:\Windows\SysWOW64\aqtaobzk.exe"
        47⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Windows\SysWOW64\svgvdkbt.exe
        
        C:\Windows\system32\svgvdkbt.exe 704 "C:\Windows\SysWOW64\jlsvxmam.exe"
        48⤵
        Executes dropped EXE
        
        PID:1460
        
        C:\Windows\SysWOW64\cfuvcqua.exe
        
        C:\Windows\system32\cfuvcqua.exe 692 "C:\Windows\SysWOW64\svgvdkbt.exe"
        49⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Windows\SysWOW64\olvvetvm.exe
        
        C:\Windows\system32\olvvetvm.exe 696 "C:\Windows\SysWOW64\cfuvcqua.exe"
        50⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\SysWOW64\xvjvkzom.exe
        
        C:\Windows\system32\xvjvkzom.exe 716 "C:\Windows\SysWOW64\olvvetvm.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\grijtcov.exe
        
        C:\Windows\system32\grijtcov.exe 720 "C:\Windows\SysWOW64\xvjvkzom.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\tpcjnfpi.exe
        
        C:\Windows\system32\tpcjnfpi.exe 664 "C:\Windows\SysWOW64\grijtcov.exe"
        53⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\clbwxppj.exe
        
        C:\Windows\system32\clbwxppj.exe 724 "C:\Windows\SysWOW64\tpcjnfpi.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1616
        
        C:\Windows\SysWOW64\yieheynz.exe
        
        C:\Windows\system32\yieheynz.exe 712 "C:\Windows\SysWOW64\clbwxppj.exe"
        55⤵
        Executes dropped EXE
        
        PID:324
        
        C:\Windows\SysWOW64\hsshkwpz.exe
        
        C:\Windows\system32\hsshkwpz.exe 708 "C:\Windows\SysWOW64\yieheynz.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1948
        
        C:\Windows\SysWOW64\tqlzmhhl.exe
        
        C:\Windows\system32\tqlzmhhl.exe 740 "C:\Windows\SysWOW64\hsshkwpz.exe"
        57⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\cmkuvkhv.exe
        
        C:\Windows\system32\cmkuvkhv.exe 736 "C:\Windows\SysWOW64\tqlzmhhl.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\lijhxmhw.exe
        
        C:\Windows\system32\lijhxmhw.exe 732 "C:\Windows\SysWOW64\cmkuvkhv.exe"
        59⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Windows\SysWOW64\ygdazxaj.exe
        
        C:\Windows\system32\ygdazxaj.exe 748 "C:\Windows\SysWOW64\lijhxmhw.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\raokszik.exe
        
        C:\Windows\system32\raokszik.exe 752 "C:\Windows\SysWOW64\ygdazxaj.exe"
        61⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Windows\SysWOW64\ahqgwakp.exe
        
        C:\Windows\system32\ahqgwakp.exe 764 "C:\Windows\SysWOW64\raokszik.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1204
        
        C:\Windows\SysWOW64\kregcydw.exe
        
        C:\Windows\system32\kregcydw.exe 760 "C:\Windows\SysWOW64\ahqgwakp.exe"
        63⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\warlzgdd.exe
        
        C:\Windows\system32\warlzgdd.exe 756 "C:\Windows\SysWOW64\kregcydw.exe"
        64⤵
        Executes dropped EXE
        
        PID:1608
        
        C:\Windows\SysWOW64\xztllvkh.exe
        
        C:\Windows\system32\xztllvkh.exe 776 "C:\Windows\SysWOW64\warlzgdd.exe"
        65⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\gjhtstdo.exe
        
        C:\Windows\system32\gjhtstdo.exe 728 "C:\Windows\SysWOW64\xztllvkh.exe"
        66⤵
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\stmzwacd.exe
        
        C:\Windows\system32\stmzwacd.exe 772 "C:\Windows\SysWOW64\gjhtstdo.exe"
        67⤵
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\ernrqlvp.exe
        
        C:\Windows\system32\ernrqlvp.exe 780 "C:\Windows\SysWOW64\stmzwacd.exe"
        68⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\nqprcscl.exe
        
        C:\Windows\system32\nqprcscl.exe 788 "C:\Windows\SysWOW64\ernrqlvp.exe"
        69⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\zorkevug.exe
        
        C:\Windows\system32\zorkevug.exe 784 "C:\Windows\SysWOW64\nqprcscl.exe"
        70⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\lxvxbdmv.exe
        
        C:\Windows\system32\lxvxbdmv.exe 768 "C:\Windows\SysWOW64\zorkevug.exe"
        71⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\uxgpnrtr.exe
        
        C:\Windows\system32\uxgpnrtr.exe 800 "C:\Windows\SysWOW64\lxvxbdmv.exe"
        72⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\hvzqovll.exe
        
        C:\Windows\system32\hvzqovll.exe 804 "C:\Windows\SysWOW64\uxgpnrtr.exe"
        73⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\tedvlcks.exe
        
        C:\Windows\system32\tedvlcks.exe 796 "C:\Windows\SysWOW64\hvzqovll.exe"
        74⤵
        Drops file in System32 directory
        
        PID:1096
        
        C:\Windows\SysWOW64\rxbytzos.exe
        
        C:\Windows\system32\rxbytzos.exe 816 "C:\Windows\SysWOW64\tedvlcks.exe"
        75⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\dyfdygfg.exe
        
        C:\Windows\system32\dyfdygfg.exe 808 "C:\Windows\SysWOW64\rxbytzos.exe"
        76⤵
        
        PID:320
        
        C:\Windows\SysWOW64\mxqdknmc.exe
        
        C:\Windows\system32\mxqdknmc.exe 812 "C:\Windows\SysWOW64\dyfdygfg.exe"
        77⤵
        
        PID:600
        
        C:\Windows\SysWOW64\ydjweyfp.exe
        
        C:\Windows\system32\ydjweyfp.exe 744 "C:\Windows\SysWOW64\mxqdknmc.exe"
        78⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\fwozmvip.exe
        
        C:\Windows\system32\fwozmvip.exe 832 "C:\Windows\SysWOW64\ydjweyfp.exe"
        79⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\ojnmwxiq.exe
        
        C:\Windows\system32\ojnmwxiq.exe 840 "C:\Windows\SysWOW64\fwozmvip.exe"
        80⤵
        
        PID:556
        
        C:\Windows\SysWOW64\atsrafhf.exe
        
        C:\Windows\system32\atsrafhf.exe 820 "C:\Windows\SysWOW64\ojnmwxiq.exe"
        81⤵
        
        PID:972
        
        C:\Windows\SysWOW64\mrljuiar.exe
        
        C:\Windows\system32\mrljuiar.exe 828 "C:\Windows\SysWOW64\atsrafhf.exe"
        82⤵
        
        PID:604
        
        C:\Windows\SysWOW64\vqvkgxhv.exe
        
        C:\Windows\system32\vqvkgxhv.exe 824 "C:\Windows\SysWOW64\mrljuiar.exe"
        83⤵
        
        PID:368
        
        C:\Windows\SysWOW64\hzapleyk.exe
        
        C:\Windows\system32\hzapleyk.exe 852 "C:\Windows\SysWOW64\vqvkgxhv.exe"
        84⤵
        
        PID:820
        
        C:\Windows\SysWOW64\lxtpfhrx.exe
        
        C:\Windows\system32\lxtpfhrx.exe 860 "C:\Windows\SysWOW64\hzapleyk.exe"
        85⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\vtscoszy.exe
        
        C:\Windows\system32\vtscoszy.exe 836 "C:\Windows\SysWOW64\lxtpfhrx.exe"
        86⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\huxitzqn.exe
        
        C:\Windows\system32\huxitzqn.exe 864 "C:\Windows\SysWOW64\vtscoszy.exe"
        87⤵
        
        PID:668
        
        C:\Windows\SysWOW64\qqwvccqp.exe
        
        C:\Windows\system32\qqwvccqp.exe 868 "C:\Windows\SysWOW64\huxitzqn.exe"
        88⤵
        
        PID:472
        
        C:\Windows\SysWOW64\coxnwnjb.exe
        
        C:\Windows\system32\coxnwnjb.exe 844 "C:\Windows\SysWOW64\qqwvccqp.exe"
        89⤵
        Drops file in System32 directory
        
        PID:620
        
        C:\Windows\SysWOW64\lglwclki.exe
        
        C:\Windows\system32\lglwclki.exe 872 "C:\Windows\SysWOW64\coxnwnjb.exe"
        90⤵
        Drops file in System32 directory
        
        PID:1504
        
        C:\Windows\SysWOW64\xiqbzsjx.exe
        
        C:\Windows\system32\xiqbzsjx.exe 848 "C:\Windows\SysWOW64\lglwclki.exe"
        91⤵
        Drops file in System32 directory
        
        PID:772
        
        C:\Windows\SysWOW64\haebfydw.exe
        
        C:\Windows\system32\haebfydw.exe 884 "C:\Windows\SysWOW64\xiqbzsjx.exe"
        92⤵
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\qndoobly.exe
        
        C:\Windows\system32\qndoobly.exe 792 "C:\Windows\SysWOW64\haebfydw.exe"
        93⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\zfqwvhef.exe
        
        C:\Windows\system32\zfqwvhef.exe 876 "C:\Windows\SysWOW64\qndoobly.exe"
        94⤵
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\dhvcaodu.exe
        
        C:\Windows\system32\dhvcaodu.exe 880 "C:\Windows\SysWOW64\zfqwvhef.exe"
        95⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\mcupbrew.exe
        
        C:\Windows\system32\mcupbrew.exe 892 "C:\Windows\SysWOW64\dhvcaodu.exe"
        96⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\yavhdcwi.exe
        
        C:\Windows\system32\yavhdcwi.exe 856 "C:\Windows\SysWOW64\mcupbrew.exe"
        97⤵
        
        PID:568
        
        C:\Windows\SysWOW64\ikjpjaxp.exe
        
        C:\Windows\system32\ikjpjaxp.exe 900 "C:\Windows\SysWOW64\yavhdcwi.exe"
        98⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\qkmhvhem.exe
        
        C:\Windows\system32\qkmhvhem.exe 904 "C:\Windows\SysWOW64\ikjpjaxp.exe"
        99⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\ghenntvn.exe
        
        C:\Windows\system32\ghenntvn.exe 912 "C:\Windows\SysWOW64\qkmhvhem.exe"
        100⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\oggfzius.exe
        
        C:\Windows\system32\oggfzius.exe 908 "C:\Windows\SysWOW64\ghenntvn.exe"
        101⤵
        Drops file in System32 directory
        
        PID:748
        
        C:\Windows\SysWOW64\ahltwpty.exe
        
        C:\Windows\system32\ahltwpty.exe 916 "C:\Windows\SysWOW64\oggfzius.exe"
        102⤵
        Drops file in System32 directory
        
        PID:1216
        
        C:\Windows\SysWOW64\muaddbrp.exe
        
        C:\Windows\system32\muaddbrp.exe 896 "C:\Windows\SysWOW64\ahltwpty.exe"
        103⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\wfolkztp.exe
        
        C:\Windows\system32\wfolkztp.exe 924 "C:\Windows\SysWOW64\muaddbrp.exe"
        104⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\dcgjcmjr.exe
        
        C:\Windows\system32\dcgjcmjr.exe 920 "C:\Windows\SysWOW64\wfolkztp.exe"
        105⤵
        Drops file in System32 directory
        
        PID:1832
        
        C:\Windows\SysWOW64\jyprnnll.exe
        
        C:\Windows\system32\jyprnnll.exe 940 "C:\Windows\SysWOW64\dcgjcmjr.exe"
        106⤵
        
        PID:924
        
        C:\Windows\SysWOW64\vitwsuka.exe
        
        C:\Windows\system32\vitwsuka.exe 928 "C:\Windows\SysWOW64\jyprnnll.exe"
        107⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\esheyamz.exe
        
        C:\Windows\system32\esheyamz.exe 932 "C:\Windows\SysWOW64\vitwsuka.exe"
        108⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\okvexyfg.exe
        
        C:\Windows\system32\okvexyfg.exe 936 "C:\Windows\SysWOW64\esheyamz.exe"
        109⤵
        
        PID:896
        
        C:\Windows\SysWOW64\alzkboev.exe
        
        C:\Windows\system32\alzkboev.exe 952 "C:\Windows\SysWOW64\okvexyfg.exe"
        110⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\lypcjade.exe
        
        C:\Windows\system32\lypcjade.exe 944 "C:\Windows\SysWOW64\alzkboev.exe"
        111⤵
        
        PID:360
        
        C:\Windows\SysWOW64\vuopkcdg.exe
        
        C:\Windows\system32\vuopkcdg.exe 956 "C:\Windows\SysWOW64\lypcjade.exe"
        112⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\kjynkpti.exe
        
        C:\Windows\system32\kjynkpti.exe 960 "C:\Windows\SysWOW64\vuopkcdg.exe"
        113⤵
        
        PID:960
        
        C:\Windows\SysWOW64\tbuvqvvh.exe
        
        C:\Windows\system32\tbuvqvvh.exe 968 "C:\Windows\SysWOW64\kjynkpti.exe"
        114⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\uaxvvbbl.exe
        
        C:\Windows\system32\uaxvvbbl.exe 948 "C:\Windows\SysWOW64\tbuvqvvh.exe"
        115⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\gyyowfux.exe
        
        C:\Windows\system32\gyyowfux.exe 972 "C:\Windows\SysWOW64\uaxvvbbl.exe"
        116⤵
        
        PID:812
        
        C:\Windows\SysWOW64\sactbmlm.exe
        
        C:\Windows\system32\sactbmlm.exe 964 "C:\Windows\SysWOW64\gyyowfux.exe"
        117⤵
        Drops file in System32 directory
        
        PID:1416
        
        C:\Windows\SysWOW64\bzftfbsq.exe
        
        C:\Windows\system32\bzftfbsq.exe 988 "C:\Windows\SysWOW64\sactbmlm.exe"
        118⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\nijykisf.exe
        
        C:\Windows\system32\nijykisf.exe 980 "C:\Windows\SysWOW64\bzftfbsq.exe"
        119⤵
        
        PID:608
        
        C:\Windows\SysWOW64\zkoeoqjm.exe
        
        C:\Windows\system32\zkoeoqjm.exe 992 "C:\Windows\SysWOW64\nijykisf.exe"
        120⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\ltajlxib.exe
        
        C:\Windows\system32\ltajlxib.exe 976 "C:\Windows\SysWOW64\zkoeoqjm.exe"
        121⤵
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\xdfxqfip.exe
        
        C:\Windows\system32\xdfxqfip.exe 996 "C:\Windows\SysWOW64\ltajlxib.exe"
        122⤵
        Drops file in System32 directory
        
        PID:1044
        
        C:\Windows\SysWOW64\gqekzpir.exe
        
        C:\Windows\system32\gqekzpir.exe 984 "C:\Windows\SysWOW64\xdfxqfip.exe"
        123⤵
        
        PID:784
        
        C:\Windows\SysWOW64\sajpwxhg.exe
        
        C:\Windows\system32\sajpwxhg.exe 1008 "C:\Windows\SysWOW64\gqekzpir.exe"
        124⤵
        
        PID:632
        
        C:\Windows\SysWOW64\wbnvaeyv.exe
        
        C:\Windows\system32\wbnvaeyv.exe 888 "C:\Windows\SysWOW64\sajpwxhg.exe"
        125⤵
        Drops file in System32 directory
        
        PID:1724
        
        C:\Windows\SysWOW64\fxmikoyw.exe
        
        C:\Windows\system32\fxmikoyw.exe 1028 "C:\Windows\SysWOW64\wbnvaeyv.exe"
        126⤵
        
        PID:288
        
        C:\Windows\SysWOW64\rgrngwyl.exe
        
        C:\Windows\system32\rgrngwyl.exe 1016 "C:\Windows\SysWOW64\fxmikoyw.exe"
        127⤵
        Drops file in System32 directory
        
        PID:296
        
        C:\Windows\SysWOW64\divtldxa.exe
        
        C:\Windows\system32\divtldxa.exe 1036 "C:\Windows\SysWOW64\rgrngwyl.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\ndvguoxc.exe
        
        C:\Windows\system32\ndvguoxc.exe 1012 "C:\Windows\SysWOW64\divtldxa.exe"
        129⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\yqkyuavl.exe
        
        C:\Windows\system32\yqkyuavl.exe 1040 "C:\Windows\SysWOW64\ndvguoxc.exe"
        130⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\loeyvdox.exe
        
        C:\Windows\system32\loeyvdox.exe 1004 "C:\Windows\SysWOW64\yqkyuavl.exe"
        131⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\xqiesknm.exe
        
        C:\Windows\system32\xqiesknm.exe 1052 "C:\Windows\SysWOW64\loeyvdox.exe"
        132⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\gpteermq.exe
        
        C:\Windows\system32\gpteermq.exe 1048 "C:\Windows\SysWOW64\xqiesknm.exe"
        133⤵
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\svmwgcnc.exe
        
        C:\Windows\system32\svmwgcnc.exe 1032 "C:\Windows\SysWOW64\gpteermq.exe"
        134⤵
        Drops file in System32 directory
        
        PID:1524
        
        C:\Windows\SysWOW64\ewqcdker.exe
        
        C:\Windows\system32\ewqcdker.exe 1056 "C:\Windows\SysWOW64\svmwgcnc.exe"
        135⤵
        Drops file in System32 directory
        
        PID:1324
        
        C:\Windows\SysWOW64\fvbcpqlv.exe
        
        C:\Windows\system32\fvbcpqlv.exe 1068 "C:\Windows\SysWOW64\ewqcdker.exe"
        136⤵
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\rffhtykc.exe
        
        C:\Windows\system32\rffhtykc.exe 1044 "C:\Windows\SysWOW64\fvbcpqlv.exe"
        137⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\dgknqncr.exe
        
        C:\Windows\system32\dgknqncr.exe 1060 "C:\Windows\SysWOW64\rffhtykc.exe"
        138⤵
        Drops file in System32 directory
        
        PID:944
        
        C:\Windows\SysWOW64\pqosvvbg.exe
        
        C:\Windows\system32\pqosvvbg.exe 1072 "C:\Windows\SysWOW64\dgknqncr.exe"
        139⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\ydonexbh.exe
        
        C:\Windows\system32\ydonexbh.exe 1076 "C:\Windows\SysWOW64\pqosvvbg.exe"
        140⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\knstbfaw.exe
        
        C:\Windows\system32\knstbfaw.exe 1064 "C:\Windows\SysWOW64\ydonexbh.exe"
        141⤵
        Drops file in System32 directory
        
        PID:1012
        
        C:\Windows\SysWOW64\woxyfusl.exe
        
        C:\Windows\system32\woxyfusl.exe 1020 "C:\Windows\SysWOW64\knstbfaw.exe"
        142⤵
        
        PID:956
        
        C:\Windows\SysWOW64\fkwlpwsm.exe
        
        C:\Windows\system32\fkwlpwsm.exe 1080 "C:\Windows\SysWOW64\woxyfusl.exe"
        143⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\rtaqlerb.exe
        
        C:\Windows\system32\rtaqlerb.exe 1088 "C:\Windows\SysWOW64\fkwlpwsm.exe"
        144⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\ahzeuord.exe
        
        C:\Windows\system32\ahzeuord.exe 1084 "C:\Windows\SysWOW64\rtaqlerb.exe"
        145⤵
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\fnbewrkp.exe
        
        C:\Windows\system32\fnbewrkp.exe 1096 "C:\Windows\SysWOW64\ahzeuord.exe"
        146⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\rofjtzje.exe
        
        C:\Windows\system32\rofjtzje.exe 1104 "C:\Windows\SysWOW64\fnbewrkp.exe"
        147⤵
        Drops file in System32 directory
        
        PID:980
        
        C:\Windows\SysWOW64\ahtkzfkl.exe
        
        C:\Windows\system32\ahtkzfkl.exe 1100 "C:\Windows\SysWOW64\rofjtzje.exe"
        148⤵
        
        PID:1500

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\aljtursr.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\aljtursr.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\bkwjfldi.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\bkwjfldi.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\dvdzpkco.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\dvdzpkco.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ggrvmlbf.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ggrvmlbf.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ictmnaga.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ictmnaga.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\jobcyggo.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\jobcyggo.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\nzoyuiwf.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\nzoyuiwf.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\odyovxja.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\odyovxja.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ravvfvcp.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ravvfvcp.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ssktnkow.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ssktnkow.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\trakyebq.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\trakyebq.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\wbvzuxlv.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\wbvzuxlv.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\xipwmaiv.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\xipwmaiv.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\xsgijrha.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\xsgijrha.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ykbczyee.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\ykbczyee.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\zxapibeg.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
C:\Windows\SysWOW64\zxapibeg.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\aljtursr.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\aljtursr.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\bkwjfldi.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\bkwjfldi.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\dvdzpkco.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\dvdzpkco.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ggrvmlbf.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ggrvmlbf.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ictmnaga.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ictmnaga.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\jobcyggo.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\jobcyggo.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\nzoyuiwf.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\nzoyuiwf.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\odyovxja.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\odyovxja.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ravvfvcp.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ravvfvcp.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ssktnkow.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ssktnkow.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\trakyebq.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\trakyebq.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\wbvzuxlv.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\wbvzuxlv.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\xipwmaiv.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\xipwmaiv.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\xsgijrha.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\xsgijrha.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ykbczyee.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\ykbczyee.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\zxapibeg.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
\Windows\SysWOW64\zxapibeg.exe

Filesize
157KB

MD5
43f9dae058f9d6da6e6ac6a9c2a8d7e1

SHA1
8f9b33ab344abd96a51d5aa72f5b5b482933898f

SHA256
542a865eac1dd6aa5de685dfeeb2f92d36eb7b6b210d504e421c1b245bb38732

SHA512
52edc8354c740b2050ccca855383583052e69f24c5e9e5910ee94f330122a5e5ee82b394fb0bf7975eefdc8e2808707ef9369ceee81cd52f2402a4639436b5b7

Download Submit
memory/324-225-0x0000000000000000-mapping.dmp

Download
memory/436-221-0x0000000000000000-mapping.dmp

Download
memory/528-169-0x0000000000000000-mapping.dmp

Download
memory/532-173-0x0000000000000000-mapping.dmp

Download
memory/584-69-0x0000000000000000-mapping.dmp

Download
memory/684-157-0x0000000000000000-mapping.dmp

Download
memory/816-195-0x0000000000000000-mapping.dmp

Download
memory/832-87-0x0000000000000000-mapping.dmp

Download
memory/840-167-0x0000000000000000-mapping.dmp

Download
memory/864-81-0x0000000000000000-mapping.dmp

Download
memory/904-209-0x0000000000000000-mapping.dmp

Download
memory/952-177-0x0000000000000000-mapping.dmp

Download
memory/964-111-0x0000000000000000-mapping.dmp

Download
memory/1048-75-0x0000000000000000-mapping.dmp

Download
memory/1072-235-0x0000000000000000-mapping.dmp

Download
memory/1128-165-0x0000000000000000-mapping.dmp

Download
memory/1168-147-0x0000000000000000-mapping.dmp

Download
memory/1180-63-0x0000000000000000-mapping.dmp

Download
memory/1188-129-0x0000000000000000-mapping.dmp

Download
memory/1204-239-0x0000000000000000-mapping.dmp

Download
memory/1212-57-0x0000000000000000-mapping.dmp

Download
memory/1276-193-0x0000000000000000-mapping.dmp

Download
memory/1284-217-0x0000000000000000-mapping.dmp

Download
memory/1316-197-0x0000000000000000-mapping.dmp

Download
memory/1320-237-0x0000000000000000-mapping.dmp

Download
memory/1340-54-0x00000000758B1000-0x00000000758B3000-memory.dmp

Filesize
8KB

Download
memory/1344-183-0x0000000000000000-mapping.dmp

Download
memory/1368-191-0x0000000000000000-mapping.dmp

Download
memory/1460-211-0x0000000000000000-mapping.dmp

Download
memory/1464-219-0x0000000000000000-mapping.dmp

Download
memory/1472-201-0x0000000000000000-mapping.dmp

Download
memory/1532-199-0x0000000000000000-mapping.dmp

Download
memory/1536-213-0x0000000000000000-mapping.dmp

Download
memory/1540-153-0x0000000000000000-mapping.dmp

Download
memory/1556-155-0x0000000000000000-mapping.dmp

Download
memory/1576-245-0x0000000000000000-mapping.dmp

Download
memory/1608-243-0x0000000000000000-mapping.dmp

Download
memory/1616-223-0x0000000000000000-mapping.dmp

Download
memory/1656-105-0x0000000000000000-mapping.dmp

Download
memory/1672-117-0x0000000000000000-mapping.dmp

Download
memory/1680-163-0x0000000000000000-mapping.dmp

Download
memory/1684-179-0x0000000000000000-mapping.dmp

Download
memory/1696-231-0x0000000000000000-mapping.dmp

Download
memory/1708-171-0x0000000000000000-mapping.dmp

Download
memory/1716-187-0x0000000000000000-mapping.dmp

Download
memory/1728-185-0x0000000000000000-mapping.dmp

Download
memory/1732-205-0x0000000000000000-mapping.dmp

Download
memory/1752-123-0x0000000000000000-mapping.dmp

Download
memory/1764-135-0x0000000000000000-mapping.dmp

Download
memory/1780-181-0x0000000000000000-mapping.dmp

Download
memory/1812-215-0x0000000000000000-mapping.dmp

Download
memory/1820-141-0x0000000000000000-mapping.dmp

Download
memory/1824-175-0x0000000000000000-mapping.dmp

Download
memory/1900-241-0x0000000000000000-mapping.dmp

Download
memory/1908-93-0x0000000000000000-mapping.dmp

Download
memory/1928-233-0x0000000000000000-mapping.dmp

Download
memory/1940-229-0x0000000000000000-mapping.dmp

Download
memory/1948-227-0x0000000000000000-mapping.dmp

Download
memory/1956-151-0x0000000000000000-mapping.dmp

Download
memory/1964-203-0x0000000000000000-mapping.dmp

Download
memory/1976-161-0x0000000000000000-mapping.dmp

Download
memory/1980-189-0x0000000000000000-mapping.dmp

Download
memory/2012-99-0x0000000000000000-mapping.dmp

Download
memory/2020-159-0x0000000000000000-mapping.dmp

Download
memory/2032-207-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads