metasploit | 67e07368739819c893c0752d8dc1bc0c1f87764a711f18ceb9507162644a9393

Analysis

max time kernel
188s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03c35e1ee1b0bf6340cdb45773c9fd3e.exe
Size

524KB
MD5

03c35e1ee1b0bf6340cdb45773c9fd3e
SHA1

1338fb2e480eb7a42cc6e299948583012c48cad5
SHA256

67e07368739819c893c0752d8dc1bc0c1f87764a711f18ceb9507162644a9393
SHA512

36ed40208275a2e13704cd73ab61a58f1f5deb02d80e91c3840a8836b6070228ebdf0c017955a84912aaa64a14511f3032468e3c648b64f9db13af79d77fcad4
SSDEEP

12288:JI0As/dcwf0e/GQAPCqtKbFeEFk88ho1RFR25Au14qsYBKBgMVkJoQg:W0F1cwfR/4tYk8HxR25+TYki1JoQg

Score

10^/10

metasploit backdoor evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

pid	Process
2164	jwhpvta.exe
2468	gepaqnp.exe
1360	lriijob.exe
1548	vqvftnb.exe
2456	zzasjow.exe
2216	jjqderl.exe
2640	mqefujm.exe
1864	jrotqmy.exe
572	tmpdxoy.exe
2332	ggvtjtd.exe
2436	ktobcdq.exe
1228	xckwnyx.exe
2604	mvhjwlh.exe
2664	rpxinws.exe
2992	onwiodf.exe
1348	lhzeefd.exe
2448	lzaoysn.exe
2712	alxjigx.exe
2616	ksbgafx.exe
840	mfejvfl.exe
808	zhkzhrq.exe
2376	gpgrthz.exe
1720	tgatkpf.exe
388	dnmruoe.exe
1080	dfnjoao.exe
2760	srkwyoz.exe
2012	cbzhlrf.exe
2908	fxazamg.exe
1656	pzqjopm.exe
3024	zvruvkv.exe
364	jcvroiu.exe
2888	oszmkwg.exe
2740	yrejuvn.exe
2796	gkdkbcr.exe
2756	fophgta.exe
1752	kpfcoyg.exe
616	mvxnqsz.exe
1688	nkfisoy.exe
2772	wwlzjcc.exe
2884	bbfhcmh.exe
2256	pooxipg.exe
2628	ohxpccp.exe
2432	dlfpouz.exe
1992	iuckkik.exe
2136	ijapcrn.exe
2676	vhusszt.exe
1668	zmoadbx.exe
472	jxdczem.exe
1116	mgvaram.exe
1680	gbiijtu.exe
2652	wvfdshe.exe
2152	gujalge.exe
2084	fyvxifv.exe
1544	koaselg.exe
2980	uypyjbi.exe
556	fftvtai.exe
1380	lzcdprb.exe
2160	iybbzor.exe
752	hqcubbt.exe
1732	zbnwjtr.exe
2124	ripjgmk.exe
1488	bhthyls.exe
2504	iaamnna.exe
1880	nfuuhon.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	iaamnna.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	jevpycf.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	htjaksl.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	xjqwvwo.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	cbzhlrf.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	ijapcrn.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	ripjgmk.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	cuokssr.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	pvnexnr.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	nkfisoy.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	vzfrvkq.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	pqcaufv.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	aoyzfdv.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	gbiijtu.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	txkvucb.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	owpktku.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	vpqrqlf.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	xeqosgx.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	kcmjnzy.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	mvhjwlh.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	wvfdshe.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	hwkhkni.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	xgjfdoz.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	ajnvopt.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	qblebpo.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	sebivoa.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	xgpixsu.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	rbuyplc.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	xktullm.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	evpbsqw.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	hihfbbw.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	jxdczem.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	gujalge.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	kejamgp.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	cgwniup.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	qpxopqa.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	eqqjrce.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	dvqrbbo.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	bnafxea.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	qtmoqmb.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	uyqpvsm.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	gpywuac.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	dbzgylq.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	ppdjkfh.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	xoqlkjo.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	lriijob.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	ktobcdq.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	koaselg.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	wrztlrn.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	wvhcdau.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	mfejvfl.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	aboefcy.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	xzprgyu.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	adgehwv.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	onwiodf.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	sjwlrzj.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	bbfhcmh.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	uypyjbi.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	srypdub.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	jebstru.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	cblbzgo.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	jjqderl.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	gpgrthz.exe
Key opened	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Wine	hqcubbt.exe

Loads dropped DLL 64 IoCs

pid	Process
2108	03c35e1ee1b0bf6340cdb45773c9fd3e.exe
2108	03c35e1ee1b0bf6340cdb45773c9fd3e.exe
2164	jwhpvta.exe
2164	jwhpvta.exe
2468	gepaqnp.exe
2468	gepaqnp.exe
1360	lriijob.exe
1360	lriijob.exe
1548	vqvftnb.exe
1548	vqvftnb.exe
2456	zzasjow.exe
2456	zzasjow.exe
2216	jjqderl.exe
2216	jjqderl.exe
2640	mqefujm.exe
2640	mqefujm.exe
1864	jrotqmy.exe
1864	jrotqmy.exe
572	tmpdxoy.exe
572	tmpdxoy.exe
2332	ggvtjtd.exe
2332	ggvtjtd.exe
2436	ktobcdq.exe
2436	ktobcdq.exe
1228	xckwnyx.exe
1228	xckwnyx.exe
2604	mvhjwlh.exe
2604	mvhjwlh.exe
2664	rpxinws.exe
2664	rpxinws.exe
2992	onwiodf.exe
2992	onwiodf.exe
1348	lhzeefd.exe
1348	lhzeefd.exe
2448	lzaoysn.exe
2448	lzaoysn.exe
2712	alxjigx.exe
2712	alxjigx.exe
2616	ksbgafx.exe
2616	ksbgafx.exe
840	mfejvfl.exe
840	mfejvfl.exe
808	zhkzhrq.exe
808	zhkzhrq.exe
2376	gpgrthz.exe
2376	gpgrthz.exe
1720	tgatkpf.exe
1720	tgatkpf.exe
388	dnmruoe.exe
388	dnmruoe.exe
1080	dfnjoao.exe
1080	dfnjoao.exe
2760	srkwyoz.exe
2760	srkwyoz.exe
2012	cbzhlrf.exe
2012	cbzhlrf.exe
2908	fxazamg.exe
2908	fxazamg.exe
1656	pzqjopm.exe
1656	pzqjopm.exe
3024	zvruvkv.exe
3024	zvruvkv.exe
364	jcvroiu.exe
364	jcvroiu.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\onwiodf.exe	rpxinws.exe
File created	C:\Windows\SysWOW64\yrejuvn.exe	oszmkwg.exe
File opened for modification	C:\Windows\SysWOW64\bfcrvwt.exe	mprrwmp.exe
File opened for modification	C:\Windows\SysWOW64\tkwmoks.exe	jevpycf.exe
File created	C:\Windows\SysWOW64\fzzpokv.exe	dkxmfdc.exe
File created	C:\Windows\SysWOW64\fnxpkvm.exe	ozxzfzv.exe
File created	C:\Windows\SysWOW64\ktobcdq.exe	ggvtjtd.exe
File opened for modification	C:\Windows\SysWOW64\mvxnqsz.exe	kpfcoyg.exe
File opened for modification	C:\Windows\SysWOW64\wvfdshe.exe	gbiijtu.exe
File created	C:\Windows\SysWOW64\dznlfhx.exe	wrztlrn.exe
File opened for modification	C:\Windows\SysWOW64\koaselg.exe	fyvxifv.exe
File opened for modification	C:\Windows\SysWOW64\pzmwayd.exe	irregju.exe
File created	C:\Windows\SysWOW64\xeqosgx.exe	kkkhgut.exe
File opened for modification	C:\Windows\SysWOW64\bnafxea.exe	owxdpdv.exe
File opened for modification	C:\Windows\SysWOW64\uaealzs.exe	npgvogb.exe
File created	C:\Windows\SysWOW64\kpfcoyg.exe	fophgta.exe
File created	C:\Windows\SysWOW64\lqxjlqe.exe	rbzkimi.exe
File created	C:\Windows\SysWOW64\jevpycf.exe	wjdzsgg.exe
File created	C:\Windows\SysWOW64\nhdrwww.exe	jryeiik.exe
File opened for modification	C:\Windows\SysWOW64\evpbsqw.exe	xjqwvwo.exe
File created	C:\Windows\SysWOW64\ohxpccp.exe	pooxipg.exe
File created	C:\Windows\SysWOW64\ppdjkfh.exe	nqptnac.exe
File created	C:\Windows\SysWOW64\yqxmbsn.exe	vgywjwg.exe
File opened for modification	C:\Windows\SysWOW64\mqefujm.exe	jjqderl.exe
File opened for modification	C:\Windows\SysWOW64\pzqjopm.exe	fxazamg.exe
File created	C:\Windows\SysWOW64\koaselg.exe	fyvxifv.exe
File opened for modification	C:\Windows\SysWOW64\jxdczem.exe	zmoadbx.exe
File opened for modification	C:\Windows\SysWOW64\mppcams.exe	cuokssr.exe
File created	C:\Windows\SysWOW64\dwrwwko.exe	vdswpek.exe
File opened for modification	C:\Windows\SysWOW64\evvvigw.exe	jebstru.exe
File opened for modification	C:\Windows\SysWOW64\lzaoysn.exe	lhzeefd.exe
File opened for modification	C:\Windows\SysWOW64\wabudek.exe	dbzgylq.exe
File opened for modification	C:\Windows\SysWOW64\eqqjrce.exe	yoigbfy.exe
File created	C:\Windows\SysWOW64\gbiijtu.exe	mgvaram.exe
File created	C:\Windows\SysWOW64\kepvzuf.exe	owpktku.exe
File created	C:\Windows\SysWOW64\klvtmoi.exe	sizjkey.exe
File opened for modification	C:\Windows\SysWOW64\iwlaqwn.exe	wufkfji.exe
File opened for modification	C:\Windows\SysWOW64\jwhpvta.exe	03c35e1ee1b0bf6340cdb45773c9fd3e.exe
File opened for modification	C:\Windows\SysWOW64\jcvroiu.exe	zvruvkv.exe
File opened for modification	C:\Windows\SysWOW64\iybbzor.exe	lzcdprb.exe
File created	C:\Windows\SysWOW64\jjqderl.exe	zzasjow.exe
File opened for modification	C:\Windows\SysWOW64\oszmkwg.exe	jcvroiu.exe
File opened for modification	C:\Windows\SysWOW64\gbiijtu.exe	mgvaram.exe
File opened for modification	C:\Windows\SysWOW64\fftvtai.exe	uypyjbi.exe
File opened for modification	C:\Windows\SysWOW64\iaamnna.exe	bhthyls.exe
File created	C:\Windows\SysWOW64\sjwlrzj.exe	tymqbfg.exe
File opened for modification	C:\Windows\SysWOW64\uyqpvsm.exe	hwkhkni.exe
File opened for modification	C:\Windows\SysWOW64\epdzvxx.exe	xktullm.exe
File opened for modification	C:\Windows\SysWOW64\bkyjhte.exe	ztktjor.exe
File created	C:\Windows\SysWOW64\ypdztvx.exe	kcmjnzy.exe
File opened for modification	C:\Windows\SysWOW64\ajnvopt.exe	whfnpxj.exe
File opened for modification	C:\Windows\SysWOW64\nkfisoy.exe	mvxnqsz.exe
File opened for modification	C:\Windows\SysWOW64\srypdub.exe	neehrso.exe
File opened for modification	C:\Windows\SysWOW64\tkbggyi.exe	omeysfj.exe
File opened for modification	C:\Windows\SysWOW64\nqptnac.exe	adgehwv.exe
File opened for modification	C:\Windows\SysWOW64\xoqlkjo.exe	sjwlrzj.exe
File created	C:\Windows\SysWOW64\jnqrplu.exe	bfcrvwt.exe
File opened for modification	C:\Windows\SysWOW64\eohmyml.exe	aboefcy.exe
File opened for modification	C:\Windows\SysWOW64\ksbgafx.exe	alxjigx.exe
File created	C:\Windows\SysWOW64\yoigbfy.exe	ucogivu.exe
File opened for modification	C:\Windows\SysWOW64\jryeiik.exe	eqqjrce.exe
File opened for modification	C:\Windows\SysWOW64\ehkkboe.exe	xzprgyu.exe
File opened for modification	C:\Windows\SysWOW64\wjdzsgg.exe	rbhmwsu.exe
File opened for modification	C:\Windows\SysWOW64\zluucff.exe	xeqosgx.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2164	2108	03c35e1ee1b0bf6340cdb45773c9fd3e.exe	29
PID 2108 wrote to memory of 2164	2108	03c35e1ee1b0bf6340cdb45773c9fd3e.exe	29
PID 2108 wrote to memory of 2164	2108	03c35e1ee1b0bf6340cdb45773c9fd3e.exe	29
PID 2108 wrote to memory of 2164	2108	03c35e1ee1b0bf6340cdb45773c9fd3e.exe	29
PID 2164 wrote to memory of 2468	2164	jwhpvta.exe	30
PID 2164 wrote to memory of 2468	2164	jwhpvta.exe	30
PID 2164 wrote to memory of 2468	2164	jwhpvta.exe	30
PID 2164 wrote to memory of 2468	2164	jwhpvta.exe	30
PID 2468 wrote to memory of 1360	2468	gepaqnp.exe	31
PID 2468 wrote to memory of 1360	2468	gepaqnp.exe	31
PID 2468 wrote to memory of 1360	2468	gepaqnp.exe	31
PID 2468 wrote to memory of 1360	2468	gepaqnp.exe	31
PID 1360 wrote to memory of 1548	1360	lriijob.exe	32
PID 1360 wrote to memory of 1548	1360	lriijob.exe	32
PID 1360 wrote to memory of 1548	1360	lriijob.exe	32
PID 1360 wrote to memory of 1548	1360	lriijob.exe	32
PID 1548 wrote to memory of 2456	1548	vqvftnb.exe	33
PID 1548 wrote to memory of 2456	1548	vqvftnb.exe	33
PID 1548 wrote to memory of 2456	1548	vqvftnb.exe	33
PID 1548 wrote to memory of 2456	1548	vqvftnb.exe	33
PID 2456 wrote to memory of 2216	2456	zzasjow.exe	34
PID 2456 wrote to memory of 2216	2456	zzasjow.exe	34
PID 2456 wrote to memory of 2216	2456	zzasjow.exe	34
PID 2456 wrote to memory of 2216	2456	zzasjow.exe	34
PID 2216 wrote to memory of 2640	2216	jjqderl.exe	35
PID 2216 wrote to memory of 2640	2216	jjqderl.exe	35
PID 2216 wrote to memory of 2640	2216	jjqderl.exe	35
PID 2216 wrote to memory of 2640	2216	jjqderl.exe	35
PID 2640 wrote to memory of 1864	2640	mqefujm.exe	36
PID 2640 wrote to memory of 1864	2640	mqefujm.exe	36
PID 2640 wrote to memory of 1864	2640	mqefujm.exe	36
PID 2640 wrote to memory of 1864	2640	mqefujm.exe	36
PID 1864 wrote to memory of 572	1864	jrotqmy.exe	37
PID 1864 wrote to memory of 572	1864	jrotqmy.exe	37
PID 1864 wrote to memory of 572	1864	jrotqmy.exe	37
PID 1864 wrote to memory of 572	1864	jrotqmy.exe	37
PID 572 wrote to memory of 2332	572	tmpdxoy.exe	38
PID 572 wrote to memory of 2332	572	tmpdxoy.exe	38
PID 572 wrote to memory of 2332	572	tmpdxoy.exe	38
PID 572 wrote to memory of 2332	572	tmpdxoy.exe	38
PID 2332 wrote to memory of 2436	2332	ggvtjtd.exe	39
PID 2332 wrote to memory of 2436	2332	ggvtjtd.exe	39
PID 2332 wrote to memory of 2436	2332	ggvtjtd.exe	39
PID 2332 wrote to memory of 2436	2332	ggvtjtd.exe	39
PID 2436 wrote to memory of 1228	2436	ktobcdq.exe	40
PID 2436 wrote to memory of 1228	2436	ktobcdq.exe	40
PID 2436 wrote to memory of 1228	2436	ktobcdq.exe	40
PID 2436 wrote to memory of 1228	2436	ktobcdq.exe	40
PID 1228 wrote to memory of 2604	1228	xckwnyx.exe	41
PID 1228 wrote to memory of 2604	1228	xckwnyx.exe	41
PID 1228 wrote to memory of 2604	1228	xckwnyx.exe	41
PID 1228 wrote to memory of 2604	1228	xckwnyx.exe	41
PID 2604 wrote to memory of 2664	2604	mvhjwlh.exe	42
PID 2604 wrote to memory of 2664	2604	mvhjwlh.exe	42
PID 2604 wrote to memory of 2664	2604	mvhjwlh.exe	42
PID 2604 wrote to memory of 2664	2604	mvhjwlh.exe	42
PID 2664 wrote to memory of 2992	2664	rpxinws.exe	43
PID 2664 wrote to memory of 2992	2664	rpxinws.exe	43
PID 2664 wrote to memory of 2992	2664	rpxinws.exe	43
PID 2664 wrote to memory of 2992	2664	rpxinws.exe	43
PID 2992 wrote to memory of 1348	2992	onwiodf.exe	44
PID 2992 wrote to memory of 1348	2992	onwiodf.exe	44
PID 2992 wrote to memory of 1348	2992	onwiodf.exe	44
PID 2992 wrote to memory of 1348	2992	onwiodf.exe	44

C:\Users\Admin\AppData\Local\Temp\03c35e1ee1b0bf6340cdb45773c9fd3e.exe
"C:\Users\Admin\AppData\Local\Temp\03c35e1ee1b0bf6340cdb45773c9fd3e.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Windows\SysWOW64\jwhpvta.exe
  C:\Windows\system32\jwhpvta.exe 664 "C:\Users\Admin\AppData\Local\Temp\03c35e1ee1b0bf6340cdb45773c9fd3e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\gepaqnp.exe
    C:\Windows\system32\gepaqnp.exe 616 "C:\Windows\SysWOW64\jwhpvta.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\lriijob.exe
      C:\Windows\system32\lriijob.exe 620 "C:\Windows\SysWOW64\gepaqnp.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Windows\SysWOW64\vqvftnb.exe
        
        C:\Windows\system32\vqvftnb.exe 612 "C:\Windows\SysWOW64\lriijob.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1548
      - C:\Windows\SysWOW64\zzasjow.exe
        
        C:\Windows\system32\zzasjow.exe 624 "C:\Windows\SysWOW64\vqvftnb.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\jjqderl.exe
        
        C:\Windows\system32\jjqderl.exe 660 "C:\Windows\SysWOW64\zzasjow.exe"
        7⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\mqefujm.exe
        
        C:\Windows\system32\mqefujm.exe 632 "C:\Windows\SysWOW64\jjqderl.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\jrotqmy.exe
        
        C:\Windows\system32\jrotqmy.exe 680 "C:\Windows\SysWOW64\mqefujm.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\tmpdxoy.exe
        
        C:\Windows\system32\tmpdxoy.exe 628 "C:\Windows\SysWOW64\jrotqmy.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:572
        
        C:\Windows\SysWOW64\ggvtjtd.exe
        
        C:\Windows\system32\ggvtjtd.exe 724 "C:\Windows\SysWOW64\tmpdxoy.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\ktobcdq.exe
        
        C:\Windows\system32\ktobcdq.exe 676 "C:\Windows\SysWOW64\ggvtjtd.exe"
        12⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\SysWOW64\xckwnyx.exe
        
        C:\Windows\system32\xckwnyx.exe 732 "C:\Windows\SysWOW64\ktobcdq.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\mvhjwlh.exe
        
        C:\Windows\system32\mvhjwlh.exe 740 "C:\Windows\SysWOW64\xckwnyx.exe"
        14⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\rpxinws.exe
        
        C:\Windows\system32\rpxinws.exe 736 "C:\Windows\SysWOW64\mvhjwlh.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\SysWOW64\onwiodf.exe
        
        C:\Windows\system32\onwiodf.exe 744 "C:\Windows\SysWOW64\rpxinws.exe"
        16⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\lhzeefd.exe
        
        C:\Windows\system32\lhzeefd.exe 748 "C:\Windows\SysWOW64\onwiodf.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\lzaoysn.exe
        
        C:\Windows\system32\lzaoysn.exe 636 "C:\Windows\SysWOW64\lhzeefd.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2448
        
        C:\Windows\SysWOW64\alxjigx.exe
        
        C:\Windows\system32\alxjigx.exe 760 "C:\Windows\SysWOW64\lzaoysn.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\ksbgafx.exe
        
        C:\Windows\system32\ksbgafx.exe 764 "C:\Windows\SysWOW64\alxjigx.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2616
        
        C:\Windows\SysWOW64\mfejvfl.exe
        
        C:\Windows\system32\mfejvfl.exe 768 "C:\Windows\SysWOW64\ksbgafx.exe"
        21⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        
        PID:840
        
        C:\Windows\SysWOW64\zhkzhrq.exe
        
        C:\Windows\system32\zhkzhrq.exe 756 "C:\Windows\SysWOW64\mfejvfl.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:808
        
        C:\Windows\SysWOW64\gpgrthz.exe
        
        C:\Windows\system32\gpgrthz.exe 640 "C:\Windows\SysWOW64\zhkzhrq.exe"
        23⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        
        PID:2376
        
        C:\Windows\SysWOW64\tgatkpf.exe
        
        C:\Windows\system32\tgatkpf.exe 776 "C:\Windows\SysWOW64\gpgrthz.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1720
        
        C:\Windows\SysWOW64\dnmruoe.exe
        
        C:\Windows\system32\dnmruoe.exe 788 "C:\Windows\SysWOW64\tgatkpf.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:388
        
        C:\Windows\SysWOW64\dfnjoao.exe
        
        C:\Windows\system32\dfnjoao.exe 644 "C:\Windows\SysWOW64\dnmruoe.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1080
        
        C:\Windows\SysWOW64\srkwyoz.exe
        
        C:\Windows\system32\srkwyoz.exe 792 "C:\Windows\SysWOW64\dfnjoao.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2760
        
        C:\Windows\SysWOW64\cbzhlrf.exe
        
        C:\Windows\system32\cbzhlrf.exe 796 "C:\Windows\SysWOW64\srkwyoz.exe"
        28⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        
        PID:2012
        
        C:\Windows\SysWOW64\fxazamg.exe
        
        C:\Windows\system32\fxazamg.exe 784 "C:\Windows\SysWOW64\cbzhlrf.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\pzqjopm.exe
        
        C:\Windows\system32\pzqjopm.exe 808 "C:\Windows\SysWOW64\fxazamg.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1656
        
        C:\Windows\SysWOW64\zvruvkv.exe
        
        C:\Windows\system32\zvruvkv.exe 800 "C:\Windows\SysWOW64\pzqjopm.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\jcvroiu.exe
        
        C:\Windows\system32\jcvroiu.exe 804 "C:\Windows\SysWOW64\zvruvkv.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:364
        
        C:\Windows\SysWOW64\oszmkwg.exe
        
        C:\Windows\system32\oszmkwg.exe 712 "C:\Windows\SysWOW64\jcvroiu.exe"
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\yrejuvn.exe
        
        C:\Windows\system32\yrejuvn.exe 820 "C:\Windows\SysWOW64\oszmkwg.exe"
        34⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Windows\SysWOW64\gkdkbcr.exe
        
        C:\Windows\system32\gkdkbcr.exe 720 "C:\Windows\SysWOW64\yrejuvn.exe"
        35⤵
        Executes dropped EXE
        
        PID:2796
        
        C:\Windows\SysWOW64\fophgta.exe
        
        C:\Windows\system32\fophgta.exe 648 "C:\Windows\SysWOW64\gkdkbcr.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2756
        
        C:\Windows\SysWOW64\kpfcoyg.exe
        
        C:\Windows\system32\kpfcoyg.exe 832 "C:\Windows\SysWOW64\fophgta.exe"
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\mvxnqsz.exe
        
        C:\Windows\system32\mvxnqsz.exe 652 "C:\Windows\SysWOW64\kpfcoyg.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:616
        
        C:\Windows\SysWOW64\nkfisoy.exe
        
        C:\Windows\system32\nkfisoy.exe 840 "C:\Windows\SysWOW64\mvxnqsz.exe"
        39⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:1688
        
        C:\Windows\SysWOW64\wwlzjcc.exe
        
        C:\Windows\system32\wwlzjcc.exe 684 "C:\Windows\SysWOW64\nkfisoy.exe"
        40⤵
        Executes dropped EXE
        
        PID:2772
        
        C:\Windows\SysWOW64\bbfhcmh.exe
        
        C:\Windows\system32\bbfhcmh.exe 656 "C:\Windows\SysWOW64\wwlzjcc.exe"
        41⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:2884
        
        C:\Windows\SysWOW64\pooxipg.exe
        
        C:\Windows\system32\pooxipg.exe 728 "C:\Windows\SysWOW64\bbfhcmh.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\ohxpccp.exe
        
        C:\Windows\system32\ohxpccp.exe 692 "C:\Windows\SysWOW64\pooxipg.exe"
        43⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Windows\SysWOW64\dlfpouz.exe
        
        C:\Windows\system32\dlfpouz.exe 856 "C:\Windows\SysWOW64\ohxpccp.exe"
        44⤵
        Executes dropped EXE
        
        PID:2432
        
        C:\Windows\SysWOW64\iuckkik.exe
        
        C:\Windows\system32\iuckkik.exe 864 "C:\Windows\SysWOW64\dlfpouz.exe"
        45⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Windows\SysWOW64\ijapcrn.exe
        
        C:\Windows\system32\ijapcrn.exe 672 "C:\Windows\SysWOW64\iuckkik.exe"
        46⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:2136
        
        C:\Windows\SysWOW64\vhusszt.exe
        
        C:\Windows\system32\vhusszt.exe 868 "C:\Windows\SysWOW64\ijapcrn.exe"
        47⤵
        Executes dropped EXE
        
        PID:2676
        
        C:\Windows\SysWOW64\zmoadbx.exe
        
        C:\Windows\system32\zmoadbx.exe 872 "C:\Windows\SysWOW64\vhusszt.exe"
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\Windows\SysWOW64\jxdczem.exe
        
        C:\Windows\system32\jxdczem.exe 876 "C:\Windows\SysWOW64\zmoadbx.exe"
        49⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:472
        
        C:\Windows\SysWOW64\mgvaram.exe
        
        C:\Windows\system32\mgvaram.exe 888 "C:\Windows\SysWOW64\jxdczem.exe"
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\SysWOW64\gbiijtu.exe
        
        C:\Windows\system32\gbiijtu.exe 688 "C:\Windows\SysWOW64\mgvaram.exe"
        51⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\wvfdshe.exe
        
        C:\Windows\system32\wvfdshe.exe 896 "C:\Windows\SysWOW64\gbiijtu.exe"
        52⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:2652
        
        C:\Windows\SysWOW64\gujalge.exe
        
        C:\Windows\system32\gujalge.exe 892 "C:\Windows\SysWOW64\wvfdshe.exe"
        53⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:2152
        
        C:\Windows\SysWOW64\fyvxifv.exe
        
        C:\Windows\system32\fyvxifv.exe 900 "C:\Windows\SysWOW64\gujalge.exe"
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\koaselg.exe
        
        C:\Windows\system32\koaselg.exe 908 "C:\Windows\SysWOW64\fyvxifv.exe"
        55⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:1544
        
        C:\Windows\SysWOW64\uypyjbi.exe
        
        C:\Windows\system32\uypyjbi.exe 700 "C:\Windows\SysWOW64\koaselg.exe"
        56⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\fftvtai.exe
        
        C:\Windows\system32\fftvtai.exe 924 "C:\Windows\SysWOW64\uypyjbi.exe"
        57⤵
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\SysWOW64\lzcdprb.exe
        
        C:\Windows\system32\lzcdprb.exe 912 "C:\Windows\SysWOW64\fftvtai.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\iybbzor.exe
        
        C:\Windows\system32\iybbzor.exe 904 "C:\Windows\SysWOW64\lzcdprb.exe"
        59⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Windows\SysWOW64\hqcubbt.exe
        
        C:\Windows\system32\hqcubbt.exe 920 "C:\Windows\SysWOW64\iybbzor.exe"
        60⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:752
        
        C:\Windows\SysWOW64\zbnwjtr.exe
        
        C:\Windows\system32\zbnwjtr.exe 668 "C:\Windows\SysWOW64\hqcubbt.exe"
        61⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Windows\SysWOW64\ripjgmk.exe
        
        C:\Windows\system32\ripjgmk.exe 932 "C:\Windows\SysWOW64\zbnwjtr.exe"
        62⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:2124
        
        C:\Windows\SysWOW64\bhthyls.exe
        
        C:\Windows\system32\bhthyls.exe 936 "C:\Windows\SysWOW64\ripjgmk.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\iaamnna.exe
        
        C:\Windows\system32\iaamnna.exe 884 "C:\Windows\SysWOW64\bhthyls.exe"
        64⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:2504
        
        C:\Windows\SysWOW64\nfuuhon.exe
        
        C:\Windows\system32\nfuuhon.exe 940 "C:\Windows\SysWOW64\iaamnna.exe"
        65⤵
        Executes dropped EXE
        
        PID:1880
        
        C:\Windows\SysWOW64\kkomulb.exe
        
        C:\Windows\system32\kkomulb.exe 848 "C:\Windows\SysWOW64\nfuuhon.exe"
        66⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\hwkhkni.exe
        
        C:\Windows\system32\hwkhkni.exe 708 "C:\Windows\SysWOW64\kkomulb.exe"
        67⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\uyqpvsm.exe
        
        C:\Windows\system32\uyqpvsm.exe 852 "C:\Windows\SysWOW64\hwkhkni.exe"
        68⤵
        Identifies Wine through registry keys
        
        PID:1480
        
        C:\Windows\SysWOW64\exumoru.exe
        
        C:\Windows\system32\exumoru.exe 956 "C:\Windows\SysWOW64\uyqpvsm.exe"
        69⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\bymzkcf.exe
        
        C:\Windows\system32\bymzkcf.exe 828 "C:\Windows\SysWOW64\exumoru.exe"
        70⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\idwmbni.exe
        
        C:\Windows\system32\idwmbni.exe 968 "C:\Windows\SysWOW64\bymzkcf.exe"
        71⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\neehrso.exe
        
        C:\Windows\system32\neehrso.exe 964 "C:\Windows\SysWOW64\idwmbni.exe"
        72⤵
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\srypdub.exe
        
        C:\Windows\system32\srypdub.exe 972 "C:\Windows\SysWOW64\neehrso.exe"
        73⤵
        Identifies Wine through registry keys
        
        PID:2548
        
        C:\Windows\SysWOW64\ubpfvqb.exe
        
        C:\Windows\system32\ubpfvqb.exe 976 "C:\Windows\SysWOW64\srypdub.exe"
        74⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cuokssr.exe
        
        C:\Windows\system32\cuokssr.exe 984 "C:\Windows\SysWOW64\ubpfvqb.exe"
        75⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1252
        
        C:\Windows\SysWOW64\mppcams.exe
        
        C:\Windows\system32\mppcams.exe 988 "C:\Windows\SysWOW64\cuokssr.exe"
        76⤵
        
        PID:908
        
        C:\Windows\SysWOW64\txkvucb.exe
        
        C:\Windows\system32\txkvucb.exe 980 "C:\Windows\SysWOW64\mppcams.exe"
        77⤵
        Identifies Wine through registry keys
        
        PID:564
        
        C:\Windows\SysWOW64\vzddgkt.exe
        
        C:\Windows\system32\vzddgkt.exe 812 "C:\Windows\SysWOW64\txkvucb.exe"
        78⤵
        
        PID:904
        
        C:\Windows\SysWOW64\sxkdhry.exe
        
        C:\Windows\system32\sxkdhry.exe 1000 "C:\Windows\SysWOW64\vzddgkt.exe"
        79⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\kejamgp.exe
        
        C:\Windows\system32\kejamgp.exe 704 "C:\Windows\SysWOW64\sxkdhry.exe"
        80⤵
        Identifies Wine through registry keys
        
        PID:1444
        
        C:\Windows\SysWOW64\xgpixsu.exe
        
        C:\Windows\system32\xgpixsu.exe 860 "C:\Windows\SysWOW64\kejamgp.exe"
        81⤵
        Identifies Wine through registry keys
        
        PID:2284
        
        C:\Windows\SysWOW64\hbqafmu.exe
        
        C:\Windows\system32\hbqafmu.exe 880 "C:\Windows\SysWOW64\xgpixsu.exe"
        82⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\rbuyplc.exe
        
        C:\Windows\system32\rbuyplc.exe 1016 "C:\Windows\SysWOW64\hbqafmu.exe"
        83⤵
        Identifies Wine through registry keys
        
        PID:1932
        
        C:\Windows\SysWOW64\wrztlrn.exe
        
        C:\Windows\system32\wrztlrn.exe 1012 "C:\Windows\SysWOW64\rbuyplc.exe"
        84⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:3004
        
        C:\Windows\SysWOW64\dznlfhx.exe
        
        C:\Windows\system32\dznlfhx.exe 1028 "C:\Windows\SysWOW64\wrztlrn.exe"
        85⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\ldxypaa.exe
        
        C:\Windows\system32\ldxypaa.exe 1032 "C:\Windows\SysWOW64\dznlfhx.exe"
        86⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\ptcllgl.exe
        
        C:\Windows\system32\ptcllgl.exe 1036 "C:\Windows\SysWOW64\ldxypaa.exe"
        87⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\apudsam.exe
        
        C:\Windows\system32\apudsam.exe 1048 "C:\Windows\SysWOW64\ptcllgl.exe"
        88⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\htfiktx.exe
        
        C:\Windows\system32\htfiktx.exe 1040 "C:\Windows\SysWOW64\apudsam.exe"
        89⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\rsrousw.exe
        
        C:\Windows\system32\rsrousw.exe 1020 "C:\Windows\SysWOW64\htfiktx.exe"
        90⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\jvfqwcg.exe
        
        C:\Windows\system32\jvfqwcg.exe 1052 "C:\Windows\SysWOW64\rsrousw.exe"
        91⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\ylojchz.exe
        
        C:\Windows\system32\ylojchz.exe 1008 "C:\Windows\SysWOW64\jvfqwcg.exe"
        92⤵
        
        PID:844
        
        C:\Windows\SysWOW64\gpywuac.exe
        
        C:\Windows\system32\gpywuac.exe 1064 "C:\Windows\SysWOW64\ylojchz.exe"
        93⤵
        Identifies Wine through registry keys
        
        PID:2804
        
        C:\Windows\SysWOW64\homlsxq.exe
        
        C:\Windows\system32\homlsxq.exe 1056 "C:\Windows\SysWOW64\gpywuac.exe"
        94⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\irregju.exe
        
        C:\Windows\system32\irregju.exe 1060 "C:\Windows\SysWOW64\homlsxq.exe"
        95⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\pzmwayd.exe
        
        C:\Windows\system32\pzmwayd.exe 1072 "C:\Windows\SysWOW64\irregju.exe"
        96⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\mprrwmp.exe
        
        C:\Windows\system32\mprrwmp.exe 1068 "C:\Windows\SysWOW64\pzmwayd.exe"
        97⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\bfcrvwt.exe
        
        C:\Windows\system32\bfcrvwt.exe 1084 "C:\Windows\SysWOW64\mprrwmp.exe"
        98⤵
        Drops file in System32 directory
        
        PID:864
        
        C:\Windows\SysWOW64\jnqrplu.exe
        
        C:\Windows\system32\jnqrplu.exe 1088 "C:\Windows\SysWOW64\bfcrvwt.exe"
        99⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\tiqbxgd.exe
        
        C:\Windows\system32\tiqbxgd.exe 1076 "C:\Windows\SysWOW64\jnqrplu.exe"
        100⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\vzfrvkq.exe
        
        C:\Windows\system32\vzfrvkq.exe 1104 "C:\Windows\SysWOW64\tiqbxgd.exe"
        101⤵
        Identifies Wine through registry keys
        
        PID:2496
        
        C:\Windows\SysWOW64\sxlrwrv.exe
        
        C:\Windows\system32\sxlrwrv.exe 1092 "C:\Windows\SysWOW64\vzfrvkq.exe"
        102⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\aboefcy.exe
        
        C:\Windows\system32\aboefcy.exe 1080 "C:\Windows\SysWOW64\sxlrwrv.exe"
        103⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1924
        
        C:\Windows\SysWOW64\eohmyml.exe
        
        C:\Windows\system32\eohmyml.exe 1100 "C:\Windows\SysWOW64\aboefcy.exe"
        104⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\pntjjls.exe
        
        C:\Windows\system32\pntjjls.exe 1108 "C:\Windows\SysWOW64\eohmyml.exe"
        105⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\wvhcdau.exe
        
        C:\Windows\system32\wvhcdau.exe 1112 "C:\Windows\SysWOW64\pntjjls.exe"
        106⤵
        Identifies Wine through registry keys
        
        PID:2480
        
        C:\Windows\SysWOW64\ezrpvlf.exe
        
        C:\Windows\system32\ezrpvlf.exe 1120 "C:\Windows\SysWOW64\wvhcdau.exe"
        107⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\oydmfke.exe
        
        C:\Windows\system32\oydmfke.exe 1096 "C:\Windows\SysWOW64\ezrpvlf.exe"
        108⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\yxhkpjm.exe
        
        C:\Windows\system32\yxhkpjm.exe 1116 "C:\Windows\SysWOW64\oydmfke.exe"
        109⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\pqcaufv.exe
        
        C:\Windows\system32\pqcaufv.exe 1132 "C:\Windows\SysWOW64\yxhkpjm.exe"
        110⤵
        Identifies Wine through registry keys
        
        PID:1700
        
        C:\Windows\SysWOW64\wfigryo.exe
        
        C:\Windows\system32\wfigryo.exe 1124 "C:\Windows\SysWOW64\pqcaufv.exe"
        111⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\rnwjtqz.exe
        
        C:\Windows\system32\rnwjtqz.exe 780 "C:\Windows\SysWOW64\wfigryo.exe"
        112⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\vdswpek.exe
        
        C:\Windows\system32\vdswpek.exe 952 "C:\Windows\SysWOW64\rnwjtqz.exe"
        113⤵
        Drops file in System32 directory
        
        PID:1236
        
        C:\Windows\SysWOW64\dwrwwko.exe
        
        C:\Windows\system32\dwrwwko.exe 948 "C:\Windows\SysWOW64\vdswpek.exe"
        114⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\imwrsya.exe
        
        C:\Windows\system32\imwrsya.exe 1148 "C:\Windows\SysWOW64\dwrwwko.exe"
        115⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\keohkvi.exe
        
        C:\Windows\system32\keohkvi.exe 696 "C:\Windows\SysWOW64\imwrsya.exe"
        116⤵
        
        PID:636
        
        C:\Windows\SysWOW64\monecrq.exe
        
        C:\Windows\system32\monecrq.exe 1152 "C:\Windows\SysWOW64\keohkvi.exe"
        117⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\rbhmwsu.exe
        
        C:\Windows\system32\rbhmwsu.exe 716 "C:\Windows\SysWOW64\monecrq.exe"
        118⤵
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\wjdzsgg.exe
        
        C:\Windows\system32\wjdzsgg.exe 928 "C:\Windows\SysWOW64\rbhmwsu.exe"
        119⤵
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\jevpycf.exe
        
        C:\Windows\system32\jevpycf.exe 752 "C:\Windows\SysWOW64\wjdzsgg.exe"
        120⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\tkwmoks.exe
        
        C:\Windows\system32\tkwmoks.exe 1168 "C:\Windows\SysWOW64\jevpycf.exe"
        121⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\aoyzfdv.exe
        
        C:\Windows\system32\aoyzfdv.exe 1176 "C:\Windows\SysWOW64\tkwmoks.exe"
        122⤵
        Identifies Wine through registry keys
        
        PID:2776
        
        C:\Windows\SysWOW64\nuqzftd.exe
        
        C:\Windows\system32\nuqzftd.exe 824 "C:\Windows\SysWOW64\aoyzfdv.exe"
        123⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\awwpqyq.exe
        
        C:\Windows\system32\awwpqyq.exe 1180 "C:\Windows\SysWOW64\nuqzftd.exe"
        124⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cgwniup.exe
        
        C:\Windows\system32\cgwniup.exe 992 "C:\Windows\SysWOW64\awwpqyq.exe"
        125⤵
        Identifies Wine through registry keys
        
        PID:868
        
        C:\Windows\SysWOW64\picuugc.exe
        
        C:\Windows\system32\picuugc.exe 960 "C:\Windows\SysWOW64\cgwniup.exe"
        126⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\tyzpqmn.exe
        
        C:\Windows\system32\tyzpqmn.exe 772 "C:\Windows\SysWOW64\picuugc.exe"
        127⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\dxlniln.exe
        
        C:\Windows\system32\dxlniln.exe 1200 "C:\Windows\SysWOW64\tyzpqmn.exe"
        128⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\owpktku.exe
        
        C:\Windows\system32\owpktku.exe 1204 "C:\Windows\SysWOW64\dxlniln.exe"
        129⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\kepvzuf.exe
        
        C:\Windows\system32\kepvzuf.exe 1216 "C:\Windows\SysWOW64\owpktku.exe"
        130⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\qpxopqa.exe
        
        C:\Windows\system32\qpxopqa.exe 1196 "C:\Windows\SysWOW64\kepvzuf.exe"
        131⤵
        Identifies Wine through registry keys
        
        PID:2556
        
        C:\Windows\SysWOW64\ucogivu.exe
        
        C:\Windows\system32\ucogivu.exe 1212 "C:\Windows\SysWOW64\qpxopqa.exe"
        132⤵
        Drops file in System32 directory
        
        PID:2180
        
        C:\Windows\SysWOW64\yoigbfy.exe
        
        C:\Windows\system32\yoigbfy.exe 836 "C:\Windows\SysWOW64\ucogivu.exe"
        133⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\eqqjrce.exe
        
        C:\Windows\system32\eqqjrce.exe 1184 "C:\Windows\SysWOW64\yoigbfy.exe"
        134⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2088
        
        C:\Windows\SysWOW64\jryeiik.exe
        
        C:\Windows\system32\jryeiik.exe 1228 "C:\Windows\SysWOW64\eqqjrce.exe"
        135⤵
        Drops file in System32 directory
        
        PID:1468
        
        C:\Windows\SysWOW64\nhdrwww.exe
        
        C:\Windows\system32\nhdrwww.exe 1232 "C:\Windows\SysWOW64\jryeiik.exe"
        136⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\vpqrqlf.exe
        
        C:\Windows\system32\vpqrqlf.exe 1224 "C:\Windows\SysWOW64\nhdrwww.exe"
        137⤵
        Identifies Wine through registry keys
        
        PID:2404
        
        C:\Windows\SysWOW64\xktullm.exe
        
        C:\Windows\system32\xktullm.exe 816 "C:\Windows\SysWOW64\vpqrqlf.exe"
        138⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1744
        
        C:\Windows\SysWOW64\epdzvxx.exe
        
        C:\Windows\system32\epdzvxx.exe 1244 "C:\Windows\SysWOW64\xktullm.exe"
        139⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\mhczjlt.exe
        
        C:\Windows\system32\mhczjlt.exe 844 "C:\Windows\SysWOW64\epdzvxx.exe"
        140⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\biwesul.exe
        
        C:\Windows\system32\biwesul.exe 1252 "C:\Windows\SysWOW64\mhczjlt.exe"
        141⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\rmfzwap.exe
        
        C:\Windows\system32\rmfzwap.exe 1248 "C:\Windows\SysWOW64\biwesul.exe"
        142⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\vgnzvsa.exe
        
        C:\Windows\system32\vgnzvsa.exe 1256 "C:\Windows\SysWOW64\rmfzwap.exe"
        143⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\dkxmfdc.exe
        
        C:\Windows\system32\dkxmfdc.exe 1260 "C:\Windows\SysWOW64\vgnzvsa.exe"
        144⤵
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\fzzpokv.exe
        
        C:\Windows\system32\fzzpokv.exe 1004 "C:\Windows\SysWOW64\dkxmfdc.exe"
        145⤵
        
        PID:800
        
        C:\Windows\SysWOW64\sxtsxst.exe
        
        C:\Windows\system32\sxtsxst.exe 1264 "C:\Windows\SysWOW64\fzzpokv.exe"
        146⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\ocpkeil.exe
        
        C:\Windows\system32\ocpkeil.exe 1272 "C:\Windows\SysWOW64\sxtsxst.exe"
        147⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\joqibio.exe
        
        C:\Windows\system32\joqibio.exe 1268 "C:\Windows\SysWOW64\ocpkeil.exe"
        148⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\quxdeda.exe
        
        C:\Windows\system32\quxdeda.exe 1284 "C:\Windows\SysWOW64\joqibio.exe"
        149⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\rtltchn.exe
        
        C:\Windows\system32\rtltchn.exe 1280 "C:\Windows\SysWOW64\quxdeda.exe"
        150⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\ztktjor.exe
        
        C:\Windows\system32\ztktjor.exe 1292 "C:\Windows\SysWOW64\rtltchn.exe"
        151⤵
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\bkyjhte.exe
        
        C:\Windows\system32\bkyjhte.exe 1208 "C:\Windows\SysWOW64\ztktjor.exe"
        152⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\omeysfj.exe
        
        C:\Windows\system32\omeysfj.exe 1300 "C:\Windows\SysWOW64\bkyjhte.exe"
        153⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\tkbggyi.exe
        
        C:\Windows\system32\tkbggyi.exe 1236 "C:\Windows\SysWOW64\omeysfj.exe"
        154⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\dvqrbbo.exe
        
        C:\Windows\system32\dvqrbbo.exe 1308 "C:\Windows\SysWOW64\tkbggyi.exe"
        155⤵
        Identifies Wine through registry keys
        
        PID:2564
        
        C:\Windows\SysWOW64\kcmjnzy.exe
        
        C:\Windows\system32\kcmjnzy.exe 916 "C:\Windows\SysWOW64\dvqrbbo.exe"
        156⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\ypdztvx.exe
        
        C:\Windows\system32\ypdztvx.exe 944 "C:\Windows\SysWOW64\kcmjnzy.exe"
        157⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cjlgsnp.exe
        
        C:\Windows\system32\cjlgsnp.exe 1304 "C:\Windows\SysWOW64\ypdztvx.exe"
        158⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\kkkhgut.exe
        
        C:\Windows\system32\kkkhgut.exe 1044 "C:\Windows\SysWOW64\cjlgsnp.exe"
        159⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\xeqosgx.exe
        
        C:\Windows\system32\xeqosgx.exe 1328 "C:\Windows\SysWOW64\kkkhgut.exe"
        160⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\zluucff.exe
        
        C:\Windows\system32\zluucff.exe 1128 "C:\Windows\SysWOW64\xeqosgx.exe"
        161⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\dbzgylq.exe
        
        C:\Windows\system32\dbzgylq.exe 1188 "C:\Windows\SysWOW64\zluucff.exe"
        162⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:296
        
        C:\Windows\SysWOW64\wabudek.exe
        
        C:\Windows\system32\wabudek.exe 1336 "C:\Windows\SysWOW64\dbzgylq.exe"
        163⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\dflznxu.exe
        
        C:\Windows\system32\dflznxu.exe 1344 "C:\Windows\SysWOW64\wabudek.exe"
        164⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\xonhsri.exe
        
        C:\Windows\system32\xonhsri.exe 1296 "C:\Windows\SysWOW64\dflznxu.exe"
        165⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\fspuckl.exe
        
        C:\Windows\system32\fspuckl.exe 1136 "C:\Windows\SysWOW64\xonhsri.exe"
        166⤵
        
        PID:936
        
        C:\Windows\SysWOW64\pvnexnr.exe
        
        C:\Windows\system32\pvnexnr.exe 1352 "C:\Windows\SysWOW64\fspuckl.exe"
        167⤵
        Identifies Wine through registry keys
        
        PID:2868
        
        C:\Windows\SysWOW64\xzprgyu.exe
        
        C:\Windows\system32\xzprgyu.exe 1140 "C:\Windows\SysWOW64\pvnexnr.exe"
        168⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\ehkkboe.exe
        
        C:\Windows\system32\ehkkboe.exe 1364 "C:\Windows\SysWOW64\xzprgyu.exe"
        169⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\ozxzfzv.exe
        
        C:\Windows\system32\ozxzfzv.exe 1220 "C:\Windows\SysWOW64\ehkkboe.exe"
        170⤵
        Drops file in System32 directory
        
        PID:308
        
        C:\Windows\SysWOW64\fnxpkvm.exe
        
        C:\Windows\system32\fnxpkvm.exe 1156 "C:\Windows\SysWOW64\ozxzfzv.exe"
        171⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\uojplss.exe
        
        C:\Windows\system32\uojplss.exe 1144 "C:\Windows\SysWOW64\fnxpkvm.exe"
        172⤵
        
        PID:628
        
        C:\Windows\SysWOW64\xgjfdoz.exe
        
        C:\Windows\system32\xgjfdoz.exe 1340 "C:\Windows\SysWOW64\uojplss.exe"
        173⤵
        Identifies Wine through registry keys
        
        PID:1584
        
        C:\Windows\SysWOW64\jebstru.exe
        
        C:\Windows\system32\jebstru.exe 996 "C:\Windows\SysWOW64\xgjfdoz.exe"
        174⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\evvvigw.exe
        
        C:\Windows\system32\evvvigw.exe 1376 "C:\Windows\SysWOW64\jebstru.exe"
        175⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\nqtpxwu.exe
        
        C:\Windows\system32\nqtpxwu.exe 1160 "C:\Windows\SysWOW64\evvvigw.exe"
        176⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\paknqsc.exe
        
        C:\Windows\system32\paknqsc.exe 1316 "C:\Windows\SysWOW64\nqtpxwu.exe"
        177⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cyfqyaa.exe
        
        C:\Windows\system32\cyfqyaa.exe 1400 "C:\Windows\SysWOW64\paknqsc.exe"
        178⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\owxdpdv.exe
        
        C:\Windows\system32\owxdpdv.exe 1192 "C:\Windows\SysWOW64\cyfqyaa.exe"
        179⤵
        Drops file in System32 directory
        
        PID:592
        
        C:\Windows\SysWOW64\bnafxea.exe
        
        C:\Windows\system32\bnafxea.exe 1164 "C:\Windows\SysWOW64\owxdpdv.exe"
        180⤵
        Identifies Wine through registry keys
        
        PID:1144
        
        C:\Windows\SysWOW64\whfnpxj.exe
        
        C:\Windows\system32\whfnpxj.exe 1380 "C:\Windows\SysWOW64\bnafxea.exe"
        181⤵
        Drops file in System32 directory
        
        PID:1484
        
        C:\Windows\SysWOW64\ajnvopt.exe
        
        C:\Windows\system32\ajnvopt.exe 1416 "C:\Windows\SysWOW64\whfnpxj.exe"
        182⤵
        Identifies Wine through registry keys
        
        PID:1168
        
        C:\Windows\SysWOW64\aqltfxe.exe
        
        C:\Windows\system32\aqltfxe.exe 1240 "C:\Windows\SysWOW64\ajnvopt.exe"
        183⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\npgvogb.exe
        
        C:\Windows\system32\npgvogb.exe 1424 "C:\Windows\SysWOW64\aqltfxe.exe"
        184⤵
        Drops file in System32 directory
        
        PID:2788
        
        C:\Windows\SysWOW64\uaealzs.exe
        
        C:\Windows\system32\uaealzs.exe 1332 "C:\Windows\SysWOW64\npgvogb.exe"
        185⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cblbzgo.exe
        
        C:\Windows\system32\cblbzgo.exe 1172 "C:\Windows\SysWOW64\uaealzs.exe"
        186⤵
        Identifies Wine through registry keys
        
        PID:3016
        
        C:\Windows\SysWOW64\jizbmex.exe
        
        C:\Windows\system32\jizbmex.exe 1312 "C:\Windows\SysWOW64\cblbzgo.exe"
        187⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\zqkbsnb.exe
        
        C:\Windows\system32\zqkbsnb.exe 1436 "C:\Windows\SysWOW64\jizbmex.exe"
        188⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\jxwgdmi.exe
        
        C:\Windows\system32\jxwgdmi.exe 1392 "C:\Windows\SysWOW64\zqkbsnb.exe"
        189⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\sizjkey.exe
        
        C:\Windows\system32\sizjkey.exe 1448 "C:\Windows\SysWOW64\jxwgdmi.exe"
        190⤵
        Drops file in System32 directory
        
        PID:1780
        
        C:\Windows\SysWOW64\klvtmoi.exe
        
        C:\Windows\system32\klvtmoi.exe 1320 "C:\Windows\SysWOW64\sizjkey.exe"
        191⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\xjqwvwo.exe
        
        C:\Windows\system32\xjqwvwo.exe 1456 "C:\Windows\SysWOW64\klvtmoi.exe"
        192⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\evpbsqw.exe
        
        C:\Windows\system32\evpbsqw.exe 1412 "C:\Windows\SysWOW64\xjqwvwo.exe"
        193⤵
        Identifies Wine through registry keys
        
        PID:2644
        
        C:\Windows\SysWOW64\jhijlab.exe
        
        C:\Windows\system32\jhijlab.exe 1276 "C:\Windows\SysWOW64\evpbsqw.exe"
        194⤵
        
        PID:768
        
        C:\Windows\SysWOW64\ofnrrbi.exe
        
        C:\Windows\system32\ofnrrbi.exe 1360 "C:\Windows\SysWOW64\jhijlab.exe"
        195⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\blxlnkl.exe
        
        C:\Windows\system32\blxlnkl.exe 1472 "C:\Windows\SysWOW64\ofnrrbi.exe"
        196⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\adgehwv.exe
        
        C:\Windows\system32\adgehwv.exe 1348 "C:\Windows\SysWOW64\blxlnkl.exe"
        197⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\nqptnac.exe
        
        C:\Windows\system32\nqptnac.exe 1484 "C:\Windows\SysWOW64\adgehwv.exe"
        198⤵
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\ppdjkfh.exe
        
        C:\Windows\system32\ppdjkfh.exe 1476 "C:\Windows\SysWOW64\nqptnac.exe"
        199⤵
        Identifies Wine through registry keys
        
        PID:2184
        
        C:\Windows\SysWOW64\sebivoa.exe
        
        C:\Windows\system32\sebivoa.exe 1480 "C:\Windows\SysWOW64\ppdjkfh.exe"
        200⤵
        Identifies Wine through registry keys
        
        PID:2352
        
        C:\Windows\SysWOW64\htjaksl.exe
        
        C:\Windows\system32\htjaksl.exe 1488 "C:\Windows\SysWOW64\sebivoa.exe"
        201⤵
        Identifies Wine through registry keys
        
        PID:1748
        
        C:\Windows\SysWOW64\hihfbbw.exe
        
        C:\Windows\system32\hihfbbw.exe 1496 "C:\Windows\SysWOW64\htjaksl.exe"
        202⤵
        Identifies Wine through registry keys
        
        PID:1324
        
        C:\Windows\SysWOW64\obgkqce.exe
        
        C:\Windows\system32\obgkqce.exe 1500 "C:\Windows\SysWOW64\hihfbbw.exe"
        203⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\wufkfji.exe
        
        C:\Windows\system32\wufkfji.exe 1508 "C:\Windows\SysWOW64\obgkqce.exe"
        204⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\iwlaqwn.exe
        
        C:\Windows\system32\iwlaqwn.exe 1492 "C:\Windows\SysWOW64\wufkfji.exe"
        205⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\ppgllnk.exe
        
        C:\Windows\system32\ppgllnk.exe 1324 "C:\Windows\SysWOW64\iwlaqwn.exe"
        206⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\mbbdsuv.exe
        
        C:\Windows\system32\mbbdsuv.exe 1372 "C:\Windows\SysWOW64\ppgllnk.exe"
        207⤵
        
        PID:584
        
        C:\Windows\SysWOW64\tymqbfg.exe
        
        C:\Windows\system32\tymqbfg.exe 1520 "C:\Windows\SysWOW64\mbbdsuv.exe"
        208⤵
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\sjwlrzj.exe
        
        C:\Windows\system32\sjwlrzj.exe 1516 "C:\Windows\SysWOW64\tymqbfg.exe"
        209⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2224
        
        C:\Windows\SysWOW64\xoqlkjo.exe
        
        C:\Windows\system32\xoqlkjo.exe 1528 "C:\Windows\SysWOW64\sjwlrzj.exe"
        210⤵
        Identifies Wine through registry keys
        
        PID:1536
        
        C:\Windows\SysWOW64\rbzkimi.exe
        
        C:\Windows\system32\rbzkimi.exe 1524 "C:\Windows\SysWOW64\xoqlkjo.exe"
        211⤵
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\lqxjlqe.exe
        
        C:\Windows\system32\lqxjlqe.exe 1532 "C:\Windows\SysWOW64\rbzkimi.exe"
        212⤵
        
        PID:344
        
        C:\Windows\SysWOW64\qtmoqmb.exe
        
        C:\Windows\system32\qtmoqmb.exe 1540 "C:\Windows\SysWOW64\lqxjlqe.exe"
        213⤵
        Identifies Wine through registry keys
        
        PID:2668
        
        C:\Windows\SysWOW64\vgywjwg.exe
        
        C:\Windows\system32\vgywjwg.exe 1288 "C:\Windows\SysWOW64\qtmoqmb.exe"
        214⤵
        Drops file in System32 directory
        
        PID:2176
        
        C:\Windows\SysWOW64\yqxmbsn.exe
        
        C:\Windows\system32\yqxmbsn.exe 1420 "C:\Windows\SysWOW64\vgywjwg.exe"
        215⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\qblebpo.exe
        
        C:\Windows\system32\qblebpo.exe 1548 "C:\Windows\SysWOW64\yqxmbsn.exe"
        216⤵
        Identifies Wine through registry keys
        
        PID:952
        
        C:\Windows\SysWOW64\pfxjggf.exe
        
        C:\Windows\system32\pfxjggf.exe 1408 "C:\Windows\SysWOW64\qblebpo.exe"
        217⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\csgzmkd.exe
        
        C:\Windows\system32\csgzmkd.exe 1560 "C:\Windows\SysWOW64\pfxjggf.exe"
        218⤵
        
        PID:976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\gepaqnp.exe

Filesize
193KB

MD5
ef2458518f62151a45c285440ef4e05e

SHA1
79a226334cf55f3038354d822fd7232f129fd120

SHA256
75924aef2daa6d2d7884564925ac267c4e8b54265223dafb72b000519144022a

SHA512
d80f691efe256527ce1b127e2e7f2e2300724daed48548cb6407cc5fb1dd165d950845df7646a7eea66ba9a6ce7b304ccf7d8dd7e53cbc18c6c3cdd0c75ac28e

Download Submit
C:\Windows\SysWOW64\ggvtjtd.exe

Filesize
438KB

MD5
6733a9daf778e900663ddd66d3ab5ed1

SHA1
5d542c5155223b6c9f4736de72621fe47c76b56c

SHA256
13cddc2d6fc5777e261452bf443c821f09c0d501b43236e91e05ad395378a750

SHA512
b126cf7147a4e0401e55e1e963a90c35908eef07654d66a507151de321f5f3c3a17d73d24518e8582709188ab3d2a5feaec0f509dcbe29fb53247b390b43e15e

Download Submit
C:\Windows\SysWOW64\ggvtjtd.exe

Filesize
383KB

MD5
336558f443521f4cbce8b0402e750b96

SHA1
23158483431bc53424a7c7964f9b2428ee5ad153

SHA256
ea3c939f23aed48ffe7418ffc60c865cb9790cd5d04cc9dc974ee02b4c613933

SHA512
e9226932fe41c7987007a26e424e4bad6400e0fdf3947f0e35678e930086dfda8e36133243194b5bb987ee84d301a0fda73021e7def6f1df08fd2ceec304010f

Download Submit
C:\Windows\SysWOW64\jjqderl.exe

Filesize
155KB

MD5
c436894cc6753ecf79a6174e7c7e2dfc

SHA1
54af83bf769fb72d6e7a3c75735d0e591009b9dc

SHA256
78e034c60cb9ec1400bd5f431bdc75a0309ca6c2d32e66777c8df6f67002a638

SHA512
85fd97c4c35913abf7b8def284f0af8b59161536b74ee8a3307921da550e6a62646805d54f99299e9758445ffad98b63a4b8b9a69082bc6cd5097487b48a4be0

Download Submit
C:\Windows\SysWOW64\jjqderl.exe

Filesize
108KB

MD5
c508f5f9632352bb0d7b22dded8a3d9d

SHA1
785850db076a0684bf452e18289e1c497a299e24

SHA256
f22660a3109566362f609acd77aed135371773d3e946128ff377486c1918d387

SHA512
14ab5823bc871e331bea178de9e636d4c86c4e78c30c485fc05ad88688bd686f6f638fbe27ab6e5e679117cd9d9f62b8a8753d0170bbd9a14ed2ca3bbbe9b01b

Download Submit
C:\Windows\SysWOW64\jrotqmy.exe

Filesize
89KB

MD5
d5cf1d64fa1ddc01190ad5b3c0c7f20b

SHA1
c9cbcf4ec056346e5e5fe77381ecd4f1dcd4696b

SHA256
a70d36ad2b0511a7a05fdeccb317ee179fc7ecd3e6f689beb620dd64733405aa

SHA512
5297aa0714d92d449acede343dc14cac22ab525c75ece8875e8ebf02478232ab8c43f297a7273ee8dd806c019ceb8f0b1a171b3a2a0e95949b36830a247117f2

Download Submit
C:\Windows\SysWOW64\jrotqmy.exe

Filesize
1KB

MD5
52cf8bb3c1d6bc753f1b58108cf3114a

SHA1
5974cbbfeaabf1d70d616cd8a2f769348252cf8c

SHA256
8b62a48ace772fc801a3bb6d478d493d8fe580f373265507477df0fdeaf33c78

SHA512
e268e0a58f93f52f3b8c20a83cdd042b7ec62560f75d4e3725ea46e80ecccc143625e4c741bbdbe2a77d8f92ee3b33fa18df36057971d2eaf90eb8cc771cdd71

Download Submit
C:\Windows\SysWOW64\jwhpvta.exe

Filesize
301KB

MD5
09cca2395186322bfd00708ef9dab0fd

SHA1
10f049b489a69edde55973bfd95724207bcff18a

SHA256
64864312caee4865befcffb9a375a777ef7d6c46d500943a3d9f09df7fb3bf9f

SHA512
6674cd48ec743512169cc9d116ce646f137f2367c0a4992d37ea0b0d024231e2281538db0bfd3f3ae3428291cd8a842a0e2dd1eb8b2fe0bf78f02c0ba06ec91a

Download Submit
C:\Windows\SysWOW64\ktobcdq.exe

Filesize
319KB

MD5
172e1f053f4de886d715fc498ee5a28d

SHA1
d074cd4c3ef6f4327cf260e552f26a1fb1bd69a9

SHA256
31ba0b4a56d28ddc2aae6d813588d4f8f13b133eec829e37f993e76965da448b

SHA512
a4a9728842739895d98977903b00b369b31ddece736609105405c632de47dfb798f29fad6ad7021c1dcfc168849bffde595f5c2eb422aaa67180fc5ab9386450

Download Submit
C:\Windows\SysWOW64\ktobcdq.exe

Filesize
239KB

MD5
50c4e422452703e389263318d11f053f

SHA1
c40c925a8a4a083bf271e53b54412c936c1162bf

SHA256
6ca700dad4a7df3ae9a08c08b01d2bbbd5edac4e7910d98e9dbf3a4fb09f114a

SHA512
76def1b13c851809cac86dc9614ac33594e1c0d1b449d31ee2affb63f58b9c1086e353c2281236dffcee177e9d4c52d178951301fc168056c08eb2329ad1dc66

Download Submit
C:\Windows\SysWOW64\lhzeefd.exe

Filesize
220KB

MD5
21e04c769a96b76eedb98d6b0840d107

SHA1
3373b3f355d84ada9673bdba5cf9620a4dfe9076

SHA256
0aead7f7daaeae64e7ab3dff6b88efae601cd9ccd76563cfccd92dbeba060240

SHA512
52cdec9e55dd8ecb19498a92beddbd4e2b72f0e80022d16cb9e105e8b4c1917810ba6078e252c5576dcc20a6306229b9c61551e5b2cad9d97f17b2e463502cdc

Download Submit
C:\Windows\SysWOW64\lhzeefd.exe

Filesize
268KB

MD5
ba7fb518b4b656162bfd1740f2c1d30b

SHA1
787423f0397d9d0faaa8f7e9b666c74acaec8b4e

SHA256
6c3be9e85dc86a14695e50b3cad45bdb49495412e0fb94617bc9377c6216801b

SHA512
8a442c7206cc0cbf0fdd3469333d68a9ca9155b509e945a11d6000e40abf79a1166963fb7b89cd5f169f0fc1714ad03c4f9a2446be4892a812c27f2cfed3439e

Download Submit
C:\Windows\SysWOW64\mqefujm.exe

Filesize
168KB

MD5
25c474f7264cafa2d6b7602a68852ae9

SHA1
46874478c2c10d16b5c3aa4f13de1a7f62b62541

SHA256
399b9415da63e77a74dda390de3a456c985442b78efc5ad8d39c4b3250ed20ab

SHA512
18f281f3a53c27074790d9e5870792768f8dcc3caa24a6452eb07e3a2bbd95fdadfb3547f4bfa640ee11557c62aee8e281616b036828e28b95182d3e83f5c56b

Download Submit
C:\Windows\SysWOW64\mqefujm.exe

Filesize
106KB

MD5
af60a961ad00a2e9051ed3ed4a949f67

SHA1
6cd8771e2546075d60802663eaa00bb9b48389a1

SHA256
cffde099e95ea85c97756cc97ffbf874683284492a17734265898d1301b40bb2

SHA512
6c100454b4d6a594d6971e410c8e5f56f6b366803411a12ced03a72bc2bb355e24f0f79cf52eba7698c3cf33e298026fbce30d85504445afcc153123f405a0e0

Download Submit
C:\Windows\SysWOW64\mvhjwlh.exe

Filesize
292KB

MD5
169d0f2da6c7a05c2184b19733b834e9

SHA1
70289a8bf3ac44c0e410be129738d739534cb8b6

SHA256
1990cad72d390d58f3b3e62ebad31da77c0a088eb688c0b8ff5b9bd47d5aebe3

SHA512
05ed56a97e4f86a3d3028b28f1f2fd297e7aa0c31b269952a790439f13aabad9d3233f8fb28060d9188cf7a0ae73f38c73bd2d5e837f3de1c15bf551320529fd

Download Submit
C:\Windows\SysWOW64\mvhjwlh.exe

Filesize
73KB

MD5
4cc0f60d832ea0e8633a17a5c29e3bf7

SHA1
f0b9d3fb8eaa5b0f58e08631f0099352256212da

SHA256
f34c2a5d337fc2061b54f77ca384302b356a2f5305ca3fad5e221a3843b324ce

SHA512
f01686d3611809c9bff8622e324f06d557852fcc145125902954057d81aec31e5da5819b29ea2a51155a06402f2aeba977af742967a095c24ec24135dd9b2cad

Download Submit
C:\Windows\SysWOW64\onwiodf.exe

Filesize
284KB

MD5
cbba0bcc99f9508bd8d62fd66586ea0d

SHA1
b5a1334fce4ef0e122509b75203b6a50badbd0a5

SHA256
ad58593ccd04058770474a8f53361db4060c116a037408870e9961c8b05cdba3

SHA512
8e646020fe875fa367e7d57d440a199238eb30966524314bf1fcebd0184503ec80e3febf18afd44882f9943fbba7c03b28f488fd07521255f882ad095358f5eb

Download Submit
C:\Windows\SysWOW64\rpxinws.exe

Filesize
183KB

MD5
2c432d23fb41926b4f5357a8ff9ab0d9

SHA1
3fe378769148a4e3afa3b9cd414d8b208ffc9c79

SHA256
2c046228cf4958e56606b4f238f5b7c2830395ae5bf3a8a503c7b5fef24c7e61

SHA512
9b6b786e850949a53641da3dc819460540319b28b8b0e8039d226103fb760f487f260a380268525ca89da6ba0627ad4a1ca1df20e99e1ec630a83741bd7e811a

Download Submit
C:\Windows\SysWOW64\rpxinws.exe

Filesize
123KB

MD5
1ded9bd519e94557ce165aef57f7d44a

SHA1
b93d5de1d58e0f2160d087e0974c5881d1b8115d

SHA256
a541571046c702eea8a53e567b4fc2a9e1688ed3355bfad4d65f324d95cb0865

SHA512
9b197023a7a625f8d3bf6e16ae6152f9801c23f3bc3f04e338d13007903ba78923ef2423574f32ba076bd7744e46a2ffe0983dcd96f2cdf122fa8c646d7263aa

Download Submit
C:\Windows\SysWOW64\tmpdxoy.exe

Filesize
374KB

MD5
d069c603d28658aa73e05fc36ba5207f

SHA1
249f9bba3ffba2def696bb1005648a7cbe70f123

SHA256
b2fcf02267e596478cd96a89a0200e7992957ae10aec69b9e829fb6256c1fbc3

SHA512
a740d954f6bfaec6a09a0991c59b8b69bbf3591654b6357f16ee426a423001c47800246d474ef36fb1d56e9e3ba10a947b85f490fa24f282e1cec7f17758c7e9

Download Submit
C:\Windows\SysWOW64\tmpdxoy.exe

Filesize
402KB

MD5
9d92f151b1ba053980a19d7df308ad8e

SHA1
2be7457e4d8befcf17cffa34bb4769d99287baf6

SHA256
ef7994268830a0879f9ad9e08a10d9875782727985ba5f0de16890b005d4bbc7

SHA512
c7dfd64e3e22562494e6e4b047cfd791115c4e7a32d101d95d409db875e6ef3ae36115519ef425db8fd2f8fc8e5a32be3d1aacbdb41de4ef321bf9ec5674a73a

Download Submit
C:\Windows\SysWOW64\vqvftnb.exe

Filesize
440KB

MD5
d8adc4abe9459afb0719a3a7c834c009

SHA1
ee95883fa98ef810f392c67c02898fa3c632fac6

SHA256
b592a8cdff0ac3aff48de291c41aaecdd68054ca723a4eb440f16160791ba759

SHA512
838dcf659b495d65a5e36c40a8563e3150e830eacb5070675217bca1a0f53117da992d8c36035decbeaf338263bacffb8c975bcf1679c52de6976b3664a71ebb

Download Submit
C:\Windows\SysWOW64\vqvftnb.exe

Filesize
192KB

MD5
d64305d60d80f91a5a402191da737ea0

SHA1
bec55c5d65668c60f6f4b262e3240dc0b0de9a6f

SHA256
97762c143c4c7ace12ba0fd9dc0fe024cb01545b7d9531e6906cf75b1ff92a4d

SHA512
7740524a45d8ac343cf0d0b649df17aac5efe2af15c9ff74582d500bde594f483d5777669eb97738b29640f59eae49def517ec0dc5b11d5b0b979fab5c4a9f55

Download Submit
C:\Windows\SysWOW64\xckwnyx.exe

Filesize
205KB

MD5
4095a01ff14374d1a5283a387754a83a

SHA1
ee96dc8f4d498680d1e429d14ee5f93b7d7a39e5

SHA256
05c175439eda7a537af9f08a0c51a9893a261a94d7950641da754b690660384b

SHA512
e87552ae96cd8e6b6946f99b163b4866526d6ab57271306d9e047bede95bf8fd08e385dfbd98b01c55063bb83b1b45e1ccff2adda81c732289861036a9263870

Download Submit
C:\Windows\SysWOW64\xckwnyx.exe

Filesize
205KB

MD5
1ee708bb86405f13482d45cfcb97eb5d

SHA1
c1600e2651996a1f06ed2568862fff43a4a70f07

SHA256
b673036e44ceeee3cde75cd98fb53896781d48fbbd26d52ba23ca4b0a9cc03ac

SHA512
2f7b66caf8d5731b8c2370da4e9bb201ee8058d0d7e299a52dd888098c822e7f1505b451d14f6df1216b25233cfcdfe8f49be3a2da76a1760f6ecdba5bbf954e

Download Submit
C:\Windows\SysWOW64\zzasjow.exe

Filesize
298KB

MD5
3123bed1cd37eec44105e80f46c9107e

SHA1
912226fdab1b17b8459af4b28d16a9e1fcab97d6

SHA256
757c10e2d0ca1a5e2cc2eb57deeced02fec5a9c8412bc1e954a9cd97d4f819b5

SHA512
af431b9b4133c147f20f4d4bb18d68ff8bcacc8840f70ac09251c9c62e25e18d3bc1a3d8fbc4cdf7f463955f6ddacee9cd905bcd28a1cbebdb145393b3cd02e6

Download Submit
C:\Windows\SysWOW64\zzasjow.exe

Filesize
179KB

MD5
3f5f6877c5f406886a6a6c8cb0901555

SHA1
accdc9a05f82482529ab2d74d8889ba0f70e1218

SHA256
4f4013544a8030bfbbaa81fecb1a517d82c8178fe76304af046863e4ec5e3b42

SHA512
3e487d8b0c001ac080e9487f843bd4e70f9015dde45ac07b4fa13a00faff339a32d12fb71d1e7d0b2f37cab2b68a3b93bc9de262ec8e1d9a2599716604ccfa41

Download Submit
\Windows\SysWOW64\gepaqnp.exe

Filesize
128KB

MD5
99f0e98922cba748d295d5e3c98dd508

SHA1
d9225f479e27249f5ec95e0e295419d5902c9ebb

SHA256
228547bc47f600d5b3f015c18a5536e5f6d7b57a1c85c7292da8dc44e8d632c9

SHA512
2ec2f89cef416eb65b8970160f6e03ca6cd694cc9dca5ba81aea66bdd5cd2c6f1fa3500c031b3ae8a421b1c08cb9121cc2cfaaffa6a68130fcacd10645569f12

Download Submit
\Windows\SysWOW64\gepaqnp.exe

Filesize
135KB

MD5
af3b9a9aeb95ffdf905e0c94edec0ae7

SHA1
e80b2243cc90323f34b018c1c091e63b145914c0

SHA256
a0fc4a9b5c098ec0d8206cbe74eca02f3afc471199ebaf6a33965159bf4d9a50

SHA512
840c7801de5a952a4986a16fab5305d6dd8ff759c94114482528f185e949db1a0072d33228ae8853d5f429d002d7b838f94697e9fbb758c5b235c5e1d4ad1406

Download Submit
\Windows\SysWOW64\ggvtjtd.exe

Filesize
382KB

MD5
d880fc56c9ef719df4f2fb5642f8a8c8

SHA1
64d4138d196e64d2bffb67ba4f320269e091bfe3

SHA256
21635ead981ca66e22356d3d51c18f677c8d11542944836ec6eab94d5ee1bedc

SHA512
cbed66e8e17d252f6ea9678cb128d2fbeb530e0a658ef1c0682b5703c82d2df9202dc56a0f7286f8577db782d9d8f7783e752a6bcac145586d8e82e6fe6268bd

Download Submit
\Windows\SysWOW64\ggvtjtd.exe

Filesize
371KB

MD5
8862e5118fbecdf98c937a34a7287dc2

SHA1
3b48702ee48557af73a8d1496972f99cc5b69a9a

SHA256
25f0c1153e3c1781b2ce5b950fd103f60a05f831d584a3468635356482ce2e46

SHA512
4c8d0fc1e9504e67f8f0b16869354835d93ea9208356131b7288bc5797ef76603126032d9d21071f47417df9052ca4c9d0903de2f99a5bb32ecafab2f45919cd

Download Submit
\Windows\SysWOW64\jjqderl.exe

Filesize
116KB

MD5
35bef9c418d35c983f576ac34cba9638

SHA1
ad2a9899001cdf174aef98db7835a0d3ac00ec72

SHA256
edf49f8e5eb7662d514a1aeb915d9a28a7913724cb9a41f48b6e9aef2391aeb6

SHA512
1c5f3f717f0439d25818ed75ee6344a160f1efad700afee918353f923b946848f982affe061e3b3372f5905b71b362683a28cc70c6af0ae1c8e0afd513c0600e

Download Submit
\Windows\SysWOW64\jjqderl.exe

Filesize
258KB

MD5
f2e8297f4027699030da5fa7f5b29593

SHA1
d31d544802fda41557d05a709c478b234152abff

SHA256
21e2f7d34651e6ed06751648af94810b8fbd28394825d74975f117dfc9a8837a

SHA512
de2b97f6aebad79f1448a7a0b733c4270c071c5f92d4024d0f0474106d09cb040bd565ce9ec19fdcbb4e0216db353d87c79045a27a13bd4e272ee56e9b237cfb

Download Submit
\Windows\SysWOW64\jrotqmy.exe

Filesize
75KB

MD5
81104baf09ee1a14fdfb94de3de57635

SHA1
2ea4804a39183542f1c90fc125a5d97485dd41fd

SHA256
5ed74ccb4a67ad08d87f09a2fdeadb655324ef339edba7fc52a2f5e752878095

SHA512
63df919083efba5e4a3734e4988f9750e7afee22b179856bd5392de81273e17c8f9af87107e59436cbcf6dd1271a6346f80e0307edb8fe165258bebbbb104d20

Download Submit
\Windows\SysWOW64\jrotqmy.exe

Filesize
131KB

MD5
f3e1eb421a27733f0d75a017ab4e47c1

SHA1
cda81a741b4883f36f564e53a969d328b0fb9d16

SHA256
58d9488dd0676dd5d3d3e48402ca1d5040c98d0aac9b0d3c63fde920f744aeef

SHA512
288a8b319c2ddca1566f7ed01dfd024c8fa5d5af31a58e3f99ab18a8b6c0ea31a016b3752b944e02aa54b772a2659cf390432979bebe173e3ccca9aea9c785dd

Download Submit
\Windows\SysWOW64\jwhpvta.exe

Filesize
524KB

MD5
03c35e1ee1b0bf6340cdb45773c9fd3e

SHA1
1338fb2e480eb7a42cc6e299948583012c48cad5

SHA256
67e07368739819c893c0752d8dc1bc0c1f87764a711f18ceb9507162644a9393

SHA512
36ed40208275a2e13704cd73ab61a58f1f5deb02d80e91c3840a8836b6070228ebdf0c017955a84912aaa64a14511f3032468e3c648b64f9db13af79d77fcad4

Download Submit
\Windows\SysWOW64\ktobcdq.exe

Filesize
354KB

MD5
df663aef7841ca151e6c52f7a195814e

SHA1
7fbd53faa2097ec6706a9bc0065fa0626e1ec094

SHA256
28f7e496e95106049680f50f0bc98c5bf375130d6c87152d163959467afcc459

SHA512
ed3c288d00fc3f91d83f2f75499ef998340ba96f54afc41508d37ce29dff8fdd4d682bcff93d53dae3ee92c3aa8d4dd3c412c6751dc2c88158c7eb4bc339684a

Download Submit
\Windows\SysWOW64\ktobcdq.exe

Filesize
420KB

MD5
faccf7d59e1c77eaebde6be34a37909a

SHA1
95e8ddf2af05e60fab94db5cd8ba8d9aa5b7efe5

SHA256
90f0a013520c4ece636a7447a64f988b83316086822c6ee3f091fcbd8457bd72

SHA512
c7e2981c76c88ac33a0665d7c6262c1edf6fde6bfc74feae52946eddf15384e145e72d622dac6c36dd14f4226dfabf79b37865218b0625bb9efac7c297f36a61

Download Submit
\Windows\SysWOW64\lhzeefd.exe

Filesize
386KB

MD5
f282908f5ca237a420b53967876c2a69

SHA1
651e132bfe180c4342ce8f1ac0cf9b7fd7c3bef0

SHA256
865930952b772b0a3cf647fdcbe7a18f74d2d96e1ccf0803534f0b94e9aa699c

SHA512
6145f934fff809caba64b04642c70a35fa06aec253446b102ea77e1781ac034f022d9c556ea72fbbf62ef16967b37a22d3b6483acb78bd3d5a712c9e67ef4846

Download Submit
\Windows\SysWOW64\lhzeefd.exe

Filesize
181KB

MD5
d65b060c444e5cab7c2960e5a4e54484

SHA1
fe0daa720b79c45652303a9f2746387eae9e02d3

SHA256
27d687e71463c9cba683fb5ffb5eef7b18127c2f0c996910f5e83143f566d6c6

SHA512
6558da537cdc43823f5da29df87a60df857f5cadb490f193a48a5161607889909a4ed0e4e1766fdc87a030c0ef75917bfcd48962d9aee2ac2da314193d5aee2d

Download Submit
\Windows\SysWOW64\mqefujm.exe

Filesize
143KB

MD5
9df31adb25b1af8a8c4b2f3bcda73264

SHA1
8d9a23e5176c02b29fd43c75500cdb2d268352ea

SHA256
816d9f38670aa1563eedaa46763ef3f3ef126be0ef700c26e52640f8b486897f

SHA512
9328690d0048c1dbcdc3bdd9df8048d38089eb9791d81c3f62da9a1167a0f380a682fe75c215dfc70ee508b573678b755bf9300099946bb3ce17b7644681542f

Download Submit
\Windows\SysWOW64\mqefujm.exe

Filesize
174KB

MD5
9fedb0878e763ea5a566ffd28473e1c0

SHA1
4fc22bc109c92cff62c04a4bb480e393565134a5

SHA256
75b4de9fbce5315308fcf03c115d2d9247baf5153e1965f904a3bd534e30abf9

SHA512
a89892154570e89e396f63ecbeae760d9195012f27f02e63e923b1c07183ebd91c9ea4deace424cccd84ebcbc124d8fa7ba8fcec459408b028d3fbdfa5a48622

Download Submit
\Windows\SysWOW64\mvhjwlh.exe

Filesize
136KB

MD5
7dc174bb0c33d6061fe871c9a3866c87

SHA1
a9f391d2e70f1925d31affc173b007ac79ec3455

SHA256
cfe4e2d444da0bb4cbf4bb9cb0742a98659eaa6d70947f98101899a6e4072c87

SHA512
5ea8ab44f114166646d6c1c6ce6ef0e3ce4f3b60f68b3d30e991ef371738ba6c1cc6842195c5a826da4a665985191d986a9f126ab029fab52711d0ea0de72ed0

Download Submit
\Windows\SysWOW64\mvhjwlh.exe

Filesize
305KB

MD5
15abb675bd9afe40145e9818a3af4d2c

SHA1
2fb2413351b80b6d5c909877009279ccc4aeea53

SHA256
0f66646ccb195c87b5e7abce181217835f7548a1c7fc0bb9b4bd27173b216e1e

SHA512
8d6460c4edd7e02465206e87bd543c30f95b532d3859382fe8efcfb3aa939d8b29f06a87f413a5397f696d442e07ceea7464864ff3b32128cfbc8bb5b900a6cb

Download Submit
\Windows\SysWOW64\onwiodf.exe

Filesize
262KB

MD5
4462de680c099cc0678b189748d2611e

SHA1
244a38bb37f04de391fbffc7a1c538d1c25cf554

SHA256
214e7a56d3e5f92870cfa65a0fd3cf5e19b186edcce3b15743d9e3e2fb47b158

SHA512
61715147ff63bb2046417c32efd18d3ace405966baae40d83e52d0e8d7dc6b4a13b5da877335a5c8c237c51b06abedbf69f4074b673303a260984227afc6215e

Download Submit
\Windows\SysWOW64\onwiodf.exe

Filesize
181KB

MD5
b586e35b39382f807a29494aef10bea3

SHA1
cfefd6014e5d9321422236bed87f746965e8cafd

SHA256
ff009529a8af404f4e342f3201471d9819b2e5b2efd3047a7907ea3c3b5dd945

SHA512
9f9501da9bc24fb9548acc8e1f1ba9832b8d0a2fb3cd7b226305c14cccf220dd45ab7a362133750de9bf54d557fe395686bb084d43aaa25ff3f6a2ae89d3ad04

Download Submit
\Windows\SysWOW64\rpxinws.exe

Filesize
114KB

MD5
699aa2aef78998214300bed0c2e75506

SHA1
e753cc51d31e1893f68a3f25ad1aafd7bfec7380

SHA256
21429b0df57dc3f168cde8c7f1ce360e96897de04f9c87fd17aa8b2236066734

SHA512
4d1c7716d187d105e47c4a291b64edb2041c19f740068ab6a04b3437b5fe4de931e6ba542b44f24707717b66246e98e7828b0eceab400ac68ecdde8740fbfb65

Download Submit
\Windows\SysWOW64\rpxinws.exe

Filesize
109KB

MD5
7a343e40e8acd2dd7b39a95c995dbcad

SHA1
fabcd7dda8d455574b97f47d5b3ed1afa7841894

SHA256
0133e884f8a72116de5f5c2f0bd77139346a7a2326b9d7d27878a3e69da1b16a

SHA512
36cba0379db131ffd477c1258f5d7c94461747c0e9f6a5bdb2805d574905b49ea2dd653b10d91320fdd408dfc798c55dd8765d199602c6063a14c6e05e1414e7

Download Submit
\Windows\SysWOW64\tmpdxoy.exe

Filesize
1KB

MD5
115c3429236be8a3a6283230b69ab58d

SHA1
402a53bb4ea0ae13e8feabf3826392cadf09971b

SHA256
af542be3e82dcefa2605f5da5ee5f4a84c7506c3893312837b6502db6319c22b

SHA512
3b84a656ae2af221ca9ec45652a181786c70c2d0c795949bd43b9dbbf498ac11aa07f68bdba083a63249aaf82493938c6941b61f005fc00dbabbd3f44d82a3de

Download Submit
\Windows\SysWOW64\tmpdxoy.exe

Filesize
464KB

MD5
79df7462cf66f7f3478041495d652faa

SHA1
4b7fd34a53663e6fcd4898618111aa9965f8cbdb

SHA256
375b4e39dcdcdd3c5366b9b14a8c1d27e88c05b22bb05f9dffd310c17ea6afc9

SHA512
95e13cf98361bab7e18feb8b6fe1767bc40642ccda511b53af9d6e8292e357b8578cc0bcf5b07668883ae10fa5e47330b85612c2c3b12b0562cc9c11ee0bab65

Download Submit
\Windows\SysWOW64\vqvftnb.exe

Filesize
260KB

MD5
87bc3b059e035add1ed677c2138b6931

SHA1
641ae1512d1ff1a4b8e353cee63e4b771173fe0a

SHA256
e2499b0b23e3be1250571c96cead103283b93d5586318609b69988af599b7d3e

SHA512
92e7317b81cd181314e5b18d06f49d47bd1a9b4500cde615a2f1b0e6187f57d39612f5f5676939b900b47e07b71219961f9351c1a8d0d3c5d33990eda5fd0f86

Download Submit
\Windows\SysWOW64\vqvftnb.exe

Filesize
450KB

MD5
1a66316265eaf987689c134d30249e61

SHA1
17f0e024f648f9ef2fe56b819e1a4cbbb9b4dfba

SHA256
7a285056f0c9d65d85b6190c06cc93a9dde7c6fe45367d57aeb350252ac22829

SHA512
3c29578be5828216a5d8c00c5c2429680721964009e4fe00a4892acc1076f62019109856ddddf28bd0185cb73fc717af55fec91b767ab978322bdeed41fc17a5

Download Submit
\Windows\SysWOW64\xckwnyx.exe

Filesize
111KB

MD5
c5c7fbcfda266f99508e427638bcfa45

SHA1
510d6776f2dda9454263057f0f80476d17833a3f

SHA256
03aeb5b69cc532e6ca04d701b6d1c2cc851c777801260add31d1e16f0b00084b

SHA512
6b69d46995227b30da5661ca16dc5b75627f1569bed24cc88f932076e080f6303e41215e08f8b3b652afde832977579d2727a37eb5113967e1c2d928c44f9aa4

Download Submit
\Windows\SysWOW64\xckwnyx.exe

Filesize
407KB

MD5
7181fd84517c7838714e2256464f95e1

SHA1
c37720585d18199029b1db4c60082c82fa7bc34b

SHA256
115ab3391d00886f30df408e03bec2f8a8c183409014813cc1149255796f2686

SHA512
ce1a53fb912568188057f09807df2f784405acd5c237638c796d31ccab17d9dd5465cf960be80fb4106f3b967aaf10143f6d5f78f1a2cd2b83508b61b36b59e7

Download Submit
\Windows\SysWOW64\zzasjow.exe

Filesize
187KB

MD5
79b8cda8d7f88d5104b6f4ab3bab242b

SHA1
d36ea2d7b6fd41ab211db9fc1c5908c5072e0a94

SHA256
bd0b8b1a37385b30a5d5d85479143b10e3ffbbf3ac7e31d1e3bad8c600fa41a3

SHA512
5f7a5e093ff4dd5782df85655fe4182fd1a79c85abe1cdf5d51d8420ef3e9d099365d6efc83b7f8fabfa3b9a8218ae048dd83b82346a29f286e34e42da1b74fe

Download Submit
\Windows\SysWOW64\zzasjow.exe

Filesize
226KB

MD5
b6fd7787a5150f703e2909621ec65233

SHA1
a9abb847d59fd999ff244f6d7269a71086c93728

SHA256
db338cd8230974b0169ceeabcaab7cc6c00bf9095bd0b821f80ea90ab75ab701

SHA512
01091bb34d9c7bc67765b8b66dd2cc6bcf6c0882ec29b398b6f5f9df4cd35301c73c68e1f59a71731d7db2778f5144e835c1a9359633854e29342a80cbddab8d

Download Submit
memory/364-855-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/472-1233-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/556-1441-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/572-291-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/616-980-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/752-1531-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/808-615-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/840-577-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1080-706-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1116-1276-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1228-366-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1348-495-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-102-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/1360-114-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-89-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

Filesize
8KB

Download
memory/1360-105-0x0000000003D50000-0x0000000003D51000-memory.dmp

Filesize
4KB

Download
memory/1360-106-0x0000000003C80000-0x0000000003C81000-memory.dmp

Filesize
4KB

Download
memory/1360-101-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/1360-87-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-103-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/1360-86-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1360-104-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/1360-99-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/1380-1478-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1488-1611-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1544-1402-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1548-146-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1656-807-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1668-1221-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1680-1302-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1720-638-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1732-1558-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1752-967-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1864-277-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1992-1162-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2012-756-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2084-1363-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2108-19-0x0000000003DC0000-0x0000000003DC1000-memory.dmp

Filesize
4KB

Download
memory/2108-5-0x0000000003DA0000-0x0000000003DA1000-memory.dmp

Filesize
4KB

Download
memory/2108-10-0x0000000003D40000-0x0000000003D41000-memory.dmp

Filesize
4KB

Download
memory/2108-27-0x0000000004940000-0x0000000004B1B000-memory.dmp

Filesize
1.9MB

Download
memory/2108-14-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/2108-6-0x0000000003E10000-0x0000000003E11000-memory.dmp

Filesize
4KB

Download
memory/2108-2-0x0000000003DF0000-0x0000000003DF2000-memory.dmp

Filesize
8KB

Download
memory/2108-9-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/2108-8-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/2108-1-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2108-11-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/2108-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2108-13-0x0000000003DE0000-0x0000000003DE1000-memory.dmp

Filesize
4KB

Download
memory/2108-7-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/2108-12-0x0000000003DD0000-0x0000000003DD2000-memory.dmp

Filesize
8KB

Download
memory/2108-15-0x0000000003C90000-0x0000000003C91000-memory.dmp

Filesize
4KB

Download
memory/2108-29-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2108-4-0x0000000003D20000-0x0000000003D21000-memory.dmp

Filesize
4KB

Download
memory/2108-3-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/2124-1583-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2136-1187-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2152-1353-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2160-1490-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2164-46-0x0000000003D40000-0x0000000003D42000-memory.dmp

Filesize
8KB

Download
memory/2164-49-0x0000000003DD0000-0x0000000003DD1000-memory.dmp

Filesize
4KB

Download
memory/2164-31-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/2164-57-0x0000000004810000-0x00000000049EB000-memory.dmp

Filesize
1.9MB

Download
memory/2164-28-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2164-56-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/2164-58-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2164-55-0x0000000003D20000-0x0000000003D21000-memory.dmp

Filesize
4KB

Download
memory/2164-54-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/2164-30-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2164-53-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

Filesize
8KB

Download
memory/2164-35-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/2164-50-0x0000000003DC0000-0x0000000003DC2000-memory.dmp

Filesize
8KB

Download
memory/2164-51-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/2164-48-0x0000000003CF0000-0x0000000003CF1000-memory.dmp

Filesize
4KB

Download
memory/2164-47-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/2164-45-0x0000000003C50000-0x0000000003C51000-memory.dmp

Filesize
4KB

Download
memory/2164-37-0x0000000003C40000-0x0000000003C41000-memory.dmp

Filesize
4KB

Download
memory/2164-44-0x0000000003D50000-0x0000000003D51000-memory.dmp

Filesize
4KB

Download
memory/2216-204-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2256-1098-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2376-625-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2432-1119-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2436-353-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2448-523-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2468-84-0x0000000003DB0000-0x0000000003DB1000-memory.dmp

Filesize
4KB

Download
memory/2468-74-0x0000000003E00000-0x0000000003E01000-memory.dmp

Filesize
4KB

Download
memory/2468-83-0x0000000003CD0000-0x0000000003CD1000-memory.dmp

Filesize
4KB

Download
memory/2468-82-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/2468-81-0x0000000003DC0000-0x0000000003DC2000-memory.dmp

Filesize
8KB

Download
memory/2468-80-0x0000000003CB0000-0x0000000003CB1000-memory.dmp

Filesize
4KB

Download
memory/2468-79-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/2468-78-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/2468-77-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2468-76-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/2468-73-0x0000000003D90000-0x0000000003D91000-memory.dmp

Filesize
4KB

Download
memory/2468-71-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

Filesize
4KB

Download
memory/2468-70-0x0000000003DE0000-0x0000000003DE2000-memory.dmp

Filesize
8KB

Download
memory/2468-85-0x00000000046D0000-0x00000000048AB000-memory.dmp

Filesize
1.9MB

Download
memory/2468-75-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2468-52-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2468-62-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2468-72-0x0000000003CE0000-0x0000000003CE1000-memory.dmp

Filesize
4KB

Download
memory/2604-411-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2616-568-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2628-1115-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2652-1328-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2664-441-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2676-1211-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2712-544-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2740-877-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2756-930-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2760-730-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2772-1035-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2884-1056-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2888-872-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2908-782-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2980-1406-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2992-454-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3024-817-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads