76117165b342f0390a5b48c258c1342cd444ecafeddf4ff413acf2d04930219b

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16eaaea528f61ae90ad1cd1ba88100a0.exe
Size

90KB
MD5

16eaaea528f61ae90ad1cd1ba88100a0
SHA1

f144a0a6e60a5c79670852e44d4d7a7ff5eba345
SHA256

76117165b342f0390a5b48c258c1342cd444ecafeddf4ff413acf2d04930219b
SHA512

1d1204ba41005d4aec8240e26ebb60135a1521e0ebd2f0c3832afed49fad2c045b9f6932d76f7ee250281581739176f81da0e5b6b139c869790a9be8482ba7fa
SSDEEP

1536:BMOH5tCzvGdqVQXHQFmCGc+NAdZ07Zou13SeV1m69GfanGLQzzcQXqZ3pGf:BvHuSnXn3TqZyl3Se59GMGLQzFqqf

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2992	advlipnm.exe
2804	dllqjxoq.exe
2828	autoqyhx.exe
1616	fxsnuvrw.exe
2052	fxsixymw.exe
2952	apibgqoj.exe
1088	ipsdhgzb.exe
1468	drvydagf.exe
1940	netdgulu.exe
1636	apingcyl.exe
804	ialddwur.exe
2388	advugzcz.exe
1540	sysgeega.exe
1572	regmkpva.exe
2940	regaletz.exe
3016	xmldjcsk.exe
1092	regkxumz.exe
2056	ipscokfv.exe
1404	secaqkss.exe
2664	drvcwsdw.exe
2916	netonexw.exe
2556	cmdblekx.exe
2560	wingcxke.exe
328	reglhnwo.exe
2964	ipswckik.exe
2080	ialamprd.exe
1536	winzqnbc.exe
2604	ipsebatn.exe
2976	fxsilnky.exe
1208	winhplvx.exe
3020	ipsuisoh.exe
2372	drvklvwh.exe
1704	comvkalj.exe
1848	secqbqre.exe
1800	compgnkd.exe
1672	sysoudhi.exe
1720	regnyash.exe
2880	cmdarilq.exe
2132	dllflqes.exe
2148	capqyiep.exe
2104	apiuiwwi.exe
2220	winwolhn.exe
2908	autxxgxs.exe
2540	drvrtthg.exe
2332	autrqevq.exe
2580	netbfoit.exe
2972	iallxebp.exe
2524	winkjjlo.exe
456	seclibav.exe
2960	netwgopp.exe
524	advshzej.exe
1944	capdgetd.exe
2716	fxscbhkl.exe
1936	capxcrsf.exe
2260	cmdiaehz.exe
1592	apiimbzy.exe
1552	xmluyjsi.exe
2344	seccrjrr.exe
1548	congcwic.exe
1560	secfwzrl.exe
2456	adveujrg.exe
2116	comrdzwk.exe
1880	ialvpfbb.exe
2692	winuccmz.exe

Loads dropped DLL 64 IoCs

pid	Process
3052	16eaaea528f61ae90ad1cd1ba88100a0.exe
3052	16eaaea528f61ae90ad1cd1ba88100a0.exe
2992	advlipnm.exe
2992	advlipnm.exe
2804	dllqjxoq.exe
2804	dllqjxoq.exe
2828	autoqyhx.exe
2828	autoqyhx.exe
1616	fxsnuvrw.exe
1616	fxsnuvrw.exe
2052	fxsixymw.exe
2052	fxsixymw.exe
2952	apibgqoj.exe
2952	apibgqoj.exe
1088	ipsdhgzb.exe
1088	ipsdhgzb.exe
1468	drvydagf.exe
1468	drvydagf.exe
1940	netdgulu.exe
1940	netdgulu.exe
1636	apingcyl.exe
1636	apingcyl.exe
804	ialddwur.exe
804	ialddwur.exe
2388	advugzcz.exe
2388	advugzcz.exe
1540	sysgeega.exe
1540	sysgeega.exe
1572	regmkpva.exe
1572	regmkpva.exe
2940	regaletz.exe
2940	regaletz.exe
3016	xmldjcsk.exe
3016	xmldjcsk.exe
1092	regkxumz.exe
1092	regkxumz.exe
2056	ipscokfv.exe
2056	ipscokfv.exe
1404	secaqkss.exe
1404	secaqkss.exe
2664	drvcwsdw.exe
2664	drvcwsdw.exe
2916	netonexw.exe
2916	netonexw.exe
2556	cmdblekx.exe
2556	cmdblekx.exe
2560	wingcxke.exe
2560	wingcxke.exe
328	reglhnwo.exe
328	reglhnwo.exe
2964	ipswckik.exe
2964	ipswckik.exe
2080	ialamprd.exe
2080	ialamprd.exe
1536	winzqnbc.exe
1536	winzqnbc.exe
2604	ipsebatn.exe
2604	ipsebatn.exe
2976	fxsilnky.exe
2976	fxsilnky.exe
1208	winhplvx.exe
1208	winhplvx.exe
3020	ipsuisoh.exe
3020	ipsuisoh.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cmdarilq.exe	regnyash.exe
File created	C:\Windows\SysWOW64\seclibav.exe	winkjjlo.exe
File opened for modification	C:\Windows\SysWOW64\comzolwa.exe	ialvmyfp.exe
File opened for modification	C:\Windows\SysWOW64\conkvqlu.exe	comzolwa.exe
File opened for modification	C:\Windows\SysWOW64\ialddwur.exe	apingcyl.exe
File opened for modification	C:\Windows\SysWOW64\secfwzrl.exe	congcwic.exe
File created	C:\Windows\SysWOW64\adveujrg.exe	secfwzrl.exe
File opened for modification	C:\Windows\SysWOW64\auturoqd.exe	connfmqz.exe
File created	C:\Windows\SysWOW64\drvcwsdw.exe	secaqkss.exe
File opened for modification	C:\Windows\SysWOW64\seccrjrr.exe	xmluyjsi.exe
File created	C:\Windows\SysWOW64\regkrfpj.exe	ialzusfn.exe
File created	C:\Windows\SysWOW64\drvydagf.exe	ipsdhgzb.exe
File opened for modification	C:\Windows\SysWOW64\apiimbzy.exe	cmdiaehz.exe
File created	C:\Windows\SysWOW64\xmluyjsi.exe	apiimbzy.exe
File created	C:\Windows\SysWOW64\comrdzwk.exe	adveujrg.exe
File created	C:\Windows\SysWOW64\xmlafomh.exe	cmdjkldg.exe
File created	C:\Windows\SysWOW64\dllqjxoq.exe	advlipnm.exe
File opened for modification	C:\Windows\SysWOW64\advugzcz.exe	ialddwur.exe
File created	C:\Windows\SysWOW64\regnyash.exe	sysoudhi.exe
File created	C:\Windows\SysWOW64\ipsiueqi.exe	xmljlwkf.exe
File opened for modification	C:\Windows\SysWOW64\advshzej.exe	netwgopp.exe
File created	C:\Windows\SysWOW64\seccdfyn.exe	fxsqemyg.exe
File opened for modification	C:\Windows\SysWOW64\cmdcjmuq.exe	winuouia.exe
File opened for modification	C:\Windows\SysWOW64\netonexw.exe	drvcwsdw.exe
File created	C:\Windows\SysWOW64\ipsuisoh.exe	winhplvx.exe
File created	C:\Windows\SysWOW64\iallxebp.exe	netbfoit.exe
File opened for modification	C:\Windows\SysWOW64\winkjjlo.exe	iallxebp.exe
File opened for modification	C:\Windows\SysWOW64\fxsnuvrw.exe	autoqyhx.exe
File opened for modification	C:\Windows\SysWOW64\winuccmz.exe	ialvpfbb.exe
File created	C:\Windows\SysWOW64\regaletz.exe	regmkpva.exe
File created	C:\Windows\SysWOW64\xmlcaubu.exe	ipsiueqi.exe
File created	C:\Windows\SysWOW64\reglhnwo.exe	wingcxke.exe
File created	C:\Windows\SysWOW64\ialamprd.exe	ipswckik.exe
File created	C:\Windows\SysWOW64\netwhydy.exe	auturoqd.exe
File opened for modification	C:\Windows\SysWOW64\cmdblekx.exe	netonexw.exe
File opened for modification	C:\Windows\SysWOW64\dllflqes.exe	cmdarilq.exe
File created	C:\Windows\SysWOW64\comvkalj.exe	drvklvwh.exe
File created	C:\Windows\SysWOW64\cmdkbgmz.exe	secxkqgv.exe
File opened for modification	C:\Windows\SysWOW64\apibgqoj.exe	fxsixymw.exe
File opened for modification	C:\Windows\SysWOW64\sysgeega.exe	advugzcz.exe
File opened for modification	C:\Windows\SysWOW64\cmdiaehz.exe	capxcrsf.exe
File opened for modification	C:\Windows\SysWOW64\xmlkzknx.exe	dlllumcy.exe
File opened for modification	C:\Windows\SysWOW64\ipsdhgzb.exe	apibgqoj.exe
File opened for modification	C:\Windows\SysWOW64\reglhnwo.exe	wingcxke.exe
File opened for modification	C:\Windows\SysWOW64\iallxebp.exe	netbfoit.exe
File created	C:\Windows\SysWOW64\advugzcz.exe	ialddwur.exe
File created	C:\Windows\SysWOW64\drvbtart.exe	igfwtzlb.exe
File opened for modification	C:\Windows\SysWOW64\clitdtbi.exe	xmlafomh.exe
File created	C:\Windows\SysWOW64\ipsdhgzb.exe	apibgqoj.exe
File opened for modification	C:\Windows\SysWOW64\netwgopp.exe	seclibav.exe
File opened for modification	C:\Windows\SysWOW64\congcwic.exe	seccrjrr.exe
File created	C:\Windows\SysWOW64\cliwjvwh.exe	ialazqnw.exe
File opened for modification	C:\Windows\SysWOW64\igfelljc.exe	netadqfx.exe
File created	C:\Windows\SysWOW64\ialzusfn.exe	comuzszg.exe
File opened for modification	C:\Windows\SysWOW64\dllqjxoq.exe	advlipnm.exe
File opened for modification	C:\Windows\SysWOW64\winhplvx.exe	fxsilnky.exe
File opened for modification	C:\Windows\SysWOW64\apiuiwwi.exe	capqyiep.exe
File created	C:\Windows\SysWOW64\cliaanlo.exe	seccdfyn.exe
File created	C:\Windows\SysWOW64\apiojanm.exe	autjznet.exe
File opened for modification	C:\Windows\SysWOW64\fxscbhkl.exe	capdgetd.exe
File created	C:\Windows\SysWOW64\clixgzsn.exe	netwhydy.exe
File opened for modification	C:\Windows\SysWOW64\cliwjvwh.exe	ialazqnw.exe
File created	C:\Windows\SysWOW64\ialvmyfp.exe	cliwjvwh.exe
File created	C:\Windows\SysWOW64\igfelljc.exe	netadqfx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2992	3052	16eaaea528f61ae90ad1cd1ba88100a0.exe	28
PID 3052 wrote to memory of 2992	3052	16eaaea528f61ae90ad1cd1ba88100a0.exe	28
PID 3052 wrote to memory of 2992	3052	16eaaea528f61ae90ad1cd1ba88100a0.exe	28
PID 3052 wrote to memory of 2992	3052	16eaaea528f61ae90ad1cd1ba88100a0.exe	28
PID 2992 wrote to memory of 2804	2992	advlipnm.exe	29
PID 2992 wrote to memory of 2804	2992	advlipnm.exe	29
PID 2992 wrote to memory of 2804	2992	advlipnm.exe	29
PID 2992 wrote to memory of 2804	2992	advlipnm.exe	29
PID 2804 wrote to memory of 2828	2804	dllqjxoq.exe	30
PID 2804 wrote to memory of 2828	2804	dllqjxoq.exe	30
PID 2804 wrote to memory of 2828	2804	dllqjxoq.exe	30
PID 2804 wrote to memory of 2828	2804	dllqjxoq.exe	30
PID 2828 wrote to memory of 1616	2828	autoqyhx.exe	31
PID 2828 wrote to memory of 1616	2828	autoqyhx.exe	31
PID 2828 wrote to memory of 1616	2828	autoqyhx.exe	31
PID 2828 wrote to memory of 1616	2828	autoqyhx.exe	31
PID 1616 wrote to memory of 2052	1616	fxsnuvrw.exe	32
PID 1616 wrote to memory of 2052	1616	fxsnuvrw.exe	32
PID 1616 wrote to memory of 2052	1616	fxsnuvrw.exe	32
PID 1616 wrote to memory of 2052	1616	fxsnuvrw.exe	32
PID 2052 wrote to memory of 2952	2052	fxsixymw.exe	33
PID 2052 wrote to memory of 2952	2052	fxsixymw.exe	33
PID 2052 wrote to memory of 2952	2052	fxsixymw.exe	33
PID 2052 wrote to memory of 2952	2052	fxsixymw.exe	33
PID 2952 wrote to memory of 1088	2952	apibgqoj.exe	34
PID 2952 wrote to memory of 1088	2952	apibgqoj.exe	34
PID 2952 wrote to memory of 1088	2952	apibgqoj.exe	34
PID 2952 wrote to memory of 1088	2952	apibgqoj.exe	34
PID 1088 wrote to memory of 1468	1088	ipsdhgzb.exe	36
PID 1088 wrote to memory of 1468	1088	ipsdhgzb.exe	36
PID 1088 wrote to memory of 1468	1088	ipsdhgzb.exe	36
PID 1088 wrote to memory of 1468	1088	ipsdhgzb.exe	36
PID 1468 wrote to memory of 1940	1468	drvydagf.exe	38
PID 1468 wrote to memory of 1940	1468	drvydagf.exe	38
PID 1468 wrote to memory of 1940	1468	drvydagf.exe	38
PID 1468 wrote to memory of 1940	1468	drvydagf.exe	38
PID 1940 wrote to memory of 1636	1940	netdgulu.exe	39
PID 1940 wrote to memory of 1636	1940	netdgulu.exe	39
PID 1940 wrote to memory of 1636	1940	netdgulu.exe	39
PID 1940 wrote to memory of 1636	1940	netdgulu.exe	39
PID 1636 wrote to memory of 804	1636	apingcyl.exe	40
PID 1636 wrote to memory of 804	1636	apingcyl.exe	40
PID 1636 wrote to memory of 804	1636	apingcyl.exe	40
PID 1636 wrote to memory of 804	1636	apingcyl.exe	40
PID 804 wrote to memory of 2388	804	ialddwur.exe	41
PID 804 wrote to memory of 2388	804	ialddwur.exe	41
PID 804 wrote to memory of 2388	804	ialddwur.exe	41
PID 804 wrote to memory of 2388	804	ialddwur.exe	41
PID 2388 wrote to memory of 1540	2388	advugzcz.exe	42
PID 2388 wrote to memory of 1540	2388	advugzcz.exe	42
PID 2388 wrote to memory of 1540	2388	advugzcz.exe	42
PID 2388 wrote to memory of 1540	2388	advugzcz.exe	42
PID 1540 wrote to memory of 1572	1540	sysgeega.exe	43
PID 1540 wrote to memory of 1572	1540	sysgeega.exe	43
PID 1540 wrote to memory of 1572	1540	sysgeega.exe	43
PID 1540 wrote to memory of 1572	1540	sysgeega.exe	43
PID 1572 wrote to memory of 2940	1572	regmkpva.exe	44
PID 1572 wrote to memory of 2940	1572	regmkpva.exe	44
PID 1572 wrote to memory of 2940	1572	regmkpva.exe	44
PID 1572 wrote to memory of 2940	1572	regmkpva.exe	44
PID 2940 wrote to memory of 3016	2940	regaletz.exe	45
PID 2940 wrote to memory of 3016	2940	regaletz.exe	45
PID 2940 wrote to memory of 3016	2940	regaletz.exe	45
PID 2940 wrote to memory of 3016	2940	regaletz.exe	45

C:\Users\Admin\AppData\Local\Temp\16eaaea528f61ae90ad1cd1ba88100a0.exe
"C:\Users\Admin\AppData\Local\Temp\16eaaea528f61ae90ad1cd1ba88100a0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\SysWOW64\advlipnm.exe
  C:\Windows\system32\advlipnm.exe 516 "C:\Users\Admin\AppData\Local\Temp\16eaaea528f61ae90ad1cd1ba88100a0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\dllqjxoq.exe
    C:\Windows\system32\dllqjxoq.exe 512 "C:\Windows\SysWOW64\advlipnm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\autoqyhx.exe
      C:\Windows\system32\autoqyhx.exe 432 "C:\Windows\SysWOW64\dllqjxoq.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2828
    - - C:\Windows\SysWOW64\fxsnuvrw.exe
        
        C:\Windows\system32\fxsnuvrw.exe 520 "C:\Windows\SysWOW64\autoqyhx.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Windows\SysWOW64\fxsixymw.exe
        
        C:\Windows\system32\fxsixymw.exe 524 "C:\Windows\SysWOW64\fxsnuvrw.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\apibgqoj.exe
        
        C:\Windows\system32\apibgqoj.exe 504 "C:\Windows\SysWOW64\fxsixymw.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\ipsdhgzb.exe
        
        C:\Windows\system32\ipsdhgzb.exe 436 "C:\Windows\SysWOW64\apibgqoj.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\drvydagf.exe
        
        C:\Windows\system32\drvydagf.exe 536 "C:\Windows\SysWOW64\ipsdhgzb.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\netdgulu.exe
        
        C:\Windows\system32\netdgulu.exe 540 "C:\Windows\SysWOW64\drvydagf.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\SysWOW64\apingcyl.exe
        
        C:\Windows\system32\apingcyl.exe 552 "C:\Windows\SysWOW64\netdgulu.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\ialddwur.exe
        
        C:\Windows\system32\ialddwur.exe 532 "C:\Windows\SysWOW64\apingcyl.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\SysWOW64\advugzcz.exe
        
        C:\Windows\system32\advugzcz.exe 560 "C:\Windows\SysWOW64\ialddwur.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\sysgeega.exe
        
        C:\Windows\system32\sysgeega.exe 548 "C:\Windows\SysWOW64\advugzcz.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\SysWOW64\regmkpva.exe
        
        C:\Windows\system32\regmkpva.exe 556 "C:\Windows\SysWOW64\sysgeega.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\regaletz.exe
        
        C:\Windows\system32\regaletz.exe 440 "C:\Windows\SysWOW64\regmkpva.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\xmldjcsk.exe
        
        C:\Windows\system32\xmldjcsk.exe 568 "C:\Windows\SysWOW64\regaletz.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3016
        
        C:\Windows\SysWOW64\regkxumz.exe
        
        C:\Windows\system32\regkxumz.exe 572 "C:\Windows\SysWOW64\xmldjcsk.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1092
        
        C:\Windows\SysWOW64\ipscokfv.exe
        
        C:\Windows\system32\ipscokfv.exe 576 "C:\Windows\SysWOW64\regkxumz.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2056
        
        C:\Windows\SysWOW64\secaqkss.exe
        
        C:\Windows\system32\secaqkss.exe 564 "C:\Windows\SysWOW64\ipscokfv.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1404
        
        C:\Windows\SysWOW64\drvcwsdw.exe
        
        C:\Windows\system32\drvcwsdw.exe 584 "C:\Windows\SysWOW64\secaqkss.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2664
        
        C:\Windows\SysWOW64\netonexw.exe
        
        C:\Windows\system32\netonexw.exe 588 "C:\Windows\SysWOW64\drvcwsdw.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\cmdblekx.exe
        
        C:\Windows\system32\cmdblekx.exe 592 "C:\Windows\SysWOW64\netonexw.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2556
        
        C:\Windows\SysWOW64\wingcxke.exe
        
        C:\Windows\system32\wingcxke.exe 600 "C:\Windows\SysWOW64\cmdblekx.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2560
        
        C:\Windows\SysWOW64\reglhnwo.exe
        
        C:\Windows\system32\reglhnwo.exe 596 "C:\Windows\SysWOW64\wingcxke.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:328
        
        C:\Windows\SysWOW64\ipswckik.exe
        
        C:\Windows\system32\ipswckik.exe 604 "C:\Windows\SysWOW64\reglhnwo.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\ialamprd.exe
        
        C:\Windows\system32\ialamprd.exe 612 "C:\Windows\SysWOW64\ipswckik.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2080
        
        C:\Windows\SysWOW64\winzqnbc.exe
        
        C:\Windows\system32\winzqnbc.exe 624 "C:\Windows\SysWOW64\ialamprd.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1536
        
        C:\Windows\SysWOW64\ipsebatn.exe
        
        C:\Windows\system32\ipsebatn.exe 488 "C:\Windows\SysWOW64\winzqnbc.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2604
        
        C:\Windows\SysWOW64\fxsilnky.exe
        
        C:\Windows\system32\fxsilnky.exe 444 "C:\Windows\SysWOW64\ipsebatn.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\winhplvx.exe
        
        C:\Windows\system32\winhplvx.exe 628 "C:\Windows\SysWOW64\fxsilnky.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\ipsuisoh.exe
        
        C:\Windows\system32\ipsuisoh.exe 448 "C:\Windows\SysWOW64\winhplvx.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3020
        
        C:\Windows\SysWOW64\drvklvwh.exe
        
        C:\Windows\system32\drvklvwh.exe 632 "C:\Windows\SysWOW64\ipsuisoh.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\comvkalj.exe
        
        C:\Windows\system32\comvkalj.exe 484 "C:\Windows\SysWOW64\drvklvwh.exe"
        34⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SysWOW64\secqbqre.exe
        
        C:\Windows\system32\secqbqre.exe 480 "C:\Windows\SysWOW64\comvkalj.exe"
        35⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Windows\SysWOW64\compgnkd.exe
        
        C:\Windows\system32\compgnkd.exe 580 "C:\Windows\SysWOW64\secqbqre.exe"
        36⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\sysoudhi.exe
        
        C:\Windows\system32\sysoudhi.exe 460 "C:\Windows\SysWOW64\compgnkd.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1672
        
        C:\Windows\SysWOW64\regnyash.exe
        
        C:\Windows\system32\regnyash.exe 616 "C:\Windows\SysWOW64\sysoudhi.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\cmdarilq.exe
        
        C:\Windows\system32\cmdarilq.exe 668 "C:\Windows\SysWOW64\regnyash.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\dllflqes.exe
        
        C:\Windows\system32\dllflqes.exe 680 "C:\Windows\SysWOW64\cmdarilq.exe"
        40⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\capqyiep.exe
        
        C:\Windows\system32\capqyiep.exe 672 "C:\Windows\SysWOW64\dllflqes.exe"
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2148
        
        C:\Windows\SysWOW64\apiuiwwi.exe
        
        C:\Windows\system32\apiuiwwi.exe 684 "C:\Windows\SysWOW64\capqyiep.exe"
        42⤵
        Executes dropped EXE
        
        PID:2104
        
        C:\Windows\SysWOW64\winwolhn.exe
        
        C:\Windows\system32\winwolhn.exe 664 "C:\Windows\SysWOW64\apiuiwwi.exe"
        43⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Windows\SysWOW64\autxxgxs.exe
        
        C:\Windows\system32\autxxgxs.exe 676 "C:\Windows\SysWOW64\winwolhn.exe"
        44⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\drvrtthg.exe
        
        C:\Windows\system32\drvrtthg.exe 688 "C:\Windows\SysWOW64\autxxgxs.exe"
        45⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\autrqevq.exe
        
        C:\Windows\system32\autrqevq.exe 452 "C:\Windows\SysWOW64\drvrtthg.exe"
        46⤵
        Executes dropped EXE
        
        PID:2332
        
        C:\Windows\SysWOW64\netbfoit.exe
        
        C:\Windows\system32\netbfoit.exe 692 "C:\Windows\SysWOW64\autrqevq.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2580
        
        C:\Windows\SysWOW64\iallxebp.exe
        
        C:\Windows\system32\iallxebp.exe 660 "C:\Windows\SysWOW64\netbfoit.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2972
        
        C:\Windows\SysWOW64\winkjjlo.exe
        
        C:\Windows\system32\winkjjlo.exe 700 "C:\Windows\SysWOW64\iallxebp.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\seclibav.exe
        
        C:\Windows\system32\seclibav.exe 696 "C:\Windows\SysWOW64\winkjjlo.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\netwgopp.exe
        
        C:\Windows\system32\netwgopp.exe 704 "C:\Windows\SysWOW64\seclibav.exe"
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\advshzej.exe
        
        C:\Windows\system32\advshzej.exe 608 "C:\Windows\SysWOW64\netwgopp.exe"
        52⤵
        Executes dropped EXE
        
        PID:524
        
        C:\Windows\SysWOW64\capdgetd.exe
        
        C:\Windows\system32\capdgetd.exe 716 "C:\Windows\SysWOW64\advshzej.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1944
        
        C:\Windows\SysWOW64\fxscbhkl.exe
        
        C:\Windows\system32\fxscbhkl.exe 712 "C:\Windows\SysWOW64\capdgetd.exe"
        54⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\SysWOW64\capxcrsf.exe
        
        C:\Windows\system32\capxcrsf.exe 724 "C:\Windows\SysWOW64\fxscbhkl.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\cmdiaehz.exe
        
        C:\Windows\system32\cmdiaehz.exe 492 "C:\Windows\SysWOW64\capxcrsf.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2260
        
        C:\Windows\SysWOW64\apiimbzy.exe
        
        C:\Windows\system32\apiimbzy.exe 744 "C:\Windows\SysWOW64\cmdiaehz.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1592
        
        C:\Windows\SysWOW64\xmluyjsi.exe
        
        C:\Windows\system32\xmluyjsi.exe 456 "C:\Windows\SysWOW64\apiimbzy.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1552
        
        C:\Windows\SysWOW64\seccrjrr.exe
        
        C:\Windows\system32\seccrjrr.exe 732 "C:\Windows\SysWOW64\xmluyjsi.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\congcwic.exe
        
        C:\Windows\system32\congcwic.exe 464 "C:\Windows\SysWOW64\seccrjrr.exe"
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\secfwzrl.exe
        
        C:\Windows\system32\secfwzrl.exe 740 "C:\Windows\SysWOW64\congcwic.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\adveujrg.exe
        
        C:\Windows\system32\adveujrg.exe 636 "C:\Windows\SysWOW64\secfwzrl.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\comrdzwk.exe
        
        C:\Windows\system32\comrdzwk.exe 752 "C:\Windows\SysWOW64\adveujrg.exe"
        63⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Windows\SysWOW64\ialvpfbb.exe
        
        C:\Windows\system32\ialvpfbb.exe 468 "C:\Windows\SysWOW64\comrdzwk.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1880
        
        C:\Windows\SysWOW64\winuccmz.exe
        
        C:\Windows\system32\winuccmz.exe 764 "C:\Windows\SysWOW64\ialvpfbb.exe"
        65⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SysWOW64\dllugzwy.exe
        
        C:\Windows\system32\dllugzwy.exe 784 "C:\Windows\SysWOW64\winuccmz.exe"
        66⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\syswhteu.exe
        
        C:\Windows\system32\syswhteu.exe 760 "C:\Windows\SysWOW64\dllugzwy.exe"
        67⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\connfmqz.exe
        
        C:\Windows\system32\connfmqz.exe 772 "C:\Windows\SysWOW64\syswhteu.exe"
        68⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\auturoqd.exe
        
        C:\Windows\system32\auturoqd.exe 768 "C:\Windows\SysWOW64\connfmqz.exe"
        69⤵
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\netwhydy.exe
        
        C:\Windows\system32\netwhydy.exe 780 "C:\Windows\SysWOW64\auturoqd.exe"
        70⤵
        Drops file in System32 directory
        
        PID:1844
        
        C:\Windows\SysWOW64\clixgzsn.exe
        
        C:\Windows\system32\clixgzsn.exe 776 "C:\Windows\SysWOW64\netwhydy.exe"
        71⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\igfwtzlb.exe
        
        C:\Windows\system32\igfwtzlb.exe 792 "C:\Windows\SysWOW64\clixgzsn.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2068
        
        C:\Windows\SysWOW64\drvbtart.exe
        
        C:\Windows\system32\drvbtart.exe 788 "C:\Windows\SysWOW64\igfwtzlb.exe"
        73⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\xmlwpxug.exe
        
        C:\Windows\system32\xmlwpxug.exe 800 "C:\Windows\SysWOW64\drvbtart.exe"
        74⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\fxsqemyg.exe
        
        C:\Windows\system32\fxsqemyg.exe 812 "C:\Windows\SysWOW64\xmlwpxug.exe"
        75⤵
        Drops file in System32 directory
        
        PID:312
        
        C:\Windows\SysWOW64\seccdfyn.exe
        
        C:\Windows\system32\seccdfyn.exe 796 "C:\Windows\SysWOW64\fxsqemyg.exe"
        76⤵
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\cliaanlo.exe
        
        C:\Windows\system32\cliaanlo.exe 804 "C:\Windows\SysWOW64\seccdfyn.exe"
        77⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\ialmgspp.exe
        
        C:\Windows\system32\ialmgspp.exe 640 "C:\Windows\SysWOW64\cliaanlo.exe"
        78⤵
        
        PID:576
        
        C:\Windows\SysWOW64\ialazqnw.exe
        
        C:\Windows\system32\ialazqnw.exe 820 "C:\Windows\SysWOW64\ialmgspp.exe"
        79⤵
        Drops file in System32 directory
        
        PID:1464
        
        C:\Windows\SysWOW64\cliwjvwh.exe
        
        C:\Windows\system32\cliwjvwh.exe 828 "C:\Windows\SysWOW64\ialazqnw.exe"
        80⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\ialvmyfp.exe
        
        C:\Windows\system32\ialvmyfp.exe 824 "C:\Windows\SysWOW64\cliwjvwh.exe"
        81⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\comzolwa.exe
        
        C:\Windows\system32\comzolwa.exe 832 "C:\Windows\SysWOW64\ialvmyfp.exe"
        82⤵
        Drops file in System32 directory
        
        PID:560
        
        C:\Windows\SysWOW64\conkvqlu.exe
        
        C:\Windows\system32\conkvqlu.exe 816 "C:\Windows\SysWOW64\comzolwa.exe"
        83⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\autjznet.exe
        
        C:\Windows\system32\autjznet.exe 840 "C:\Windows\SysWOW64\conkvqlu.exe"
        84⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\apiojanm.exe
        
        C:\Windows\system32\apiojanm.exe 836 "C:\Windows\SysWOW64\autjznet.exe"
        85⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmdjkldg.exe
        
        C:\Windows\system32\cmdjkldg.exe 844 "C:\Windows\SysWOW64\apiojanm.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2128
        
        C:\Windows\SysWOW64\xmlafomh.exe
        
        C:\Windows\system32\xmlafomh.exe 848 "C:\Windows\SysWOW64\cmdjkldg.exe"
        87⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\clitdtbi.exe
        
        C:\Windows\system32\clitdtbi.exe 620 "C:\Windows\SysWOW64\xmlafomh.exe"
        88⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\igfspqth.exe
        
        C:\Windows\system32\igfspqth.exe 860 "C:\Windows\SysWOW64\clitdtbi.exe"
        89⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\netadqfx.exe
        
        C:\Windows\system32\netadqfx.exe 868 "C:\Windows\SysWOW64\igfspqth.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\igfelljc.exe
        
        C:\Windows\system32\igfelljc.exe 864 "C:\Windows\SysWOW64\netadqfx.exe"
        91⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\secxkqgv.exe
        
        C:\Windows\system32\secxkqgv.exe 884 "C:\Windows\SysWOW64\igfelljc.exe"
        92⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\cmdkbgmz.exe
        
        C:\Windows\system32\cmdkbgmz.exe 880 "C:\Windows\SysWOW64\secxkqgv.exe"
        93⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\advejgls.exe
        
        C:\Windows\system32\advejgls.exe 708 "C:\Windows\SysWOW64\cmdkbgmz.exe"
        94⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\apifigry.exe
        
        C:\Windows\system32\apifigry.exe 872 "C:\Windows\SysWOW64\advejgls.exe"
        95⤵
        
        PID:908
        
        C:\Windows\SysWOW64\xmlkajgp.exe
        
        C:\Windows\system32\xmlkajgp.exe 876 "C:\Windows\SysWOW64\apifigry.exe"
        96⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\xmljlwkf.exe
        
        C:\Windows\system32\xmljlwkf.exe 904 "C:\Windows\SysWOW64\xmlkajgp.exe"
        97⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\ipsiueqi.exe
        
        C:\Windows\system32\ipsiueqi.exe 656 "C:\Windows\SysWOW64\xmljlwkf.exe"
        98⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\xmlcaubu.exe
        
        C:\Windows\system32\xmlcaubu.exe 896 "C:\Windows\SysWOW64\ipsiueqi.exe"
        99⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\dlllumcy.exe
        
        C:\Windows\system32\dlllumcy.exe 648 "C:\Windows\SysWOW64\xmlcaubu.exe"
        100⤵
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\xmlkzknx.exe
        
        C:\Windows\system32\xmlkzknx.exe 916 "C:\Windows\SysWOW64\dlllumcy.exe"
        101⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\winuouia.exe
        
        C:\Windows\system32\winuouia.exe 908 "C:\Windows\SysWOW64\xmlkzknx.exe"
        102⤵
        Drops file in System32 directory
        
        PID:2800
        
        C:\Windows\SysWOW64\cmdcjmuq.exe
        
        C:\Windows\system32\cmdcjmuq.exe 900 "C:\Windows\SysWOW64\winuouia.exe"
        103⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\comuzszg.exe
        
        C:\Windows\system32\comuzszg.exe 912 "C:\Windows\SysWOW64\cmdcjmuq.exe"
        104⤵
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\ialzusfn.exe
        
        C:\Windows\system32\ialzusfn.exe 544 "C:\Windows\SysWOW64\comuzszg.exe"
        105⤵
        Drops file in System32 directory
        
        PID:2748
        
        C:\Windows\SysWOW64\regkrfpj.exe
        
        C:\Windows\system32\regkrfpj.exe 924 "C:\Windows\SysWOW64\ialzusfn.exe"
        106⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\regguhkk.exe
        
        C:\Windows\system32\regguhkk.exe 928 "C:\Windows\SysWOW64\regkrfpj.exe"
        107⤵
        
        PID:624
        
        C:\Windows\SysWOW64\convgprt.exe
        
        C:\Windows\system32\convgprt.exe 932 "C:\Windows\SysWOW64\regguhkk.exe"
        108⤵
        
        PID:516
        
        C:\Windows\SysWOW64\ipsxokzz.exe
        
        C:\Windows\system32\ipsxokzz.exe 936 "C:\Windows\SysWOW64\convgprt.exe"
        109⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\secloixy.exe
        
        C:\Windows\system32\secloixy.exe 644 "C:\Windows\SysWOW64\ipsxokzz.exe"
        110⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\xmlpznhr.exe
        
        C:\Windows\system32\xmlpznhr.exe 472 "C:\Windows\SysWOW64\secloixy.exe"
        111⤵
        
        PID:924
        
        C:\Windows\SysWOW64\advqhqxo.exe
        
        C:\Windows\system32\advqhqxo.exe 948 "C:\Windows\SysWOW64\xmlpznhr.exe"
        112⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmdhmdtd.exe
        
        C:\Windows\system32\cmdhmdtd.exe 952 "C:\Windows\SysWOW64\advqhqxo.exe"
        113⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\dlltflmm.exe
        
        C:\Windows\system32\dlltflmm.exe 956 "C:\Windows\SysWOW64\cmdhmdtd.exe"
        114⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\advgpasi.exe
        
        C:\Windows\system32\advgpasi.exe 476 "C:\Windows\SysWOW64\dlltflmm.exe"
        115⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\apigmlsd.exe
        
        C:\Windows\system32\apigmlsd.exe 964 "C:\Windows\SysWOW64\advgpasi.exe"
        116⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\regkwyjw.exe
        
        C:\Windows\system32\regkwyjw.exe 496 "C:\Windows\SysWOW64\apigmlsd.exe"
        117⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\iallvyqd.exe
        
        C:\Windows\system32\iallvyqd.exe 500 "C:\Windows\SysWOW64\regkwyjw.exe"
        118⤵
        
        PID:788
        
        C:\Windows\SysWOW64\secfdypw.exe
        
        C:\Windows\system32\secfdypw.exe 508 "C:\Windows\SysWOW64\iallvyqd.exe"
        119⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\apiipqda.exe
        
        C:\Windows\system32\apiipqda.exe 528 "C:\Windows\SysWOW64\secfdypw.exe"
        120⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\seczmydr.exe
        
        C:\Windows\system32\seczmydr.exe 652 "C:\Windows\SysWOW64\apiipqda.exe"
        121⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\netzmgih.exe
        
        C:\Windows\system32\netzmgih.exe 988 "C:\Windows\SysWOW64\seczmydr.exe"
        122⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmdxncen.exe
        
        C:\Windows\system32\cmdxncen.exe 720 "C:\Windows\SysWOW64\netzmgih.exe"
        123⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\conopenv.exe
        
        C:\Windows\system32\conopenv.exe 728 "C:\Windows\SysWOW64\cmdxncen.exe"
        124⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\capuwhcn.exe
        
        C:\Windows\system32\capuwhcn.exe 736 "C:\Windows\SysWOW64\conopenv.exe"
        125⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\regompbf.exe
        
        C:\Windows\system32\regompbf.exe 748 "C:\Windows\SysWOW64\capuwhcn.exe"
        126⤵
        
        PID:2772

C:\Windows\SysWOW64\regihcra.exe
C:\Windows\system32\regihcra.exe 756 "C:\Windows\SysWOW64\regompbf.exe"
1⤵
PID:2352
- C:\Windows\SysWOW64\dllfrwgr.exe
  C:\Windows\system32\dllfrwgr.exe 920 "C:\Windows\SysWOW64\regihcra.exe"
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\sysrdpuv.exe
    C:\Windows\system32\sysrdpuv.exe 808 "C:\Windows\SysWOW64\dllfrwgr.exe"
    3⤵
    PID:1456
  - - C:\Windows\SysWOW64\comfemsc.exe
      C:\Windows\system32\comfemsc.exe 960 "C:\Windows\SysWOW64\sysrdpuv.exe"
      4⤵
      PID:648
    - - C:\Windows\SysWOW64\capethch.exe
        
        C:\Windows\system32\capethch.exe 852 "C:\Windows\SysWOW64\comfemsc.exe"
        5⤵
        
        PID:1640
      - C:\Windows\SysWOW64\adviaftv.exe
        
        C:\Windows\system32\adviaftv.exe 940 "C:\Windows\SysWOW64\capethch.exe"
        6⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\dllepadg.exe
        
        C:\Windows\system32\dllepadg.exe 856 "C:\Windows\SysWOW64\adviaftv.exe"
        7⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\comevwqh.exe
        
        C:\Windows\system32\comevwqh.exe 1040 "C:\Windows\SysWOW64\dllepadg.exe"
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cliuzzak.exe
        
        C:\Windows\system32\cliuzzak.exe 888 "C:\Windows\SysWOW64\comevwqh.exe"
        9⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\igftdwkj.exe
        
        C:\Windows\system32\igftdwkj.exe 984 "C:\Windows\SysWOW64\cliuzzak.exe"
        10⤵
        
        PID:996
        
        C:\Windows\SysWOW64\nethorzw.exe
        
        C:\Windows\system32\nethorzw.exe 892 "C:\Windows\SysWOW64\igftdwkj.exe"
        11⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\winspuck.exe
        
        C:\Windows\system32\winspuck.exe 976 "C:\Windows\SysWOW64\nethorzw.exe"
        12⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\comlymex.exe
        
        C:\Windows\system32\comlymex.exe 944 "C:\Windows\SysWOW64\winspuck.exe"
        13⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\sysfrkuv.exe
        
        C:\Windows\system32\sysfrkuv.exe 996 "C:\Windows\SysWOW64\comlymex.exe"
        14⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\syssumpv.exe
        
        C:\Windows\system32\syssumpv.exe 968 "C:\Windows\SysWOW64\sysfrkuv.exe"
        15⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\conahmjk.exe
        
        C:\Windows\system32\conahmjk.exe 972 "C:\Windows\SysWOW64\syssumpv.exe"
        16⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\advrfsmj.exe
        
        C:\Windows\system32\advrfsmj.exe 1076 "C:\Windows\SysWOW64\conahmjk.exe"
        17⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\conrzvvz.exe
        
        C:\Windows\system32\conrzvvz.exe 1016 "C:\Windows\SysWOW64\advrfsmj.exe"
        18⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\advgywhp.exe
        
        C:\Windows\system32\advgywhp.exe 1084 "C:\Windows\SysWOW64\conrzvvz.exe"
        19⤵
        
        PID:904
        
        C:\Windows\SysWOW64\secyluhq.exe
        
        C:\Windows\system32\secyluhq.exe 980 "C:\Windows\SysWOW64\advgywhp.exe"
        20⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\capkejzi.exe
        
        C:\Windows\system32\capkejzi.exe 992 "C:\Windows\SysWOW64\secyluhq.exe"
        21⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\fxsihmhi.exe
        
        C:\Windows\system32\fxsihmhi.exe 1032 "C:\Windows\SysWOW64\capkejzi.exe"
        22⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\comntuts.exe
        
        C:\Windows\system32\comntuts.exe 1000 "C:\Windows\SysWOW64\fxsihmhi.exe"
        23⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\fxsdmuzc.exe
        
        C:\Windows\system32\fxsdmuzc.exe 1004 "C:\Windows\SysWOW64\comntuts.exe"
        24⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\secewhdn.exe
        
        C:\Windows\system32\secewhdn.exe 1008 "C:\Windows\SysWOW64\fxsdmuzc.exe"
        25⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\comdjeom.exe
        
        C:\Windows\system32\comdjeom.exe 1052 "C:\Windows\SysWOW64\secewhdn.exe"
        26⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\cliqumho.exe
        
        C:\Windows\system32\cliqumho.exe 1072 "C:\Windows\SysWOW64\comdjeom.exe"
        27⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\conjdfbi.exe
        
        C:\Windows\system32\conjdfbi.exe 1020 "C:\Windows\SysWOW64\cliqumho.exe"
        28⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\clizasxo.exe
        
        C:\Windows\system32\clizasxo.exe 1012 "C:\Windows\SysWOW64\conjdfbi.exe"
        29⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\igfymphn.exe
        
        C:\Windows\system32\igfymphn.exe 1064 "C:\Windows\SysWOW64\clizasxo.exe"
        30⤵
        
        PID:864
        
        C:\Windows\SysWOW64\conrlpwu.exe
        
        C:\Windows\system32\conrlpwu.exe 1088 "C:\Windows\SysWOW64\igfymphn.exe"
        31⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\winwkidd.exe
        
        C:\Windows\system32\winwkidd.exe 1028 "C:\Windows\SysWOW64\conrlpwu.exe"
        32⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\ipsgvlle.exe
        
        C:\Windows\system32\ipsgvlle.exe 1036 "C:\Windows\SysWOW64\winwkidd.exe"
        33⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\sysnjvaw.exe
        
        C:\Windows\system32\sysnjvaw.exe 1044 "C:\Windows\SysWOW64\ipsgvlle.exe"
        34⤵
        
        PID:984
        
        C:\Windows\SysWOW64\sysimyvw.exe
        
        C:\Windows\system32\sysimyvw.exe 1048 "C:\Windows\SysWOW64\sysnjvaw.exe"
        35⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\fxstldkq.exe
        
        C:\Windows\system32\fxstldkq.exe 1056 "C:\Windows\SysWOW64\sysimyvw.exe"
        36⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmdukdzw.exe
        
        C:\Windows\system32\cmdukdzw.exe 1060 "C:\Windows\SysWOW64\fxstldkq.exe"
        37⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\autwkllf.exe
        
        C:\Windows\system32\autwkllf.exe 1068 "C:\Windows\SysWOW64\cmdukdzw.exe"
        38⤵
        
        PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\advlipnm.exe

Filesize
90KB

MD5
16eaaea528f61ae90ad1cd1ba88100a0

SHA1
f144a0a6e60a5c79670852e44d4d7a7ff5eba345

SHA256
76117165b342f0390a5b48c258c1342cd444ecafeddf4ff413acf2d04930219b

SHA512
1d1204ba41005d4aec8240e26ebb60135a1521e0ebd2f0c3832afed49fad2c045b9f6932d76f7ee250281581739176f81da0e5b6b139c869790a9be8482ba7fa

Download Submit
memory/328-280-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/456-491-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/524-507-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/804-158-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/804-143-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/804-154-0x00000000007C0000-0x0000000000847000-memory.dmp

Filesize
540KB

Download
memory/804-156-0x00000000007C0000-0x0000000000847000-memory.dmp

Filesize
540KB

Download
memory/1088-111-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1088-99-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1088-93-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1092-223-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1092-214-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1208-334-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1208-322-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1208-330-0x0000000000680000-0x0000000000707000-memory.dmp

Filesize
540KB

Download
memory/1404-232-0x0000000000030000-0x0000000000034000-memory.dmp

Filesize
16KB

Download
memory/1404-240-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1404-231-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1468-107-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1468-121-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1536-296-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1536-306-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1536-297-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1540-183-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1540-170-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1548-568-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1552-553-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1560-578-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1572-195-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1572-182-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1592-546-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1616-69-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1616-65-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1636-141-0x00000000026B0000-0x0000000002737000-memory.dmp

Filesize
540KB

Download
memory/1636-145-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1672-377-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1672-383-0x0000000002300000-0x0000000002387000-memory.dmp

Filesize
540KB

Download
memory/1672-388-0x0000000002300000-0x0000000002387000-memory.dmp

Filesize
540KB

Download
memory/1672-389-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1704-348-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1704-356-0x00000000025C0000-0x0000000002647000-memory.dmp

Filesize
540KB

Download
memory/1704-357-0x00000000025C0000-0x0000000002647000-memory.dmp

Filesize
540KB

Download
memory/1704-359-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1720-387-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1720-396-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1800-376-0x0000000000640000-0x00000000006C7000-memory.dmp

Filesize
540KB

Download
memory/1800-379-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1800-378-0x0000000000640000-0x00000000006C7000-memory.dmp

Filesize
540KB

Download
memory/1800-368-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1848-366-0x0000000002610000-0x0000000002697000-memory.dmp

Filesize
540KB

Download
memory/1848-358-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1848-369-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1848-367-0x0000000002610000-0x0000000002697000-memory.dmp

Filesize
540KB

Download
memory/1936-530-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1940-119-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1940-132-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1944-516-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2052-63-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/2052-64-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2052-76-0x0000000002590000-0x0000000002617000-memory.dmp

Filesize
540KB

Download
memory/2052-79-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2056-233-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2056-230-0x0000000002450000-0x00000000024D7000-memory.dmp

Filesize
540KB

Download
memory/2056-222-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2080-295-0x00000000025E0000-0x0000000002667000-memory.dmp

Filesize
540KB

Download
memory/2080-298-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2080-287-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2104-427-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2132-403-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2132-413-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2148-420-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2220-436-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2260-539-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2332-459-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2344-561-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2372-339-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2372-347-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/2372-349-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2388-171-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2388-169-0x00000000025F0000-0x0000000002677000-memory.dmp

Filesize
540KB

Download
memory/2388-157-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2456-584-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2524-483-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2540-452-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2556-265-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2556-255-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2560-274-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2560-264-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2580-468-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2604-314-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2604-305-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2664-249-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2664-247-0x0000000002470000-0x00000000024F7000-memory.dmp

Filesize
540KB

Download
memory/2716-523-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2804-26-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2804-37-0x00000000026A0000-0x0000000002727000-memory.dmp

Filesize
540KB

Download
memory/2804-41-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2828-40-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2828-52-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2828-39-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2828-91-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2880-405-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2908-444-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2916-248-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2916-257-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2940-205-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2952-90-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2952-78-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2952-92-0x0000000002660000-0x00000000026E7000-memory.dmp

Filesize
540KB

Download
memory/2952-95-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2960-499-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2964-288-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2964-279-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2972-476-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2976-313-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2976-323-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2976-321-0x0000000000490000-0x0000000000517000-memory.dmp

Filesize
540KB

Download
memory/2992-23-0x0000000002630000-0x00000000026B7000-memory.dmp

Filesize
540KB

Download
memory/2992-25-0x0000000002630000-0x00000000026B7000-memory.dmp

Filesize
540KB

Download
memory/2992-27-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3016-215-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3016-213-0x00000000025F0000-0x0000000002677000-memory.dmp

Filesize
540KB

Download
memory/3020-340-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3020-331-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3052-0-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3052-16-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3052-6-0x00000000026B0000-0x0000000002737000-memory.dmp

Filesize
540KB

Download
memory/3052-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads