844f174440af181e2dddc43a472053f754d80fc312366dd63f2278f8e5bc625f

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31-12-2023 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a3dc2e0b15cf61b8308066b41171875.exe
Size

89KB
MD5

3a3dc2e0b15cf61b8308066b41171875
SHA1

974be0049b3b305bbcb6f4d61e103c18a41f5e7c
SHA256

844f174440af181e2dddc43a472053f754d80fc312366dd63f2278f8e5bc625f
SHA512

90f8dbba6d9e052da9c2be0ee9d72ac35afe51b6ab91117a960f191007f278ed9871bf376acb51c69fc992313f6f73ddb74f7bf87cb9af5c113ee9d5fd844397
SSDEEP

1536:D0GazZad8Qroy3pM5zpkopTnHGjKFW3KC2x26feC+2eE/SIx4NCch1y3VWA:DldTMym5zp1pTH+KvzZx10aAA

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3240	regdgrjl.exe
4856	secvioog.exe
3448	drveyjfl.exe
1456	sysldchx.exe
4892	xmltqcbm.exe
2228	dllormih.exe
1500	syssbzaa.exe
2580	ipsockhu.exe
756	advdgcjg.exe
3696	dllkucev.exe
924	comdbvsc.exe
3752	ialaoqwn.exe
3124	ialorsrn.exe
2428	winloafo.exe
2016	igfqyooz.exe
4728	ipsedgyl.exe
1096	dllmyyka.exe
3428	dlltdrmu.exe
2088	secayjgk.exe
4260	coneiwqv.exe
1336	dllhduci.exe
840	regxzhot.exe
4536	capemzbi.exe
1900	xmlanrqd.exe
1520	ialjuutc.exe
1680	winiyreb.exe
1940	xmlezklv.exe
4740	capldheu.exe
4784	winvjkhu.exe
3592	secnikna.exe
624	fxsvdkhq.exe
3568	autrevpk.exe
2544	coneolvo.exe
4540	cmdqhsoy.exe
1340	fxsrgtdf.exe
1640	capnhdkz.exe
1108	xmliivsu.exe
4820	dllebgho.exe
4252	clioqlme.exe
4344	igfvcjxd.exe
2960	comrvbex.exe
4568	sysblzrw.exe
2000	regzqpxp.exe
448	autodhrm.exe
3552	capvqzty.exe
3628	ialuuxlx.exe
1080	cmdmjcqn.exe
3452	drvikmyh.exe
5068	xmlhoqft.exe
3360	xmlvqysi.exe
904	ialngefy.exe
3908	sysslpqc.exe
2360	conuenxb.exe
1800	conkneoe.exe
3944	netrbbub.exe
4468	regehupy.exe
1652	autfanfj.exe
832	netvnaxa.exe
1468	igfnokrn.exe
1196	cmdfdqwd.exe
216	secgwilo.exe
1408	advgotvx.exe
2472	wineewyu.exe
416	xmlqsuyg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xmlanrqd.exe	capemzbi.exe
File opened for modification	C:\Windows\SysWOW64\igffsmzp.exe	winjatrv.exe
File created	C:\Windows\SysWOW64\sysgdzwz.exe	cmdlackm.exe
File opened for modification	C:\Windows\SysWOW64\advqzjrx.exe	ialsccdw.exe
File opened for modification	C:\Windows\SysWOW64\winloafo.exe	ialorsrn.exe
File created	C:\Windows\SysWOW64\ialodvkw.exe	sysvuxqv.exe
File created	C:\Windows\SysWOW64\cmdyhhos.exe	advnegwc.exe
File created	C:\Windows\SysWOW64\secgndul.exe	reghjfkm.exe
File created	C:\Windows\SysWOW64\dllclult.exe	cmdpsgsc.exe
File created	C:\Windows\SysWOW64\xmliivsu.exe	capnhdkz.exe
File created	C:\Windows\SysWOW64\apiozove.exe	cmdgyteg.exe
File opened for modification	C:\Windows\SysWOW64\dllnrupm.exe	commsubf.exe
File opened for modification	C:\Windows\SysWOW64\dllarjry.exe	sysqzixs.exe
File created	C:\Windows\SysWOW64\consraoq.exe	winukavj.exe
File created	C:\Windows\SysWOW64\comohzgr.exe	autpmwxj.exe
File opened for modification	C:\Windows\SysWOW64\regpphhr.exe	conkwzwh.exe
File created	C:\Windows\SysWOW64\comrhvoi.exe	regqaslj.exe
File opened for modification	C:\Windows\SysWOW64\conkneoe.exe	conuenxb.exe
File created	C:\Windows\SysWOW64\drvtthqa.exe	ipsgptau.exe
File created	C:\Windows\SysWOW64\conooblq.exe	apikcjxm.exe
File created	C:\Windows\SysWOW64\seccermz.exe	igfsmtud.exe
File opened for modification	C:\Windows\SysWOW64\igfmbxzp.exe	regagkbn.exe
File opened for modification	C:\Windows\SysWOW64\regehupy.exe	netrbbub.exe
File opened for modification	C:\Windows\SysWOW64\conlxves.exe	advtiqzc.exe
File created	C:\Windows\SysWOW64\advhcoct.exe	igflqgvl.exe
File created	C:\Windows\SysWOW64\fxsdqvhw.exe	syslqfpa.exe
File opened for modification	C:\Windows\SysWOW64\convplbl.exe	conbuqlj.exe
File created	C:\Windows\SysWOW64\igfnokrn.exe	netvnaxa.exe
File created	C:\Windows\SysWOW64\cliwcwox.exe	netdeehq.exe
File created	C:\Windows\SysWOW64\clipescn.exe	igftdamt.exe
File opened for modification	C:\Windows\SysWOW64\ialxsiys.exe	secidcgc.exe
File created	C:\Windows\SysWOW64\advkrjge.exe	comdczrn.exe
File opened for modification	C:\Windows\SysWOW64\ipsoiswb.exe	xmlvjspv.exe
File created	C:\Windows\SysWOW64\igfvcfga.exe	igfizclz.exe
File opened for modification	C:\Windows\SysWOW64\netbwwvz.exe	apiblzwu.exe
File created	C:\Windows\SysWOW64\advnegwc.exe	secggybq.exe
File opened for modification	C:\Windows\SysWOW64\xmlagiva.exe	apivnacy.exe
File created	C:\Windows\SysWOW64\igfwzemp.exe	sysjqpyl.exe
File opened for modification	C:\Windows\SysWOW64\advtiqzc.exe	cliluyff.exe
File created	C:\Windows\SysWOW64\xmlqqgbm.exe	dllxojos.exe
File opened for modification	C:\Windows\SysWOW64\syslqfpa.exe	advntxkz.exe
File created	C:\Windows\SysWOW64\dllkucev.exe	advdgcjg.exe
File opened for modification	C:\Windows\SysWOW64\igfatxhi.exe	drvesmzn.exe
File opened for modification	C:\Windows\SysWOW64\ialnuhts.exe	advkrjge.exe
File opened for modification	C:\Windows\SysWOW64\dlludbkz.exe	ipsyeqoy.exe
File created	C:\Windows\SysWOW64\secrmaex.exe	cliwlhoc.exe
File opened for modification	C:\Windows\SysWOW64\drvtthqa.exe	ipsgptau.exe
File created	C:\Windows\SysWOW64\clipmunv.exe	autzyhjt.exe
File opened for modification	C:\Windows\SysWOW64\cmdmjcqn.exe	ialuuxlx.exe
File created	C:\Windows\SysWOW64\advqzjrx.exe	ialsccdw.exe
File opened for modification	C:\Windows\SysWOW64\ipsyeqoy.exe	winctdwn.exe
File created	C:\Windows\SysWOW64\sysbrlmu.exe	regfqbfz.exe
File opened for modification	C:\Windows\SysWOW64\xmlflilj.exe	ialxsiys.exe
File opened for modification	C:\Windows\SysWOW64\igfjxhia.exe	advfvuyp.exe
File opened for modification	C:\Windows\SysWOW64\advnegwc.exe	secggybq.exe
File opened for modification	C:\Windows\SysWOW64\capqyrea.exe	cliwcwox.exe
File created	C:\Windows\SysWOW64\dllhduci.exe	coneiwqv.exe
File created	C:\Windows\SysWOW64\ialhcggo.exe	drvdmykd.exe
File created	C:\Windows\SysWOW64\capffdgu.exe	igfswgaq.exe
File created	C:\Windows\SysWOW64\reghjfkm.exe	apilinur.exe
File created	C:\Windows\SysWOW64\fxsibrmw.exe	xmlzvojw.exe
File created	C:\Windows\SysWOW64\comviovh.exe	cmddjemy.exe
File created	C:\Windows\SysWOW64\dllebgho.exe	xmliivsu.exe
File opened for modification	C:\Windows\SysWOW64\secrmaex.exe	cliwlhoc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 3240	3812	3a3dc2e0b15cf61b8308066b41171875.exe	91
PID 3812 wrote to memory of 3240	3812	3a3dc2e0b15cf61b8308066b41171875.exe	91
PID 3812 wrote to memory of 3240	3812	3a3dc2e0b15cf61b8308066b41171875.exe	91
PID 3240 wrote to memory of 4856	3240	regdgrjl.exe	92
PID 3240 wrote to memory of 4856	3240	regdgrjl.exe	92
PID 3240 wrote to memory of 4856	3240	regdgrjl.exe	92
PID 4856 wrote to memory of 3448	4856	secvioog.exe	93
PID 4856 wrote to memory of 3448	4856	secvioog.exe	93
PID 4856 wrote to memory of 3448	4856	secvioog.exe	93
PID 3448 wrote to memory of 1456	3448	drveyjfl.exe	94
PID 3448 wrote to memory of 1456	3448	drveyjfl.exe	94
PID 3448 wrote to memory of 1456	3448	drveyjfl.exe	94
PID 1456 wrote to memory of 4892	1456	sysldchx.exe	95
PID 1456 wrote to memory of 4892	1456	sysldchx.exe	95
PID 1456 wrote to memory of 4892	1456	sysldchx.exe	95
PID 4892 wrote to memory of 2228	4892	xmltqcbm.exe	96
PID 4892 wrote to memory of 2228	4892	xmltqcbm.exe	96
PID 4892 wrote to memory of 2228	4892	xmltqcbm.exe	96
PID 2228 wrote to memory of 1500	2228	dllormih.exe	97
PID 2228 wrote to memory of 1500	2228	dllormih.exe	97
PID 2228 wrote to memory of 1500	2228	dllormih.exe	97
PID 1500 wrote to memory of 2580	1500	syssbzaa.exe	98
PID 1500 wrote to memory of 2580	1500	syssbzaa.exe	98
PID 1500 wrote to memory of 2580	1500	syssbzaa.exe	98
PID 2580 wrote to memory of 756	2580	ipsockhu.exe	99
PID 2580 wrote to memory of 756	2580	ipsockhu.exe	99
PID 2580 wrote to memory of 756	2580	ipsockhu.exe	99
PID 756 wrote to memory of 3696	756	advdgcjg.exe	100
PID 756 wrote to memory of 3696	756	advdgcjg.exe	100
PID 756 wrote to memory of 3696	756	advdgcjg.exe	100
PID 3696 wrote to memory of 924	3696	dllkucev.exe	101
PID 3696 wrote to memory of 924	3696	dllkucev.exe	101
PID 3696 wrote to memory of 924	3696	dllkucev.exe	101
PID 924 wrote to memory of 3752	924	comdbvsc.exe	102
PID 924 wrote to memory of 3752	924	comdbvsc.exe	102
PID 924 wrote to memory of 3752	924	comdbvsc.exe	102
PID 3752 wrote to memory of 3124	3752	ialaoqwn.exe	103
PID 3752 wrote to memory of 3124	3752	ialaoqwn.exe	103
PID 3752 wrote to memory of 3124	3752	ialaoqwn.exe	103
PID 3124 wrote to memory of 2428	3124	ialorsrn.exe	104
PID 3124 wrote to memory of 2428	3124	ialorsrn.exe	104
PID 3124 wrote to memory of 2428	3124	ialorsrn.exe	104
PID 2428 wrote to memory of 2016	2428	winloafo.exe	105
PID 2428 wrote to memory of 2016	2428	winloafo.exe	105
PID 2428 wrote to memory of 2016	2428	winloafo.exe	105
PID 2016 wrote to memory of 4728	2016	igfqyooz.exe	106
PID 2016 wrote to memory of 4728	2016	igfqyooz.exe	106
PID 2016 wrote to memory of 4728	2016	igfqyooz.exe	106
PID 4728 wrote to memory of 1096	4728	ipsedgyl.exe	107
PID 4728 wrote to memory of 1096	4728	ipsedgyl.exe	107
PID 4728 wrote to memory of 1096	4728	ipsedgyl.exe	107
PID 1096 wrote to memory of 3428	1096	dllmyyka.exe	108
PID 1096 wrote to memory of 3428	1096	dllmyyka.exe	108
PID 1096 wrote to memory of 3428	1096	dllmyyka.exe	108
PID 3428 wrote to memory of 2088	3428	dlltdrmu.exe	109
PID 3428 wrote to memory of 2088	3428	dlltdrmu.exe	109
PID 3428 wrote to memory of 2088	3428	dlltdrmu.exe	109
PID 2088 wrote to memory of 4260	2088	secayjgk.exe	110
PID 2088 wrote to memory of 4260	2088	secayjgk.exe	110
PID 2088 wrote to memory of 4260	2088	secayjgk.exe	110
PID 4260 wrote to memory of 1336	4260	coneiwqv.exe	111
PID 4260 wrote to memory of 1336	4260	coneiwqv.exe	111
PID 4260 wrote to memory of 1336	4260	coneiwqv.exe	111
PID 1336 wrote to memory of 840	1336	dllhduci.exe	112

C:\Users\Admin\AppData\Local\Temp\3a3dc2e0b15cf61b8308066b41171875.exe
"C:\Users\Admin\AppData\Local\Temp\3a3dc2e0b15cf61b8308066b41171875.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Windows\SysWOW64\regdgrjl.exe
  C:\Windows\system32\regdgrjl.exe 1124 "C:\Users\Admin\AppData\Local\Temp\3a3dc2e0b15cf61b8308066b41171875.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\secvioog.exe
    C:\Windows\system32\secvioog.exe 992 "C:\Windows\SysWOW64\regdgrjl.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\drveyjfl.exe
      C:\Windows\system32\drveyjfl.exe 1132 "C:\Windows\SysWOW64\secvioog.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3448
    - - C:\Windows\SysWOW64\sysldchx.exe
        
        C:\Windows\system32\sysldchx.exe 996 "C:\Windows\SysWOW64\drveyjfl.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1456
      - C:\Windows\SysWOW64\xmltqcbm.exe
        
        C:\Windows\system32\xmltqcbm.exe 1028 "C:\Windows\SysWOW64\sysldchx.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4892
        
        C:\Windows\SysWOW64\dllormih.exe
        
        C:\Windows\system32\dllormih.exe 1040 "C:\Windows\SysWOW64\xmltqcbm.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\syssbzaa.exe
        
        C:\Windows\system32\syssbzaa.exe 1144 "C:\Windows\SysWOW64\dllormih.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\ipsockhu.exe
        
        C:\Windows\system32\ipsockhu.exe 1156 "C:\Windows\SysWOW64\syssbzaa.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\advdgcjg.exe
        
        C:\Windows\system32\advdgcjg.exe 1152 "C:\Windows\SysWOW64\ipsockhu.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\dllkucev.exe
        
        C:\Windows\system32\dllkucev.exe 1164 "C:\Windows\SysWOW64\advdgcjg.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\comdbvsc.exe
        
        C:\Windows\system32\comdbvsc.exe 1160 "C:\Windows\SysWOW64\dllkucev.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\ialaoqwn.exe
        
        C:\Windows\system32\ialaoqwn.exe 1172 "C:\Windows\SysWOW64\comdbvsc.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\ialorsrn.exe
        
        C:\Windows\system32\ialorsrn.exe 1168 "C:\Windows\SysWOW64\ialaoqwn.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\winloafo.exe
        
        C:\Windows\system32\winloafo.exe 1176 "C:\Windows\SysWOW64\ialorsrn.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\igfqyooz.exe
        
        C:\Windows\system32\igfqyooz.exe 1180 "C:\Windows\SysWOW64\winloafo.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\ipsedgyl.exe
        
        C:\Windows\system32\ipsedgyl.exe 1032 "C:\Windows\SysWOW64\igfqyooz.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\dllmyyka.exe
        
        C:\Windows\system32\dllmyyka.exe 1020 "C:\Windows\SysWOW64\ipsedgyl.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\dlltdrmu.exe
        
        C:\Windows\system32\dlltdrmu.exe 1000 "C:\Windows\SysWOW64\dllmyyka.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\secayjgk.exe
        
        C:\Windows\system32\secayjgk.exe 1196 "C:\Windows\SysWOW64\dlltdrmu.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\SysWOW64\coneiwqv.exe
        
        C:\Windows\system32\coneiwqv.exe 1200 "C:\Windows\SysWOW64\secayjgk.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\dllhduci.exe
        
        C:\Windows\system32\dllhduci.exe 1208 "C:\Windows\SysWOW64\coneiwqv.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\SysWOW64\regxzhot.exe
        
        C:\Windows\system32\regxzhot.exe 1212 "C:\Windows\SysWOW64\dllhduci.exe"
        23⤵
        Executes dropped EXE
        
        PID:840
        
        C:\Windows\SysWOW64\capemzbi.exe
        
        C:\Windows\system32\capemzbi.exe 1204 "C:\Windows\SysWOW64\regxzhot.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\xmlanrqd.exe
        
        C:\Windows\system32\xmlanrqd.exe 1184 "C:\Windows\SysWOW64\capemzbi.exe"
        25⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Windows\SysWOW64\ialjuutc.exe
        
        C:\Windows\system32\ialjuutc.exe 1220 "C:\Windows\SysWOW64\xmlanrqd.exe"
        26⤵
        Executes dropped EXE
        
        PID:1520
        
        C:\Windows\SysWOW64\winiyreb.exe
        
        C:\Windows\system32\winiyreb.exe 1056 "C:\Windows\SysWOW64\ialjuutc.exe"
        27⤵
        Executes dropped EXE
        
        PID:1680
        
        C:\Windows\SysWOW64\xmlezklv.exe
        
        C:\Windows\system32\xmlezklv.exe 1228 "C:\Windows\SysWOW64\winiyreb.exe"
        28⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\capldheu.exe
        
        C:\Windows\system32\capldheu.exe 1232 "C:\Windows\SysWOW64\xmlezklv.exe"
        29⤵
        Executes dropped EXE
        
        PID:4740
        
        C:\Windows\SysWOW64\winvjkhu.exe
        
        C:\Windows\system32\winvjkhu.exe 1236 "C:\Windows\SysWOW64\capldheu.exe"
        30⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\secnikna.exe
        
        C:\Windows\system32\secnikna.exe 1048 "C:\Windows\SysWOW64\winvjkhu.exe"
        31⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Windows\SysWOW64\fxsvdkhq.exe
        
        C:\Windows\system32\fxsvdkhq.exe 1240 "C:\Windows\SysWOW64\secnikna.exe"
        32⤵
        Executes dropped EXE
        
        PID:624
        
        C:\Windows\SysWOW64\autrevpk.exe
        
        C:\Windows\system32\autrevpk.exe 1252 "C:\Windows\SysWOW64\fxsvdkhq.exe"
        33⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Windows\SysWOW64\coneolvo.exe
        
        C:\Windows\system32\coneolvo.exe 1248 "C:\Windows\SysWOW64\autrevpk.exe"
        34⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\cmdqhsoy.exe
        
        C:\Windows\system32\cmdqhsoy.exe 1256 "C:\Windows\SysWOW64\coneolvo.exe"
        35⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\SysWOW64\fxsrgtdf.exe
        
        C:\Windows\system32\fxsrgtdf.exe 1260 "C:\Windows\SysWOW64\cmdqhsoy.exe"
        36⤵
        Executes dropped EXE
        
        PID:1340
        
        C:\Windows\SysWOW64\capnhdkz.exe
        
        C:\Windows\system32\capnhdkz.exe 1052 "C:\Windows\SysWOW64\fxsrgtdf.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\xmliivsu.exe
        
        C:\Windows\system32\xmliivsu.exe 1268 "C:\Windows\SysWOW64\capnhdkz.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1108
        
        C:\Windows\SysWOW64\dllebgho.exe
        
        C:\Windows\system32\dllebgho.exe 1272 "C:\Windows\SysWOW64\xmliivsu.exe"
        39⤵
        Executes dropped EXE
        
        PID:4820
        
        C:\Windows\SysWOW64\clioqlme.exe
        
        C:\Windows\system32\clioqlme.exe 1016 "C:\Windows\SysWOW64\dllebgho.exe"
        40⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\igfvcjxd.exe
        
        C:\Windows\system32\igfvcjxd.exe 1280 "C:\Windows\SysWOW64\clioqlme.exe"
        41⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Windows\SysWOW64\comrvbex.exe
        
        C:\Windows\system32\comrvbex.exe 1076 "C:\Windows\SysWOW64\igfvcjxd.exe"
        42⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\SysWOW64\sysblzrw.exe
        
        C:\Windows\system32\sysblzrw.exe 1284 "C:\Windows\SysWOW64\comrvbex.exe"
        43⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Windows\SysWOW64\regzqpxp.exe
        
        C:\Windows\system32\regzqpxp.exe 1292 "C:\Windows\SysWOW64\sysblzrw.exe"
        44⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\autodhrm.exe
        
        C:\Windows\system32\autodhrm.exe 1064 "C:\Windows\SysWOW64\regzqpxp.exe"
        45⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\capvqzty.exe
        
        C:\Windows\system32\capvqzty.exe 1320 "C:\Windows\SysWOW64\autodhrm.exe"
        46⤵
        Executes dropped EXE
        
        PID:3552
        
        C:\Windows\SysWOW64\ialuuxlx.exe
        
        C:\Windows\system32\ialuuxlx.exe 1068 "C:\Windows\SysWOW64\capvqzty.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3628
        
        C:\Windows\SysWOW64\cmdmjcqn.exe
        
        C:\Windows\system32\cmdmjcqn.exe 1304 "C:\Windows\SysWOW64\ialuuxlx.exe"
        48⤵
        Executes dropped EXE
        
        PID:1080
        
        C:\Windows\SysWOW64\drvikmyh.exe
        
        C:\Windows\system32\drvikmyh.exe 1072 "C:\Windows\SysWOW64\cmdmjcqn.exe"
        49⤵
        Executes dropped EXE
        
        PID:3452
        
        C:\Windows\SysWOW64\xmlhoqft.exe
        
        C:\Windows\system32\xmlhoqft.exe 1080 "C:\Windows\SysWOW64\drvikmyh.exe"
        50⤵
        Executes dropped EXE
        
        PID:5068
        
        C:\Windows\SysWOW64\xmlvqysi.exe
        
        C:\Windows\system32\xmlvqysi.exe 1316 "C:\Windows\SysWOW64\xmlhoqft.exe"
        51⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\ialngefy.exe
        
        C:\Windows\system32\ialngefy.exe 1324 "C:\Windows\SysWOW64\xmlvqysi.exe"
        52⤵
        Executes dropped EXE
        
        PID:904
        
        C:\Windows\SysWOW64\sysslpqc.exe
        
        C:\Windows\system32\sysslpqc.exe 1332 "C:\Windows\SysWOW64\ialngefy.exe"
        53⤵
        Executes dropped EXE
        
        PID:3908
        
        C:\Windows\SysWOW64\conuenxb.exe
        
        C:\Windows\system32\conuenxb.exe 1004 "C:\Windows\SysWOW64\sysslpqc.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\conkneoe.exe
        
        C:\Windows\system32\conkneoe.exe 1088 "C:\Windows\SysWOW64\conuenxb.exe"
        55⤵
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\SysWOW64\netrbbub.exe
        
        C:\Windows\system32\netrbbub.exe 1344 "C:\Windows\SysWOW64\conkneoe.exe"
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3944
        
        C:\Windows\SysWOW64\regehupy.exe
        
        C:\Windows\system32\regehupy.exe 1092 "C:\Windows\SysWOW64\netrbbub.exe"
        57⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\autfanfj.exe
        
        C:\Windows\system32\autfanfj.exe 1348 "C:\Windows\SysWOW64\regehupy.exe"
        58⤵
        Executes dropped EXE
        
        PID:1652
        
        C:\Windows\SysWOW64\netvnaxa.exe
        
        C:\Windows\system32\netvnaxa.exe 1352 "C:\Windows\SysWOW64\autfanfj.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\igfnokrn.exe
        
        C:\Windows\system32\igfnokrn.exe 1008 "C:\Windows\SysWOW64\netvnaxa.exe"
        60⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Windows\SysWOW64\cmdfdqwd.exe
        
        C:\Windows\system32\cmdfdqwd.exe 1360 "C:\Windows\SysWOW64\igfnokrn.exe"
        61⤵
        Executes dropped EXE
        
        PID:1196
        
        C:\Windows\SysWOW64\secgwilo.exe
        
        C:\Windows\system32\secgwilo.exe 1368 "C:\Windows\SysWOW64\cmdfdqwd.exe"
        62⤵
        Executes dropped EXE
        
        PID:216
        
        C:\Windows\SysWOW64\advgotvx.exe
        
        C:\Windows\system32\advgotvx.exe 1364 "C:\Windows\SysWOW64\secgwilo.exe"
        63⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Windows\SysWOW64\wineewyu.exe
        
        C:\Windows\system32\wineewyu.exe 1380 "C:\Windows\SysWOW64\advgotvx.exe"
        64⤵
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SysWOW64\xmlqsuyg.exe
        
        C:\Windows\system32\xmlqsuyg.exe 1372 "C:\Windows\SysWOW64\wineewyu.exe"
        65⤵
        Executes dropped EXE
        
        PID:416
        
        C:\Windows\SysWOW64\secuokse.exe
        
        C:\Windows\system32\secuokse.exe 1376 "C:\Windows\SysWOW64\xmlqsuyg.exe"
        66⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\sysycabr.exe
        
        C:\Windows\system32\sysycabr.exe 1044 "C:\Windows\SysWOW64\secuokse.exe"
        67⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\secywzku.exe
        
        C:\Windows\system32\secywzku.exe 1388 "C:\Windows\SysWOW64\sysycabr.exe"
        68⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\ialvwxhs.exe
        
        C:\Windows\system32\ialvwxhs.exe 1012 "C:\Windows\SysWOW64\secywzku.exe"
        69⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\autpmcyr.exe
        
        C:\Windows\system32\autpmcyr.exe 1104 "C:\Windows\SysWOW64\ialvwxhs.exe"
        70⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\fxsxstnx.exe
        
        C:\Windows\system32\fxsxstnx.exe 1036 "C:\Windows\SysWOW64\autpmcyr.exe"
        71⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\xmlrfifq.exe
        
        C:\Windows\system32\xmlrfifq.exe 1084 "C:\Windows\SysWOW64\fxsxstnx.exe"
        72⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\autbydrm.exe
        
        C:\Windows\system32\autbydrm.exe 1416 "C:\Windows\SysWOW64\xmlrfifq.exe"
        73⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\fxscibxg.exe
        
        C:\Windows\system32\fxscibxg.exe 1408 "C:\Windows\SysWOW64\autbydrm.exe"
        74⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\netuyhbw.exe
        
        C:\Windows\system32\netuyhbw.exe 1412 "C:\Windows\SysWOW64\fxscibxg.exe"
        75⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\apiblzwu.exe
        
        C:\Windows\system32\apiblzwu.exe 1120 "C:\Windows\SysWOW64\netuyhbw.exe"
        76⤵
        Drops file in System32 directory
        
        PID:3868
        
        C:\Windows\SysWOW64\netbwwvz.exe
        
        C:\Windows\system32\netbwwvz.exe 1060 "C:\Windows\SysWOW64\apiblzwu.exe"
        77⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\sysvuxqv.exe
        
        C:\Windows\system32\sysvuxqv.exe 1448 "C:\Windows\SysWOW64\netbwwvz.exe"
        78⤵
        Drops file in System32 directory
        
        PID:4800
        
        C:\Windows\SysWOW64\ialodvkw.exe
        
        C:\Windows\system32\ialodvkw.exe 1136 "C:\Windows\SysWOW64\sysvuxqv.exe"
        79⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\secggybq.exe
        
        C:\Windows\system32\secggybq.exe 1148 "C:\Windows\SysWOW64\ialodvkw.exe"
        80⤵
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\advnegwc.exe
        
        C:\Windows\system32\advnegwc.exe 1140 "C:\Windows\SysWOW64\secggybq.exe"
        81⤵
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\cmdyhhos.exe
        
        C:\Windows\system32\cmdyhhos.exe 1188 "C:\Windows\SysWOW64\advnegwc.exe"
        82⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\drvdmykd.exe
        
        C:\Windows\system32\drvdmykd.exe 1444 "C:\Windows\SysWOW64\cmdyhhos.exe"
        83⤵
        Drops file in System32 directory
        
        PID:1756
        
        C:\Windows\SysWOW64\ialhcggo.exe
        
        C:\Windows\system32\ialhcggo.exe 1096 "C:\Windows\SysWOW64\drvdmykd.exe"
        84⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\winfhotp.exe
        
        C:\Windows\system32\winfhotp.exe 1100 "C:\Windows\SysWOW64\ialhcggo.exe"
        85⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\netdeehq.exe
        
        C:\Windows\system32\netdeehq.exe 1460 "C:\Windows\SysWOW64\winfhotp.exe"
        86⤵
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\cliwcwox.exe
        
        C:\Windows\system32\cliwcwox.exe 1464 "C:\Windows\SysWOW64\netdeehq.exe"
        87⤵
        Drops file in System32 directory
        
        PID:4588
        
        C:\Windows\SysWOW64\capqyrea.exe
        
        C:\Windows\system32\capqyrea.exe 1468 "C:\Windows\SysWOW64\cliwcwox.exe"
        88⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\sysifssh.exe
        
        C:\Windows\system32\sysifssh.exe 1108 "C:\Windows\SysWOW64\capqyrea.exe"
        89⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\drvvrzmq.exe
        
        C:\Windows\system32\drvvrzmq.exe 1484 "C:\Windows\SysWOW64\sysifssh.exe"
        90⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\advzbfvb.exe
        
        C:\Windows\system32\advzbfvb.exe 1244 "C:\Windows\SysWOW64\drvvrzmq.exe"
        91⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\commsubf.exe
        
        C:\Windows\system32\commsubf.exe 1480 "C:\Windows\SysWOW64\advzbfvb.exe"
        92⤵
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\dllnrupm.exe
        
        C:\Windows\system32\dllnrupm.exe 1112 "C:\Windows\SysWOW64\commsubf.exe"
        93⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\conemxyu.exe
        
        C:\Windows\system32\conemxyu.exe 1128 "C:\Windows\SysWOW64\dllnrupm.exe"
        94⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\dlliwkif.exe
        
        C:\Windows\system32\dlliwkif.exe 1496 "C:\Windows\SysWOW64\conemxyu.exe"
        95⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\advvoavj.exe
        
        C:\Windows\system32\advvoavj.exe 1288 "C:\Windows\SysWOW64\dlliwkif.exe"
        96⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\apivnacy.exe
        
        C:\Windows\system32\apivnacy.exe 1276 "C:\Windows\SysWOW64\advvoavj.exe"
        97⤵
        Drops file in System32 directory
        
        PID:4548
        
        C:\Windows\SysWOW64\xmlagiva.exe
        
        C:\Windows\system32\xmlagiva.exe 1512 "C:\Windows\SysWOW64\apivnacy.exe"
        98⤵
        
        PID:384
        
        C:\Windows\SysWOW64\igfswgaq.exe
        
        C:\Windows\system32\igfswgaq.exe 1420 "C:\Windows\SysWOW64\xmlagiva.exe"
        99⤵
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\capffdgu.exe
        
        C:\Windows\system32\capffdgu.exe 1516 "C:\Windows\SysWOW64\igfswgaq.exe"
        100⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\xmlbgovo.exe
        
        C:\Windows\system32\xmlbgovo.exe 1520 "C:\Windows\SysWOW64\capffdgu.exe"
        101⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\regfqbfz.exe
        
        C:\Windows\system32\regfqbfz.exe 1300 "C:\Windows\SysWOW64\xmlbgovo.exe"
        102⤵
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\sysbrlmu.exe
        
        C:\Windows\system32\sysbrlmu.exe 1116 "C:\Windows\SysWOW64\regfqbfz.exe"
        103⤵
        
        PID:900
        
        C:\Windows\SysWOW64\winftyen.exe
        
        C:\Windows\system32\winftyen.exe 1312 "C:\Windows\SysWOW64\sysbrlmu.exe"
        104⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\apixjwjd.exe
        
        C:\Windows\system32\apixjwjd.exe 1328 "C:\Windows\SysWOW64\winftyen.exe"
        105⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmdtkoqx.exe
        
        C:\Windows\system32\cmdtkoqx.exe 1308 "C:\Windows\SysWOW64\apixjwjd.exe"
        106⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\apisomjw.exe
        
        C:\Windows\system32\apisomjw.exe 1340 "C:\Windows\SysWOW64\cmdtkoqx.exe"
        107⤵
        
        PID:892
        
        C:\Windows\SysWOW64\ipskernm.exe
        
        C:\Windows\system32\ipskernm.exe 1548 "C:\Windows\SysWOW64\apisomjw.exe"
        108⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\sysjqpyl.exe
        
        C:\Windows\system32\sysjqpyl.exe 1552 "C:\Windows\SysWOW64\ipskernm.exe"
        109⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Windows\SysWOW64\igfwzemp.exe
        
        C:\Windows\system32\igfwzemp.exe 1556 "C:\Windows\SysWOW64\sysjqpyl.exe"
        110⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\drvvlcwo.exe
        
        C:\Windows\system32\drvvlcwo.exe 1560 "C:\Windows\SysWOW64\igfwzemp.exe"
        111⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\drvesmzn.exe
        
        C:\Windows\system32\drvesmzn.exe 1564 "C:\Windows\SysWOW64\drvvlcwo.exe"
        112⤵
        Drops file in System32 directory
        
        PID:4028
        
        C:\Windows\SysWOW64\igfatxhi.exe
        
        C:\Windows\system32\igfatxhi.exe 1192 "C:\Windows\SysWOW64\drvesmzn.exe"
        113⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cliwlhoc.exe
        
        C:\Windows\system32\cliwlhoc.exe 1384 "C:\Windows\SysWOW64\igfatxhi.exe"
        114⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\secrmaex.exe
        
        C:\Windows\system32\secrmaex.exe 1396 "C:\Windows\SysWOW64\cliwlhoc.exe"
        115⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\comqqxov.exe
        
        C:\Windows\system32\comqqxov.exe 1580 "C:\Windows\SysWOW64\secrmaex.exe"
        116⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\apilinur.exe
        
        C:\Windows\system32\apilinur.exe 1592 "C:\Windows\SysWOW64\comqqxov.exe"
        117⤵
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\reghjfkm.exe
        
        C:\Windows\system32\reghjfkm.exe 1392 "C:\Windows\SysWOW64\apilinur.exe"
        118⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\secgndul.exe
        
        C:\Windows\system32\secgndul.exe 1400 "C:\Windows\SysWOW64\reghjfkm.exe"
        119⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\regconcf.exe
        
        C:\Windows\system32\regconcf.exe 1404 "C:\Windows\SysWOW64\secgndul.exe"
        120⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cliluyff.exe
        
        C:\Windows\system32\cliluyff.exe 1216 "C:\Windows\SysWOW64\regconcf.exe"
        121⤵
        Drops file in System32 directory
        
        PID:1136
        
        C:\Windows\SysWOW64\advtiqzc.exe
        
        C:\Windows\system32\advtiqzc.exe 1428 "C:\Windows\SysWOW64\cliluyff.exe"
        122⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\conlxves.exe
        
        C:\Windows\system32\conlxves.exe 1608 "C:\Windows\SysWOW64\advtiqzc.exe"
        123⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\igfewwsz.exe
        
        C:\Windows\system32\igfewwsz.exe 1224 "C:\Windows\SysWOW64\conlxves.exe"
        124⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\clirolyd.exe
        
        C:\Windows\system32\clirolyd.exe 1604 "C:\Windows\SysWOW64\igfewwsz.exe"
        125⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\dllbdwlg.exe
        
        C:\Windows\system32\dllbdwlg.exe 1620 "C:\Windows\SysWOW64\clirolyd.exe"
        126⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\capljzof.exe
        
        C:\Windows\system32\capljzof.exe 1624 "C:\Windows\SysWOW64\dllbdwlg.exe"
        127⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\ialknwzw.exe
        
        C:\Windows\system32\ialknwzw.exe 1452 "C:\Windows\SysWOW64\capljzof.exe"
        128⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\winjatrv.exe
        
        C:\Windows\system32\winjatrv.exe 1632 "C:\Windows\SysWOW64\ialknwzw.exe"
        129⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\igffsmzp.exe
        
        C:\Windows\system32\igffsmzp.exe 1356 "C:\Windows\SysWOW64\winjatrv.exe"
        130⤵
        
        PID:636
        
        C:\Windows\SysWOW64\capskbet.exe
        
        C:\Windows\system32\capskbet.exe 1440 "C:\Windows\SysWOW64\igffsmzp.exe"
        131⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\conncrkx.exe
        
        C:\Windows\system32\conncrkx.exe 1644 "C:\Windows\SysWOW64\capskbet.exe"
        132⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\sysalhqb.exe
        
        C:\Windows\system32\sysalhqb.exe 1488 "C:\Windows\SysWOW64\conncrkx.exe"
        133⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\regzxeia.exe
        
        C:\Windows\system32\regzxeia.exe 1656 "C:\Windows\SysWOW64\sysalhqb.exe"
        134⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\drvmhcow.exe
        
        C:\Windows\system32\drvmhcow.exe 1492 "C:\Windows\SysWOW64\regzxeia.exe"
        135⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\contcuat.exe
        
        C:\Windows\system32\contcuat.exe 1524 "C:\Windows\SysWOW64\drvmhcow.exe"
        136⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cliuzccu.exe
        
        C:\Windows\system32\cliuzccu.exe 1436 "C:\Windows\SysWOW64\contcuat.exe"
        137⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\igftdamt.exe
        
        C:\Windows\system32\igftdamt.exe 1472 "C:\Windows\SysWOW64\cliuzccu.exe"
        138⤵
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\clipescn.exe
        
        C:\Windows\system32\clipescn.exe 1424 "C:\Windows\SysWOW64\igftdamt.exe"
        139⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\auttoxlg.exe
        
        C:\Windows\system32\auttoxlg.exe 1584 "C:\Windows\SysWOW64\clipescn.exe"
        140⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\apixrkdr.exe
        
        C:\Windows\system32\apixrkdr.exe 1264 "C:\Windows\SysWOW64\auttoxlg.exe"
        141⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\ialhxvfr.exe
        
        C:\Windows\system32\ialhxvfr.exe 1532 "C:\Windows\SysWOW64\apixrkdr.exe"
        142⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\capcyfnl.exe
        
        C:\Windows\system32\capcyfnl.exe 1616 "C:\Windows\SysWOW64\ialhxvfr.exe"
        143⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmdmpvfh.exe
        
        C:\Windows\system32\cmdmpvfh.exe 1736 "C:\Windows\SysWOW64\capcyfnl.exe"
        144⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\sysqzixs.exe
        
        C:\Windows\system32\sysqzixs.exe 1696 "C:\Windows\SysWOW64\cmdmpvfh.exe"
        145⤵
        Drops file in System32 directory
        
        PID:4176
        
        C:\Windows\SysWOW64\dllarjry.exe
        
        C:\Windows\system32\dllarjry.exe 1504 "C:\Windows\SysWOW64\sysqzixs.exe"
        146⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\xmlzvojw.exe
        
        C:\Windows\system32\xmlzvojw.exe 1508 "C:\Windows\SysWOW64\dllarjry.exe"
        147⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\fxsibrmw.exe
        
        C:\Windows\system32\fxsibrmw.exe 1708 "C:\Windows\SysWOW64\xmlzvojw.exe"
        148⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\fxsuxecy.exe
        
        C:\Windows\system32\fxsuxecy.exe 1716 "C:\Windows\SysWOW64\fxsibrmw.exe"
        149⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\apifncjb.exe
        
        C:\Windows\system32\apifncjb.exe 1296 "C:\Windows\SysWOW64\fxsuxecy.exe"
        150⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\comteswm.exe
        
        C:\Windows\system32\comteswm.exe 1720 "C:\Windows\SysWOW64\apifncjb.exe"
        151⤵
        
        PID:404
        
        C:\Windows\SysWOW64\regdvhoi.exe
        
        C:\Windows\system32\regdvhoi.exe 988 "C:\Windows\SysWOW64\comteswm.exe"
        152⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\secidcgc.exe
        
        C:\Windows\system32\secidcgc.exe 1724 "C:\Windows\SysWOW64\regdvhoi.exe"
        153⤵
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\ialxsiys.exe
        
        C:\Windows\system32\ialxsiys.exe 1732 "C:\Windows\SysWOW64\secidcgc.exe"
        154⤵
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\xmlflilj.exe
        
        C:\Windows\system32\xmlflilj.exe 1728 "C:\Windows\SysWOW64\ialxsiys.exe"
        155⤵
        
        PID:784
        
        C:\Windows\SysWOW64\comwhdhx.exe
        
        C:\Windows\system32\comwhdhx.exe 1536 "C:\Windows\SysWOW64\xmlflilj.exe"
        156⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\regmcqzo.exe
        
        C:\Windows\system32\regmcqzo.exe 1744 "C:\Windows\SysWOW64\comwhdhx.exe"
        157⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\dllxojos.exe
        
        C:\Windows\system32\dllxojos.exe 1756 "C:\Windows\SysWOW64\regmcqzo.exe"
        158⤵
        Drops file in System32 directory
        
        PID:4320
        
        C:\Windows\SysWOW64\xmlqqgbm.exe
        
        C:\Windows\system32\xmlqqgbm.exe 1432 "C:\Windows\SysWOW64\dllxojos.exe"
        159⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\ipsqpgit.exe
        
        C:\Windows\system32\ipsqpgit.exe 1476 "C:\Windows\SysWOW64\xmlqqgbm.exe"
        160⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\commqrqn.exe
        
        C:\Windows\system32\commqrqn.exe 1572 "C:\Windows\SysWOW64\ipsqpgit.exe"
        161⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\dlleprec.exe
        
        C:\Windows\system32\dlleprec.exe 1800 "C:\Windows\SysWOW64\commqrqn.exe"
        162⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\sectnwvk.exe
        
        C:\Windows\system32\sectnwvk.exe 1500 "C:\Windows\SysWOW64\dlleprec.exe"
        163⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\capedmcv.exe
        
        C:\Windows\system32\capedmcv.exe 1540 "C:\Windows\SysWOW64\sectnwvk.exe"
        164⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\regvhcwd.exe
        
        C:\Windows\system32\regvhcwd.exe 1544 "C:\Windows\SysWOW64\capedmcv.exe"
        165⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\winukavj.exe
        
        C:\Windows\system32\winukavj.exe 1776 "C:\Windows\SysWOW64\regvhcwd.exe"
        166⤵
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\consraoq.exe
        
        C:\Windows\system32\consraoq.exe 1568 "C:\Windows\SysWOW64\winukavj.exe"
        167⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\secxyvzk.exe
        
        C:\Windows\system32\secxyvzk.exe 1612 "C:\Windows\SysWOW64\consraoq.exe"
        168⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\igflqgvl.exe
        
        C:\Windows\system32\igflqgvl.exe 1792 "C:\Windows\SysWOW64\secxyvzk.exe"
        169⤵
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\advhcoct.exe
        
        C:\Windows\system32\advhcoct.exe 1636 "C:\Windows\SysWOW64\igflqgvl.exe"
        170⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\comulmqp.exe
        
        C:\Windows\system32\comulmqp.exe 1796 "C:\Windows\SysWOW64\advhcoct.exe"
        171⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\autpmwxj.exe
        
        C:\Windows\system32\autpmwxj.exe 1588 "C:\Windows\SysWOW64\comulmqp.exe"
        172⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\comohzgr.exe
        
        C:\Windows\system32\comohzgr.exe 1596 "C:\Windows\SysWOW64\autpmwxj.exe"
        173⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\caprtruv.exe
        
        C:\Windows\system32\caprtruv.exe 1600 "C:\Windows\SysWOW64\comohzgr.exe"
        174⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\fxsqwude.exe
        
        C:\Windows\system32\fxsqwude.exe 1820 "C:\Windows\SysWOW64\caprtruv.exe"
        175⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmdlackm.exe
        
        C:\Windows\system32\cmdlackm.exe 1816 "C:\Windows\SysWOW64\fxsqwude.exe"
        176⤵
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\sysgdzwz.exe
        
        C:\Windows\system32\sysgdzwz.exe 1576 "C:\Windows\SysWOW64\cmdlackm.exe"
        177⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\regnhxpy.exe
        
        C:\Windows\system32\regnhxpy.exe 1832 "C:\Windows\SysWOW64\sysgdzwz.exe"
        178⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\sysjipws.exe
        
        C:\Windows\system32\sysjipws.exe 1652 "C:\Windows\SysWOW64\regnhxpy.exe"
        179⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\winfscgd.exe
        
        C:\Windows\system32\winfscgd.exe 1528 "C:\Windows\SysWOW64\sysjipws.exe"
        180⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\winutlwo.exe
        
        C:\Windows\system32\winutlwo.exe 1672 "C:\Windows\SysWOW64\winfscgd.exe"
        181⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\fxshlbck.exe
        
        C:\Windows\system32\fxshlbck.exe 1640 "C:\Windows\SysWOW64\winutlwo.exe"
        182⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\regrtwsp.exe
        
        C:\Windows\system32\regrtwsp.exe 1660 "C:\Windows\SysWOW64\fxshlbck.exe"
        183⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\comcfrle.exe
        
        C:\Windows\system32\comcfrle.exe 1680 "C:\Windows\SysWOW64\regrtwsp.exe"
        184⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\capankqz.exe
        
        C:\Windows\system32\capankqz.exe 1456 "C:\Windows\SysWOW64\comcfrle.exe"
        185⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\xmlwcwwt.exe
        
        C:\Windows\system32\xmlwcwwt.exe 1628 "C:\Windows\SysWOW64\capankqz.exe"
        186⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\cmdvofhm.exe
        
        C:\Windows\system32\cmdvofhm.exe 1692 "C:\Windows\SysWOW64\xmlwcwwt.exe"
        187⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\autkmkzv.exe
        
        C:\Windows\system32\autkmkzv.exe 1700 "C:\Windows\SysWOW64\cmdvofhm.exe"
        188⤵
        
        PID:5872
        
        C:\Windows\SysWOW64\cmdgyteg.exe
        
        C:\Windows\system32\cmdgyteg.exe 1876 "C:\Windows\SysWOW64\autkmkzv.exe"
        189⤵
        Drops file in System32 directory
        
        PID:5944
        
        C:\Windows\SysWOW64\apiozove.exe
        
        C:\Windows\system32\apiozove.exe 1648 "C:\Windows\SysWOW64\cmdgyteg.exe"
        190⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\ipsgptau.exe
        
        C:\Windows\system32\ipsgptau.exe 1752 "C:\Windows\SysWOW64\apiozove.exe"
        191⤵
        Drops file in System32 directory
        
        PID:6132
        
        C:\Windows\SysWOW64\drvtthqa.exe
        
        C:\Windows\system32\drvtthqa.exe 1712 "C:\Windows\SysWOW64\ipsgptau.exe"
        192⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\xmlgaqzs.exe
        
        C:\Windows\system32\xmlgaqzs.exe 1664 "C:\Windows\SysWOW64\drvtthqa.exe"
        193⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\cmddjemy.exe
        
        C:\Windows\system32\cmddjemy.exe 1768 "C:\Windows\SysWOW64\xmlgaqzs.exe"
        194⤵
        Drops file in System32 directory
        
        PID:5352
        
        C:\Windows\SysWOW64\comviovh.exe
        
        C:\Windows\system32\comviovh.exe 1676 "C:\Windows\SysWOW64\cmddjemy.exe"
        195⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\fxsjzxhw.exe
        
        C:\Windows\system32\fxsjzxhw.exe 1900 "C:\Windows\SysWOW64\comviovh.exe"
        196⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\cappgoxu.exe
        
        C:\Windows\system32\cappgoxu.exe 1760 "C:\Windows\SysWOW64\fxsjzxhw.exe"
        197⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\autvfolz.exe
        
        C:\Windows\system32\autvfolz.exe 1784 "C:\Windows\SysWOW64\cappgoxu.exe"
        198⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\advfvuyp.exe
        
        C:\Windows\system32\advfvuyp.exe 1764 "C:\Windows\SysWOW64\autvfolz.exe"
        199⤵
        Drops file in System32 directory
        
        PID:5612
        
        C:\Windows\SysWOW64\igfjxhia.exe
        
        C:\Windows\system32\igfjxhia.exe 1748 "C:\Windows\SysWOW64\advfvuyp.exe"
        200⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\conkwzwh.exe
        
        C:\Windows\system32\conkwzwh.exe 1668 "C:\Windows\SysWOW64\igfjxhia.exe"
        201⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\regpphhr.exe
        
        C:\Windows\system32\regpphhr.exe 1788 "C:\Windows\SysWOW64\conkwzwh.exe"
        202⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\condczrd.exe
        
        C:\Windows\system32\condczrd.exe 1688 "C:\Windows\SysWOW64\regpphhr.exe"
        203⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\advntxkz.exe
        
        C:\Windows\system32\advntxkz.exe 1684 "C:\Windows\SysWOW64\condczrd.exe"
        204⤵
        Drops file in System32 directory
        
        PID:5892
        
        C:\Windows\SysWOW64\syslqfpa.exe
        
        C:\Windows\system32\syslqfpa.exe 1812 "C:\Windows\SysWOW64\advntxkz.exe"
        205⤵
        Drops file in System32 directory
        
        PID:4556
        
        C:\Windows\SysWOW64\fxsdqvhw.exe
        
        C:\Windows\system32\fxsdqvhw.exe 1808 "C:\Windows\SysWOW64\syslqfpa.exe"
        206⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\dllwpvwc.exe
        
        C:\Windows\system32\dllwpvwc.exe 1944 "C:\Windows\SysWOW64\fxsdqvhw.exe"
        207⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\conlcian.exe
        
        C:\Windows\system32\conlcian.exe 1804 "C:\Windows\SysWOW64\dllwpvwc.exe"
        208⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\capayiuc.exe
        
        C:\Windows\system32\capayiuc.exe 1952 "C:\Windows\SysWOW64\conlcian.exe"
        209⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\xmlnkdfz.exe
        
        C:\Windows\system32\xmlnkdfz.exe 1956 "C:\Windows\SysWOW64\capayiuc.exe"
        210⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\advwagne.exe
        
        C:\Windows\system32\advwagne.exe 1836 "C:\Windows\SysWOW64\xmlnkdfz.exe"
        211⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\ipsjlggg.exe
        
        C:\Windows\system32\ipsjlggg.exe 1968 "C:\Windows\SysWOW64\advwagne.exe"
        212⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\apikcjxm.exe
        
        C:\Windows\system32\apikcjxm.exe 1828 "C:\Windows\SysWOW64\ipsjlggg.exe"
        213⤵
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\conooblq.exe
        
        C:\Windows\system32\conooblq.exe 1960 "C:\Windows\SysWOW64\apikcjxm.exe"
        214⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\comdczrn.exe
        
        C:\Windows\system32\comdczrn.exe 1976 "C:\Windows\SysWOW64\conooblq.exe"
        215⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\advkrjge.exe
        
        C:\Windows\system32\advkrjge.exe 1772 "C:\Windows\SysWOW64\comdczrn.exe"
        216⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\ialnuhts.exe
        
        C:\Windows\system32\ialnuhts.exe 1884 "C:\Windows\SysWOW64\advkrjge.exe"
        217⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\regfthah.exe
        
        C:\Windows\system32\regfthah.exe 1848 "C:\Windows\SysWOW64\ialnuhts.exe"
        218⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\netkdmrs.exe
        
        C:\Windows\system32\netkdmrs.exe 1844 "C:\Windows\SysWOW64\regfthah.exe"
        219⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\comllpzx.exe
        
        C:\Windows\system32\comllpzx.exe 1868 "C:\Windows\SysWOW64\netkdmrs.exe"
        220⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\igfizclz.exe
        
        C:\Windows\system32\igfizclz.exe 2000 "C:\Windows\SysWOW64\comllpzx.exe"
        221⤵
        Drops file in System32 directory
        
        PID:5916
        
        C:\Windows\SysWOW64\igfvcfga.exe
        
        C:\Windows\system32\igfvcfga.exe 856 "C:\Windows\SysWOW64\igfizclz.exe"
        222⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\drvcqiwr.exe
        
        C:\Windows\system32\drvcqiwr.exe 1856 "C:\Windows\SysWOW64\igfvcfga.exe"
        223⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\ipsxjadm.exe
        
        C:\Windows\system32\ipsxjadm.exe 1840 "C:\Windows\SysWOW64\drvcqiwr.exe"
        224⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\winvenpw.exe
        
        C:\Windows\system32\winvenpw.exe 2016 "C:\Windows\SysWOW64\ipsxjadm.exe"
        225⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\xmlfutun.exe
        
        C:\Windows\system32\xmlfutun.exe 1872 "C:\Windows\SysWOW64\winvenpw.exe"
        226⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\cmdandbh.exe
        
        C:\Windows\system32\cmdandbh.exe 2032 "C:\Windows\SysWOW64\xmlfutun.exe"
        227⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\igfsmtud.exe
        
        C:\Windows\system32\igfsmtud.exe 2024 "C:\Windows\SysWOW64\cmdandbh.exe"
        228⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\seccermz.exe
        
        C:\Windows\system32\seccermz.exe 1860 "C:\Windows\SysWOW64\igfsmtud.exe"
        229⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\caprseyc.exe
        
        C:\Windows\system32\caprseyc.exe 1888 "C:\Windows\SysWOW64\seccermz.exe"
        230⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\xmlntofw.exe
        
        C:\Windows\system32\xmlntofw.exe 1852 "C:\Windows\SysWOW64\caprseyc.exe"
        231⤵
        
        PID:916
        
        C:\Windows\SysWOW64\advwbrwb.exe
        
        C:\Windows\system32\advwbrwb.exe 1740 "C:\Windows\SysWOW64\xmlntofw.exe"
        232⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\ialsccdw.exe
        
        C:\Windows\system32\ialsccdw.exe 1896 "C:\Windows\SysWOW64\advwbrwb.exe"
        233⤵
        Drops file in System32 directory
        
        PID:5468
        
        C:\Windows\SysWOW64\advqzjrx.exe
        
        C:\Windows\system32\advqzjrx.exe 2052 "C:\Windows\SysWOW64\ialsccdw.exe"
        234⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\autzyhjt.exe
        
        C:\Windows\system32\autzyhjt.exe 1880 "C:\Windows\SysWOW64\advqzjrx.exe"
        235⤵
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\clipmunv.exe
        
        C:\Windows\system32\clipmunv.exe 1780 "C:\Windows\SysWOW64\autzyhjt.exe"
        236⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\secknfdq.exe
        
        C:\Windows\system32\secknfdq.exe 1924 "C:\Windows\SysWOW64\clipmunv.exe"
        237⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\regggxkk.exe
        
        C:\Windows\system32\regggxkk.exe 1824 "C:\Windows\SysWOW64\secknfdq.exe"
        238⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\cliwkkgy.exe
        
        C:\Windows\system32\cliwkkgy.exe 2076 "C:\Windows\SysWOW64\regggxkk.exe"
        239⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\ialupamz.exe
        
        C:\Windows\system32\ialupamz.exe 2084 "C:\Windows\SysWOW64\cliwkkgy.exe"
        240⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmdmfxzq.exe
        
        C:\Windows\system32\cmdmfxzq.exe 2088 "C:\Windows\SysWOW64\ialupamz.exe"
        241⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\xmlkcner.exe
        
        C:\Windows\system32\xmlkcner.exe 2080 "C:\Windows\SysWOW64\cmdmfxzq.exe"
        242⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\winctdwn.exe
        
        C:\Windows\system32\winctdwn.exe 2028 "C:\Windows\SysWOW64\xmlkcner.exe"
        243⤵
        Drops file in System32 directory
        
        PID:5280
        
        C:\Windows\SysWOW64\ipsyeqoy.exe
        
        C:\Windows\system32\ipsyeqoy.exe 1908 "C:\Windows\SysWOW64\winctdwn.exe"
        244⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\dlludbkz.exe
        
        C:\Windows\system32\dlludbkz.exe 1928 "C:\Windows\SysWOW64\ipsyeqoy.exe"
        245⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\drvbklzz.exe
        
        C:\Windows\system32\drvbklzz.exe 1932 "C:\Windows\SysWOW64\dlludbkz.exe"
        246⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\igfypzoy.exe
        
        C:\Windows\system32\igfypzoy.exe 1964 "C:\Windows\SysWOW64\drvbklzz.exe"
        247⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\igfsuhor.exe
        
        C:\Windows\system32\igfsuhor.exe 2112 "C:\Windows\SysWOW64\igfypzoy.exe"
        248⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\drvqrxbt.exe
        
        C:\Windows\system32\drvqrxbt.exe 1920 "C:\Windows\SysWOW64\igfsuhor.exe"
        249⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\regehnod.exe
        
        C:\Windows\system32\regehnod.exe 1912 "C:\Windows\SysWOW64\drvqrxbt.exe"
        250⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\captflfl.exe
        
        C:\Windows\system32\captflfl.exe 2124 "C:\Windows\SysWOW64\regehnod.exe"
        251⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\fxsrcasn.exe
        
        C:\Windows\system32\fxsrcasn.exe 2128 "C:\Windows\SysWOW64\captflfl.exe"
        252⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\conbuqlj.exe
        
        C:\Windows\system32\conbuqlj.exe 1948 "C:\Windows\SysWOW64\fxsrcasn.exe"
        253⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\convplbl.exe
        
        C:\Windows\system32\convplbl.exe 1916 "C:\Windows\SysWOW64\conbuqlj.exe"
        254⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\ipswfgrj.exe
        
        C:\Windows\system32\ipswfgrj.exe 1904 "C:\Windows\SysWOW64\convplbl.exe"
        255⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\syseqmnn.exe
        
        C:\Windows\system32\syseqmnn.exe 2144 "C:\Windows\SysWOW64\ipswfgrj.exe"
        256⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\ipshtkab.exe
        
        C:\Windows\system32\ipshtkab.exe 2152 "C:\Windows\SysWOW64\syseqmnn.exe"
        257⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\netnznps.exe
        
        C:\Windows\system32\netnznps.exe 2156 "C:\Windows\SysWOW64\ipshtkab.exe"
        258⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\xmluoxfk.exe
        
        C:\Windows\system32\xmluoxfk.exe 1936 "C:\Windows\SysWOW64\netnznps.exe"
        259⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\ialmddka.exe
        
        C:\Windows\system32\ialmddka.exe 1988 "C:\Windows\SysWOW64\xmluoxfk.exe"
        260⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\clihwnzv.exe
        
        C:\Windows\system32\clihwnzv.exe 1864 "C:\Windows\SysWOW64\ialmddka.exe"
        261⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\netmqvke.exe
        
        C:\Windows\system32\netmqvke.exe 2168 "C:\Windows\SysWOW64\clihwnzv.exe"
        262⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\capeftxv.exe
        
        C:\Windows\system32\capeftxv.exe 2060 "C:\Windows\SysWOW64\netmqvke.exe"
        263⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\ialdryit.exe
        
        C:\Windows\system32\ialdryit.exe 1996 "C:\Windows\SysWOW64\capeftxv.exe"
        264⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\advcmbqc.exe
        
        C:\Windows\system32\advcmbqc.exe 2004 "C:\Windows\SysWOW64\ialdryit.exe"
        265⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\conltdtt.exe
        
        C:\Windows\system32\conltdtt.exe 2184 "C:\Windows\SysWOW64\advcmbqc.exe"
        266⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\autkxbms.exe
        
        C:\Windows\system32\autkxbms.exe 2008 "C:\Windows\SysWOW64\conltdtt.exe"
        267⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\cliovelr.exe
        
        C:\Windows\system32\cliovelr.exe 2192 "C:\Windows\SysWOW64\autkxbms.exe"
        268⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\netkxhmy.exe
        
        C:\Windows\system32\netkxhmy.exe 2012 "C:\Windows\SysWOW64\cliovelr.exe"
        269⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\dllqbaok.exe
        
        C:\Windows\system32\dllqbaok.exe 2200 "C:\Windows\SysWOW64\netkxhmy.exe"
        270⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\drvhhawy.exe
        
        C:\Windows\system32\drvhhawy.exe 2020 "C:\Windows\SysWOW64\dllqbaok.exe"
        271⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\ialpcsfc.exe
        
        C:\Windows\system32\ialpcsfc.exe 2208 "C:\Windows\SysWOW64\drvhhawy.exe"
        272⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\regqaslj.exe
        
        C:\Windows\system32\regqaslj.exe 2036 "C:\Windows\SysWOW64\ialpcsfc.exe"
        273⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\comrhvoi.exe
        
        C:\Windows\system32\comrhvoi.exe 1892 "C:\Windows\SysWOW64\regqaslj.exe"
        274⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\regjytge.exe
        
        C:\Windows\system32\regjytge.exe 1984 "C:\Windows\SysWOW64\comrhvoi.exe"
        275⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\apiatnpm.exe
        
        C:\Windows\system32\apiatnpm.exe 2056 "C:\Windows\SysWOW64\regjytge.exe"
        276⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\apitzoki.exe
        
        C:\Windows\system32\apitzoki.exe 2228 "C:\Windows\SysWOW64\apiatnpm.exe"
        277⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cmdpsgsc.exe
        
        C:\Windows\system32\cmdpsgsc.exe 2064 "C:\Windows\SysWOW64\apitzoki.exe"
        278⤵
        Drops file in System32 directory
        
        PID:5840
        
        C:\Windows\SysWOW64\dllclult.exe
        
        C:\Windows\system32\dllclult.exe 2236 "C:\Windows\SysWOW64\cmdpsgsc.exe"
        279⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\ialleuzr.exe
        
        C:\Windows\system32\ialleuzr.exe 1992 "C:\Windows\SysWOW64\dllclult.exe"
        280⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\ialyheur.exe
        
        C:\Windows\system32\ialyheur.exe 2248 "C:\Windows\SysWOW64\ialleuzr.exe"
        281⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\ialzhkug.exe
        
        C:\Windows\system32\ialzhkug.exe 2232 "C:\Windows\SysWOW64\ialyheur.exe"
        282⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\regagkbn.exe
        
        C:\Windows\system32\regagkbn.exe 2068 "C:\Windows\SysWOW64\ialzhkug.exe"
        283⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\igfmbxzp.exe
        
        C:\Windows\system32\igfmbxzp.exe 2260 "C:\Windows\SysWOW64\regagkbn.exe"
        284⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\xmlvjspv.exe
        
        C:\Windows\system32\xmlvjspv.exe 1972 "C:\Windows\SysWOW64\igfmbxzp.exe"
        285⤵
        Drops file in System32 directory
        
        PID:5380
        
        C:\Windows\SysWOW64\ipsoiswb.exe
        
        C:\Windows\system32\ipsoiswb.exe 1940 "C:\Windows\SysWOW64\xmlvjspv.exe"
        286⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\secgiiox.exe
        
        C:\Windows\system32\secgiiox.exe 2268 "C:\Windows\SysWOW64\ipsoiswb.exe"
        287⤵
        
        PID:1316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\autrevpk.exe

Filesize
77KB

MD5
52e123aec2258a9264b60b3ee843058b

SHA1
8ae430a40451425d9f8020ce95f55e372e78a878

SHA256
79c954f590a7afb2e1bb6ba1f26168087708741c86c1cbc1bcb106ec7cd5b7f3

SHA512
e50cb2196d9b83b072ff71966ee2e0a869bc035966f86baaacf7a73e6971c464eadafc01575ea5508aa149e13615ee628bac0b939567e2bb4b57af5a5f794fa7

Download Submit
C:\Windows\SysWOW64\autrevpk.exe

Filesize
83KB

MD5
be94664a2ea83f74afd9d72fc989f35f

SHA1
ee3b915a0f4cba59ee5e165b1e6f6b0457f9743a

SHA256
30f3b899c12a5627e43858ebec64b1781765659c01dd53e5c5d021377b82a647

SHA512
9bc6b1bebb0f29f1cbc36ed5e2b1c48d19c2f6efd4c9f4ca489319ce11fd4bbcda5acad8ca39d6dfd5d05b0eaccd5f1cf8006e3ef2704be40a89c3c5667a2b01

Download Submit
C:\Windows\SysWOW64\capemzbi.exe

Filesize
75KB

MD5
38e7687035dfd95eb32cad0d37814bc6

SHA1
9be6cf3d0a56b8e1a61e91e8808614f6db75f4ec

SHA256
2c70abc9cb4040648e84aed0218fa7196efa9ae7bb6a81af1d80a4f5adba7a1b

SHA512
85d6fe7367fe4574f80f21b9e55658da168ee65c5cfff9ea862528a8521b7cbaa4d3f2ba2eadfd56dd90b4648fee8eada810f963ebaf7e64d53a868d49e737f8

Download Submit
C:\Windows\SysWOW64\capemzbi.exe

Filesize
39KB

MD5
c879b1363934a425e4c4a814ba13f8c1

SHA1
b87d112df3057b7bd145cc967414fdfff2b940ee

SHA256
0fe8038bd15cf0e741e651325f20ac0ed8a483d0fbf4f7d318bd4804858af72a

SHA512
e91824533126d270710c326878922a186b72387adb9515af4d9dd825f9e31dcf7bdb0b9e7071d523cf42f9ea58488274b94427dba49a320f40c3ca25142f7d8f

Download Submit
C:\Windows\SysWOW64\comdbvsc.exe

Filesize
66KB

MD5
51bed84229b14f7e6c2553472c0b57df

SHA1
a82b15ed87479187e7b0d3739e9a6b033c923b36

SHA256
737667ad78818c8876a7c3ecbe9cecb82164c13af02e13bd380030aa3de02131

SHA512
1ed9bc9c5b12096b8b4417125887eab3d7757e3774c411bccbf1bb8ef8fe49eec1700b7c4dfbe0a0c67663758fd4c0abba88abee28363fbfff0a2843350e1eca

Download Submit
C:\Windows\SysWOW64\comdbvsc.exe

Filesize
62KB

MD5
39f7a29454f6e5127a16b64252c2dc34

SHA1
47161423877bb010e62f84a5e75426585e6e00a1

SHA256
94e545c29526088a5a10142cb63beb3e3d140988e86e1ccca94644bd51a8b266

SHA512
38fe6ea9f67659bd53a31e43399c721b78dd93ee043e7b19d9894aedd64eda3b4b4e2c1fc759e5dead90539731360e7aad023b5532fd2459f658af6f561a58e3

Download Submit
C:\Windows\SysWOW64\dllhduci.exe

Filesize
87KB

MD5
10dc473e4a32a1e900a65ce346dbeb5a

SHA1
2257f736c267913dd11de90106fcdcda034a6ae5

SHA256
6a27c41b61ed069f97619f6dbb09806df31e719bf41704f53344a10d97e6ee4a

SHA512
54ba6298ce617828021f96133847fe9ccd434e26e39581c3aee8b15f71b4bf4f3f38214256df98f9d2869f0f551a567009fbb4e147579640f5e7de75cb7e3027

Download Submit
C:\Windows\SysWOW64\dllhduci.exe

Filesize
85KB

MD5
d9d891960c4f379851d649b792760d96

SHA1
74220dad311108a9ac1741e5084fa29e43b2cac5

SHA256
f8d69f6df55b929e63270ddbf5e646d8c3f8b8edeec36120b8cd5cc1e6afc15c

SHA512
fe483f72ceb0be9ea1e687cee87422150fda76fa6275e17eeba73c2133f2593e693b1fe3b4a51309aced2582a9ed06c7e2f88cbc4f07fedd294ebb71639ac23e

Download Submit
C:\Windows\SysWOW64\dllmyyka.exe

Filesize
5KB

MD5
eeba08e106dcf23b1255b5b6dbbf7ce9

SHA1
a2409243d28d50180c6a49b3063267d3c3134330

SHA256
59de17c95e64fe34e1ec60656e4eb86865a8009c09c57c6bcb8f5ac112a74b06

SHA512
f6433290b25b4a9fa98f5adefa3ad55e01077e55bfb1473a65ead0fec16f525ad8b6a58cc7a9446301a1ad96a27376f931f53314e4507babe0f92f9e2683f9c0

Download Submit
C:\Windows\SysWOW64\dllmyyka.exe

Filesize
58KB

MD5
5a28ad1b9aedad79c0608e1a5ab03ab3

SHA1
d5256296b3f1ed565bf4f5c3c4e4a04b14c47929

SHA256
fc99813f60b015b9300991533514d3b2b65692d9d378cf0cfeaa18cbf20a8e09

SHA512
14cf9b64dc9672e92394ce458d68c088356afa3f2a689a88ada339c96a94647d206fa770de5004eb309c687dc0cc76e67a9c4c805580964b8331861e10c9e1b7

Download Submit
C:\Windows\SysWOW64\ialjuutc.exe

Filesize
27KB

MD5
19be17eb7134a5bf21795e169208ea69

SHA1
0d9d1db7562c95c383fe1b00928d9901ba324586

SHA256
9da5960659c0b186f3baca632fb99c5f9ded79068200b0457ab5156b2d93cb0a

SHA512
15e3128d532ee7210cb3da8477b11c0f76eb1658fed9706aa070bb5b165ad56d23ebafef303605df08b521c414df0db9c199302ce14efe95b5d859f2ac35f35b

Download Submit
C:\Windows\SysWOW64\ialjuutc.exe

Filesize
57KB

MD5
5cf1ec3e41195eecc2ffddd6a570468a

SHA1
b8235586c3ccc692626f6ab33a7f7649156f348c

SHA256
fdfb2538f928e05304a6bdcf9f557398b09c90068a887919ccfafe5477f83129

SHA512
370dcaabb4ad12dd9c23c0a6439a7878b8e56d39b5ef115a9ea1cb79253bde32a7c2087efde7ac64c2f583719e8dc1ab60fcd51c6115be484a47c2f11185d8cd

Download Submit
C:\Windows\SysWOW64\igfqyooz.exe

Filesize
36KB

MD5
e5a30a721c323ad0f8d93e53329533af

SHA1
a3bd4cdc4507e54bda9d1a7d96f12aceb8f3e12d

SHA256
9a496db57325f4e90d01dbbf6fce9920d374b45c0a76b9cdbf5446c36276ea6d

SHA512
6744ca730ecd35ad09ea83be0819425856eb20f343e359c15b69e0d829ec30eddd4fd5e247845de25a6af8d67aa0db29ba68b0059377d5aa0d6ef42d719dab09

Download Submit
C:\Windows\SysWOW64\ipsedgyl.exe

Filesize
75KB

MD5
318f46a45640ca06ffc600ba1a120886

SHA1
573c9a5f9f8def423f0d5c8c85ba38f8e5ae9b9e

SHA256
0d6f8cb6736dbcddfee06af985cf38a518faeb9f7cdec62761f949ac65deff26

SHA512
10f02738de79ca1213e95272c9ae68a8c1c40011fe5da905b96435cdca208e8a8e30d6d34d7e3bf946c81740d36e8e24da95e06bd7850c6945997275f50e1296

Download Submit
C:\Windows\SysWOW64\ipsedgyl.exe

Filesize
9KB

MD5
c1505de08b6c1e32dee9d6da9093f2c9

SHA1
4feb8edbc671363db04d5fc11d7d9488521fc652

SHA256
f49511df22e27236208ab11419df757a5730934c1891023d7ab59fbd52967b68

SHA512
85acef0218dfa2f938c3fea105e0d3e7e8ad82883d592eba82ad275a24ca77eb710dc7dc04d68c0a07e296c9a52aa74da012ce04ba33889b7d6487c3d32eaf9a

Download Submit
C:\Windows\SysWOW64\regdgrjl.exe

Filesize
89KB

MD5
3a3dc2e0b15cf61b8308066b41171875

SHA1
974be0049b3b305bbcb6f4d61e103c18a41f5e7c

SHA256
844f174440af181e2dddc43a472053f754d80fc312366dd63f2278f8e5bc625f

SHA512
90f8dbba6d9e052da9c2be0ee9d72ac35afe51b6ab91117a960f191007f278ed9871bf376acb51c69fc992313f6f73ddb74f7bf87cb9af5c113ee9d5fd844397

Download Submit
C:\Windows\SysWOW64\regxzhot.exe

Filesize
38KB

MD5
65ea4bcb744b129b9eb37b99b9e4fe30

SHA1
a5d3d03d38a7f3e155ee7426e52f408caa588121

SHA256
1414ce08d0f9bd8ffb142916ece40189df424239064086eb635715b5c14b18cd

SHA512
b49ec3072fc27a26098feae15250242c43daf92b135cabbd508a2f9c6861649e518c697decf65152400283f4fdb0e6b49d531753ab950e3b8619cc5d656cad0d

Download Submit
C:\Windows\SysWOW64\secnikna.exe

Filesize
21KB

MD5
c41ebf244344e7e1ecc3957f55d5450c

SHA1
45f2786bdf268c5307278786c74e3f196adb841a

SHA256
672cb2ed1e2c9a2aa4ff11d24d78985b1092bee7b86acae9a6b06520ad7af55a

SHA512
682fd12fd18fb55150a8ab920e5a492a85204ef52c25aafa30eb8cf166f7c4d1a63b856024955519620ef2c4448f02184900eb42a1d7f678ef3b5ff1c0cfdb84

Download Submit
C:\Windows\SysWOW64\secnikna.exe

Filesize
70KB

MD5
98ee949a56801be814de8ccc1e7d0b0f

SHA1
563d9f1bf5dcf297675f20f251fa329d645ae0cf

SHA256
d40c4df2bb52eaaaeabb4e915bfcc7568b185b2ec03a7fb220572463a69712b9

SHA512
756612baa6b644b4978539441333fb7b2cf5e42f69b07e2fd19152a05821c0ba1f8c41afd4ad3ec7ad7c308849ed02c7d8f7efea157b0a289dbe0c8e0e6d2973

Download Submit
C:\Windows\SysWOW64\sysldchx.exe

Filesize
50KB

MD5
00d2ac4f57aafb34fedf5f9937273d4c

SHA1
a4d99854a4ff6afe421efcb3b85340313121d7f0

SHA256
eee5d0c74a33a0d94415fbe816c9a8ed334e48895c36353d5e73512f6f9b5a11

SHA512
890308e84021b7f2cff18310f720758af9ba1cd35fbf3503b58bc5735268e319969448371173fcae1cc5c5329f4e4877e047c1b397a324d3049c79195bfad95d

Download Submit
C:\Windows\SysWOW64\sysldchx.exe

Filesize
65KB

MD5
716fb246d4a3c4acfb47a19bb205ebaa

SHA1
f2bb9e47e6c7c03c329db05b49c06f70d7ab0881

SHA256
eeb0de6cfd7c6cf5badc2ddfeb7322fb708833ae5a431ecd6e00c0a1eaf22b4d

SHA512
1a9a6577f796fe06f627e47153079ab99e29a5868effde57f02e31e236879e11b3b40a33b0ebe494acae67a210e2a7a7e558baf6b334fc44fba57111fb916547

Download Submit
C:\Windows\SysWOW64\xmlanrqd.exe

Filesize
21KB

MD5
359972e0cecdf275900c6475768768e4

SHA1
f128644f8ca7b1b7ffe69954a13102708a99ae99

SHA256
ca98c02547ad8202c1b6db535f6e79855f08860963fda0238ff3b62632ba470b

SHA512
1bd85102f4c271325495796e5482ed10eca5f6bc7d9f172fe2fad82b470af54b8b841730fa8f2b984658ef099a43ac13fbe62ea73a82d0369ed12d7b03b7c39f

Download Submit
C:\Windows\SysWOW64\xmlanrqd.exe

Filesize
28KB

MD5
61e194106198533c9ef9bd43c0e7ef5b

SHA1
b6df1ae273162fe23730d31dd70109779fe766e8

SHA256
3eac372b06fea67578f19055c58c446dbaed08cc8925e6fae3f4c054e07ce60a

SHA512
e4ac6095b5d100f82f3806f9b765123841b47787c86d40d5e810f89dd28c512cd13acf04f37c65b7279eb4eb46bc8fa05d899748254462fcd9dd89841d4f6c24

Download Submit
memory/216-338-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/416-351-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/448-262-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-206-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/624-198-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/756-59-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/756-66-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/832-321-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/832-326-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/840-148-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/904-290-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/904-296-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/924-72-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/924-79-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1080-277-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1080-271-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1096-109-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1096-116-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1108-232-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1180-390-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1196-334-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1200-376-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1200-383-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1224-453-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1240-414-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1240-407-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1324-489-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1336-140-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1340-224-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1340-218-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1408-342-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1456-35-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1468-330-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1500-53-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1520-158-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1520-166-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1640-228-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1640-223-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1652-322-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1668-437-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1676-393-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1680-173-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1680-165-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1700-471-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1700-480-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1756-445-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1800-309-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1900-159-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1940-172-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1940-179-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2000-257-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2016-103-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2088-128-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2100-461-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2192-372-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2228-47-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2360-304-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2428-97-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2472-346-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2544-214-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2580-60-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2960-249-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3124-91-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3240-16-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3336-398-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3360-285-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3360-291-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3428-122-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3440-378-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3440-370-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3448-28-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3452-283-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3452-276-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3520-366-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3552-267-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3552-261-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3560-503-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3560-493-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3568-205-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3568-210-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3592-199-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3592-191-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3628-266-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3628-272-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3652-361-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3696-73-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3748-486-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3752-85-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3812-1-0x0000000000490000-0x0000000000494000-memory.dmp

Filesize
16KB

Download
memory/3812-0-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3812-14-0x0000000000490000-0x0000000000494000-memory.dmp

Filesize
16KB

Download
memory/3812-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3868-409-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3908-295-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3908-300-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3944-313-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3944-308-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4024-403-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4088-495-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4088-487-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4216-356-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4252-240-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4260-134-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4272-449-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4272-456-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4344-244-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4468-317-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4476-440-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4536-152-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4540-219-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4568-248-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4568-253-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4572-473-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4572-465-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4588-470-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4668-425-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4728-110-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4740-185-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4784-194-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4800-419-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4820-236-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4856-15-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4856-22-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4892-41-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4892-34-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4908-430-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4908-423-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5068-286-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads