1af46adfac967037ee474a30ad4dbc9c33f95d90cb3f9b9b0e859a46b11ffef3

Analysis

max time kernel
150s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
31/12/2023, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

224beb5a2b2dde8188376e6e0231fb5f.exe
Size

537KB
MD5

224beb5a2b2dde8188376e6e0231fb5f
SHA1

11bb3c6896c218b8227cedfbb3cae73b8ee712c5
SHA256

1af46adfac967037ee474a30ad4dbc9c33f95d90cb3f9b9b0e859a46b11ffef3
SHA512

e36b6d3e9c207c3f8ddc155349adde822c87d140203527be005310a88c16a03b2bb8dd3b730abe8af629914c7a4659fe97d7fd7f0b89d3310e867c714ae98742
SSDEEP

12288:0Q+GIv8sQR5uwICs87Auef1Ur4QyijM2e+K:09GIEtRcwI7CF4jd2rK

Score

7^/10

evasion themida

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2592	ttousfdaq.exe
2488	bkzmygmuy.exe
2676	gxrkdllis.exe
1504	haskrgnot.exe
1076	tfidqslxb.exe
516	mwaahxmww.exe
2304	zfevssbud.exe
2744	vvlgflyss.exe
2560	xmaofdode.exe
2692	uortpveaa.exe
1976	dcroyxekh.exe
1984	pakgsaewi.exe
828	yzuhepdab.exe
2960	mdtwckzrk.exe
2208	hnvrtmtkr.exe
1560	lhmkmrngz.exe
2032	sexhxozfa.exe
2860	khmszgsun.exe
2508	ztrxdhech.exe
1308	yahcuphyb.exe
2296	tgxxxnwqj.exe
2880	kqiaefmcv.exe
960	wlpikeacp.exe
2628	rfuqkyjzk.exe
2720	jurvbomwe.exe
2564	ayggdyelr.exe
1696	snfdimnvz.exe
1448	rfonczxmn.exe
2544	rypgethdt.exe
1740	lzqobvvwg.exe
292	itmbzqbju.exe
2600	xjvtgdulb.exe
2428	cvpbzeztv.exe
832	brbywdpfo.exe
1424	bdnrkhmzd.exe
2972	wbdtnfbyd.exe
2616	sgzmmntce.exe
2740	flruudcxy.exe
1212	fmsmoymoe.exe
1620	zkihivtne.exe
1804	goqeactrf.exe
2348	dilryerdt.exe
2604	monziyoig.exe
2980	hfhcfnyli.exe
2780	bttxnulhh.exe
1428	twgpcypbw.exe
772	rweswgofq.exe
2364	rhovsnifk.exe
1012	qwdajvtbe.exe
612	izsllndrz.exe
2328	xlxqooqrl.exe
2124	zklxmsduz.exe
1020	budveolsg.exe
1408	gvlqvujyo.exe
2280	vluibzcam.exe
1188	smmvfkoka.exe
2756	zixtiibqb.exe
2952	rmmdkrtgw.exe
3048	renommvwc.exe
2620	qiztjdlid.exe
2128	qmllxhqck.exe
1544	cklygllwq.exe
1752	ccmjixvne.exe
1672	oieriodjz.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	pakgsaewi.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	rhovsnifk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	dujhjnekj.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	ndpjqkqyn.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	hchkcumaw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	fknyercsc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	khmszgsun.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	fwydbkkeb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	ombvpyjay.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	ifxafawcz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	zwykecvfy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	monecrqkq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	thpdaktaz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	xgtlartyv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	fypjfuhmo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	dwqgtaggm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	oxaqgiqki.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	meqedpemu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	fcojyemjq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	brbywdpfo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	zklxmsduz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	ccmjixvne.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	bmpkylbkr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	toxakejqz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	cyohhwrrd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	wdqxzjdnn.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	nfzfmupua.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	ayggdyelr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	glempzwtu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	znucxuehq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	lttmdcbdb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	wbdtnfbyd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	vluibzcam.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	gypbaecqs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	pfiqhhyno.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	tsdvvyfdq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	rfonczxmn.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	dzzgwiorf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	tbktqrhbz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	funvjaisd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	djkjnyqlt.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	idkyugqkx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	sccrhhles.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	berligxki.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	xcjnoitoq.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	xemcetoua.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	oewtayiim.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	awycynyjk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	bkzmygmuy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	cvpbzeztv.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	flruudcxy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	losazlqoe.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	ospkuvkzx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	ebxihzjab.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	wstytgejx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	hvpfbbcuk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	xacgevrko.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	lvyaexnuz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	csmmvwhfd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	ecucotmtj.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	tahwkkgam.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	zkzoavese.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	xlrednndn.exe
Key opened	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine	arknmfkgq.exe

Loads dropped DLL 64 IoCs

pid	Process
2052	224beb5a2b2dde8188376e6e0231fb5f.exe
2052	224beb5a2b2dde8188376e6e0231fb5f.exe
2592	ttousfdaq.exe
2592	ttousfdaq.exe
2488	bkzmygmuy.exe
2488	bkzmygmuy.exe
2676	gxrkdllis.exe
2676	gxrkdllis.exe
1504	haskrgnot.exe
1504	haskrgnot.exe
1076	tfidqslxb.exe
1076	tfidqslxb.exe
516	mwaahxmww.exe
516	mwaahxmww.exe
2304	zfevssbud.exe
2304	zfevssbud.exe
2744	vvlgflyss.exe
2744	vvlgflyss.exe
2560	xmaofdode.exe
2560	xmaofdode.exe
2692	uortpveaa.exe
2692	uortpveaa.exe
1976	dcroyxekh.exe
1976	dcroyxekh.exe
1984	pakgsaewi.exe
1984	pakgsaewi.exe
828	yzuhepdab.exe
828	yzuhepdab.exe
2960	mdtwckzrk.exe
2960	mdtwckzrk.exe
2208	hnvrtmtkr.exe
2208	hnvrtmtkr.exe
1560	lhmkmrngz.exe
1560	lhmkmrngz.exe
2032	sexhxozfa.exe
2032	sexhxozfa.exe
2860	khmszgsun.exe
2860	khmszgsun.exe
2508	ztrxdhech.exe
2508	ztrxdhech.exe
1308	yahcuphyb.exe
1308	yahcuphyb.exe
2296	tgxxxnwqj.exe
2296	tgxxxnwqj.exe
2880	kqiaefmcv.exe
2880	kqiaefmcv.exe
960	wlpikeacp.exe
960	wlpikeacp.exe
2628	rfuqkyjzk.exe
2628	rfuqkyjzk.exe
2720	jurvbomwe.exe
2720	jurvbomwe.exe
2564	ayggdyelr.exe
2564	ayggdyelr.exe
1696	snfdimnvz.exe
1696	snfdimnvz.exe
1448	rfonczxmn.exe
1448	rfonczxmn.exe
2544	rypgethdt.exe
2544	rypgethdt.exe
1740	lzqobvvwg.exe
1740	lzqobvvwg.exe
292	itmbzqbju.exe
292	itmbzqbju.exe

Themida packer 52 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/2052-0-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2052-2-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/files/0x000a00000001224a-18.dat	themida
behavioral1/memory/2052-19-0x0000000004830000-0x0000000004A06000-memory.dmp	themida
behavioral1/memory/2052-28-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2592-27-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2592-33-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2488-54-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2592-55-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2488-57-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2488-71-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2676-73-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2676-75-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1504-92-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2676-90-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1504-103-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1504-116-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1076-118-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1076-141-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2304-177-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2744-194-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2692-222-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1976-233-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1984-244-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/828-255-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2960-270-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2208-298-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1560-322-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2032-344-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1308-410-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2296-431-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2880-452-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2628-494-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1448-580-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2600-660-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1424-720-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2616-763-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1212-805-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1804-846-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2348-868-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2980-911-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1428-927-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2364-971-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1012-991-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/612-1012-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1020-1075-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1408-1095-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2280-1115-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1188-1136-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/2620-1222-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1544-1267-0x0000000000400000-0x00000000005D6000-memory.dmp	themida
behavioral1/memory/1752-1288-0x0000000000400000-0x00000000005D6000-memory.dmp	themida

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\djkjnyqlt.exe	ombvpyjay.exe
File opened for modification	C:\Windows\SysWOW64\zkzoavese.exe	izqlmwklk.exe
File created	C:\Windows\SysWOW64\cgatpjitd.exe	crcoysffb.exe
File created	C:\Windows\SysWOW64\nwkhsikcc.exe	nonpsnuop.exe
File created	C:\Windows\SysWOW64\votsockwo.exe	zrohnahbz.exe
File created	C:\Windows\SysWOW64\rwxpwzzwu.exe	wtshwfrzg.exe
File created	C:\Windows\SysWOW64\xmalzvpxo.exe	awulyocqn.exe
File created	C:\Windows\SysWOW64\qbtrcivzy.exe	znucxuehq.exe
File opened for modification	C:\Windows\SysWOW64\xmohwlcvn.exe	szvhdbpmt.exe
File opened for modification	C:\Windows\SysWOW64\hnvrtmtkr.exe	mdtwckzrk.exe
File created	C:\Windows\SysWOW64\uihuheihq.exe	hvpfbbcuk.exe
File created	C:\Windows\SysWOW64\wtshwfrzg.exe	nytepqtgf.exe
File opened for modification	C:\Windows\SysWOW64\monecrqkq.exe	csmmvwhfd.exe
File opened for modification	C:\Windows\SysWOW64\ifxafawcz.exe	oewtayiim.exe
File opened for modification	C:\Windows\SysWOW64\vmnztpfdn.exe	scvjatxfy.exe
File opened for modification	C:\Windows\SysWOW64\soqaqfamc.exe	nuhvgnkqo.exe
File opened for modification	C:\Windows\SysWOW64\idkyugqkx.exe	gphvzgjkd.exe
File created	C:\Windows\SysWOW64\wqzmnnxya.exe	fypjfuhmo.exe
File opened for modification	C:\Windows\SysWOW64\marxiwpwi.exe	ajwcgbzyb.exe
File created	C:\Windows\SysWOW64\voispdhln.exe	qmrfelrha.exe
File opened for modification	C:\Windows\SysWOW64\sgzmmntce.exe	wbdtnfbyd.exe
File created	C:\Windows\SysWOW64\nuhvgnkqo.exe	wcwkyuueu.exe
File created	C:\Windows\SysWOW64\nnuglamix.exe	kggvwbded.exe
File opened for modification	C:\Windows\SysWOW64\pfiqhhyno.exe	laoyulkof.exe
File created	C:\Windows\SysWOW64\lhmkmrngz.exe	hnvrtmtkr.exe
File created	C:\Windows\SysWOW64\kggvwbded.exe	berligxki.exe
File created	C:\Windows\SysWOW64\zwzlqiewl.exe	rspgypbhy.exe
File created	C:\Windows\SysWOW64\nhubtenks.exe	rdyjuwvgs.exe
File opened for modification	C:\Windows\SysWOW64\gszcaexav.exe	eihmhipbo.exe
File opened for modification	C:\Windows\SysWOW64\dewzlkiuh.exe	glempzwtu.exe
File opened for modification	C:\Windows\SysWOW64\kplyrjujx.exe	ootlvxiik.exe
File opened for modification	C:\Windows\SysWOW64\vxqxhopom.exe	zwykecvfy.exe
File opened for modification	C:\Windows\SysWOW64\rypgethdt.exe	rfonczxmn.exe
File opened for modification	C:\Windows\SysWOW64\twgpcypbw.exe	bttxnulhh.exe
File created	C:\Windows\SysWOW64\rtstxtwob.exe	udlteujha.exe
File created	C:\Windows\SysWOW64\kxpyywdag.exe	ifxafawcz.exe
File opened for modification	C:\Windows\SysWOW64\szvhdbpmt.exe	dkmowoekm.exe
File opened for modification	C:\Windows\SysWOW64\wvkfgztzj.exe	zcaskwhxw.exe
File opened for modification	C:\Windows\SysWOW64\flruudcxy.exe	sgzmmntce.exe
File created	C:\Windows\SysWOW64\twgpcypbw.exe	bttxnulhh.exe
File opened for modification	C:\Windows\SysWOW64\uihuheihq.exe	hvpfbbcuk.exe
File created	C:\Windows\SysWOW64\kaqnaalys.exe	bmpkylbkr.exe
File opened for modification	C:\Windows\SysWOW64\ospkuvkzx.exe	tboixgaxw.exe
File opened for modification	C:\Windows\SysWOW64\ztrxdhech.exe	khmszgsun.exe
File opened for modification	C:\Windows\SysWOW64\yahcuphyb.exe	ztrxdhech.exe
File created	C:\Windows\SysWOW64\qmllxhqck.exe	qiztjdlid.exe
File created	C:\Windows\SysWOW64\batbpntbp.exe	rtstxtwob.exe
File opened for modification	C:\Windows\SysWOW64\lkdoccdqm.exe	thpdaktaz.exe
File opened for modification	C:\Windows\SysWOW64\blsfgdtuh.exe	vjkkqxvoz.exe
File created	C:\Windows\SysWOW64\tsdvvyfdq.exe	ecucotmtj.exe
File opened for modification	C:\Windows\SysWOW64\xgtlartyv.exe	jtbvunuuh.exe
File opened for modification	C:\Windows\SysWOW64\pjulbtjol.exe	hivlumfsl.exe
File opened for modification	C:\Windows\SysWOW64\kaqnaalys.exe	bmpkylbkr.exe
File opened for modification	C:\Windows\SysWOW64\odpbdvtcz.exe	ewddswlkz.exe
File created	C:\Windows\SysWOW64\zrohnahbz.exe	ftgnkcacz.exe
File created	C:\Windows\SysWOW64\qmrfelrha.exe	wdqxzjdnn.exe
File created	C:\Windows\SysWOW64\wstytgejx.exe	ruzfgsikx.exe
File opened for modification	C:\Windows\SysWOW64\zwoeohktu.exe	xmohwlcvn.exe
File opened for modification	C:\Windows\SysWOW64\brbywdpfo.exe	cvpbzeztv.exe
File created	C:\Windows\SysWOW64\bdnrkhmzd.exe	brbywdpfo.exe
File created	C:\Windows\SysWOW64\xacgevrko.exe	nplqfsnyh.exe
File created	C:\Windows\SysWOW64\jrvaiyfwr.exe	cyohhwrrd.exe
File opened for modification	C:\Windows\SysWOW64\hfhcfnyli.exe	monziyoig.exe
File created	C:\Windows\SysWOW64\iyzudsola.exe	dwqgtaggm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2052	224beb5a2b2dde8188376e6e0231fb5f.exe
2592	ttousfdaq.exe
2488	bkzmygmuy.exe
2676	gxrkdllis.exe
1504	haskrgnot.exe
1076	tfidqslxb.exe
516	mwaahxmww.exe
2304	zfevssbud.exe
2744	vvlgflyss.exe
2560	xmaofdode.exe
2692	uortpveaa.exe
1976	dcroyxekh.exe
1984	pakgsaewi.exe
828	yzuhepdab.exe
2960	mdtwckzrk.exe
2208	hnvrtmtkr.exe
1560	lhmkmrngz.exe
2032	sexhxozfa.exe
2860	khmszgsun.exe
2508	ztrxdhech.exe
1308	yahcuphyb.exe
2296	tgxxxnwqj.exe
2880	kqiaefmcv.exe
960	wlpikeacp.exe
2628	rfuqkyjzk.exe
2720	jurvbomwe.exe
2564	ayggdyelr.exe
1696	snfdimnvz.exe
1448	rfonczxmn.exe
2544	rypgethdt.exe
1740	lzqobvvwg.exe
292	itmbzqbju.exe
2600	xjvtgdulb.exe
2428	cvpbzeztv.exe
832	brbywdpfo.exe
1424	bdnrkhmzd.exe
2972	wbdtnfbyd.exe
2616	sgzmmntce.exe
2740	flruudcxy.exe
1212	fmsmoymoe.exe
1620	zkihivtne.exe
1804	goqeactrf.exe
2348	dilryerdt.exe
2604	monziyoig.exe
2980	hfhcfnyli.exe
2780	bttxnulhh.exe
1428	twgpcypbw.exe
772	rweswgofq.exe
2364	rhovsnifk.exe
1012	qwdajvtbe.exe
612	izsllndrz.exe
2328	xlxqooqrl.exe
2124	zklxmsduz.exe
1020	budveolsg.exe
1408	gvlqvujyo.exe
2280	vluibzcam.exe
1188	smmvfkoka.exe
2756	zixtiibqb.exe
2952	rmmdkrtgw.exe
3048	renommvwc.exe
2620	qiztjdlid.exe
2128	qmllxhqck.exe
1544	cklygllwq.exe
1752	ccmjixvne.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2592	2052	224beb5a2b2dde8188376e6e0231fb5f.exe	28
PID 2052 wrote to memory of 2592	2052	224beb5a2b2dde8188376e6e0231fb5f.exe	28
PID 2052 wrote to memory of 2592	2052	224beb5a2b2dde8188376e6e0231fb5f.exe	28
PID 2052 wrote to memory of 2592	2052	224beb5a2b2dde8188376e6e0231fb5f.exe	28
PID 2592 wrote to memory of 2488	2592	ttousfdaq.exe	29
PID 2592 wrote to memory of 2488	2592	ttousfdaq.exe	29
PID 2592 wrote to memory of 2488	2592	ttousfdaq.exe	29
PID 2592 wrote to memory of 2488	2592	ttousfdaq.exe	29
PID 2488 wrote to memory of 2676	2488	bkzmygmuy.exe	30
PID 2488 wrote to memory of 2676	2488	bkzmygmuy.exe	30
PID 2488 wrote to memory of 2676	2488	bkzmygmuy.exe	30
PID 2488 wrote to memory of 2676	2488	bkzmygmuy.exe	30
PID 2676 wrote to memory of 1504	2676	gxrkdllis.exe	31
PID 2676 wrote to memory of 1504	2676	gxrkdllis.exe	31
PID 2676 wrote to memory of 1504	2676	gxrkdllis.exe	31
PID 2676 wrote to memory of 1504	2676	gxrkdllis.exe	31
PID 1504 wrote to memory of 1076	1504	haskrgnot.exe	32
PID 1504 wrote to memory of 1076	1504	haskrgnot.exe	32
PID 1504 wrote to memory of 1076	1504	haskrgnot.exe	32
PID 1504 wrote to memory of 1076	1504	haskrgnot.exe	32
PID 1076 wrote to memory of 516	1076	tfidqslxb.exe	33
PID 1076 wrote to memory of 516	1076	tfidqslxb.exe	33
PID 1076 wrote to memory of 516	1076	tfidqslxb.exe	33
PID 1076 wrote to memory of 516	1076	tfidqslxb.exe	33
PID 516 wrote to memory of 2304	516	mwaahxmww.exe	34
PID 516 wrote to memory of 2304	516	mwaahxmww.exe	34
PID 516 wrote to memory of 2304	516	mwaahxmww.exe	34
PID 516 wrote to memory of 2304	516	mwaahxmww.exe	34
PID 2304 wrote to memory of 2744	2304	zfevssbud.exe	35
PID 2304 wrote to memory of 2744	2304	zfevssbud.exe	35
PID 2304 wrote to memory of 2744	2304	zfevssbud.exe	35
PID 2304 wrote to memory of 2744	2304	zfevssbud.exe	35
PID 2744 wrote to memory of 2560	2744	vvlgflyss.exe	36
PID 2744 wrote to memory of 2560	2744	vvlgflyss.exe	36
PID 2744 wrote to memory of 2560	2744	vvlgflyss.exe	36
PID 2744 wrote to memory of 2560	2744	vvlgflyss.exe	36
PID 2560 wrote to memory of 2692	2560	xmaofdode.exe	37
PID 2560 wrote to memory of 2692	2560	xmaofdode.exe	37
PID 2560 wrote to memory of 2692	2560	xmaofdode.exe	37
PID 2560 wrote to memory of 2692	2560	xmaofdode.exe	37
PID 2692 wrote to memory of 1976	2692	uortpveaa.exe	38
PID 2692 wrote to memory of 1976	2692	uortpveaa.exe	38
PID 2692 wrote to memory of 1976	2692	uortpveaa.exe	38
PID 2692 wrote to memory of 1976	2692	uortpveaa.exe	38
PID 1976 wrote to memory of 1984	1976	dcroyxekh.exe	39
PID 1976 wrote to memory of 1984	1976	dcroyxekh.exe	39
PID 1976 wrote to memory of 1984	1976	dcroyxekh.exe	39
PID 1976 wrote to memory of 1984	1976	dcroyxekh.exe	39
PID 1984 wrote to memory of 828	1984	pakgsaewi.exe	40
PID 1984 wrote to memory of 828	1984	pakgsaewi.exe	40
PID 1984 wrote to memory of 828	1984	pakgsaewi.exe	40
PID 1984 wrote to memory of 828	1984	pakgsaewi.exe	40
PID 828 wrote to memory of 2960	828	yzuhepdab.exe	41
PID 828 wrote to memory of 2960	828	yzuhepdab.exe	41
PID 828 wrote to memory of 2960	828	yzuhepdab.exe	41
PID 828 wrote to memory of 2960	828	yzuhepdab.exe	41
PID 2960 wrote to memory of 2208	2960	mdtwckzrk.exe	42
PID 2960 wrote to memory of 2208	2960	mdtwckzrk.exe	42
PID 2960 wrote to memory of 2208	2960	mdtwckzrk.exe	42
PID 2960 wrote to memory of 2208	2960	mdtwckzrk.exe	42
PID 2208 wrote to memory of 1560	2208	hnvrtmtkr.exe	43
PID 2208 wrote to memory of 1560	2208	hnvrtmtkr.exe	43
PID 2208 wrote to memory of 1560	2208	hnvrtmtkr.exe	43
PID 2208 wrote to memory of 1560	2208	hnvrtmtkr.exe	43

C:\Users\Admin\AppData\Local\Temp\224beb5a2b2dde8188376e6e0231fb5f.exe
"C:\Users\Admin\AppData\Local\Temp\224beb5a2b2dde8188376e6e0231fb5f.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\ttousfdaq.exe
  C:\Windows\system32\ttousfdaq.exe 664 "C:\Users\Admin\AppData\Local\Temp\224beb5a2b2dde8188376e6e0231fb5f.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\bkzmygmuy.exe
    C:\Windows\system32\bkzmygmuy.exe 652 "C:\Windows\SysWOW64\ttousfdaq.exe"
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\SysWOW64\gxrkdllis.exe
      C:\Windows\system32\gxrkdllis.exe 648 "C:\Windows\SysWOW64\bkzmygmuy.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\haskrgnot.exe
        
        C:\Windows\system32\haskrgnot.exe 624 "C:\Windows\SysWOW64\gxrkdllis.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\SysWOW64\tfidqslxb.exe
        
        C:\Windows\system32\tfidqslxb.exe 632 "C:\Windows\SysWOW64\haskrgnot.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\mwaahxmww.exe
        
        C:\Windows\system32\mwaahxmww.exe 628 "C:\Windows\SysWOW64\tfidqslxb.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:516
        
        C:\Windows\SysWOW64\zfevssbud.exe
        
        C:\Windows\system32\zfevssbud.exe 636 "C:\Windows\SysWOW64\mwaahxmww.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\vvlgflyss.exe
        
        C:\Windows\system32\vvlgflyss.exe 640 "C:\Windows\SysWOW64\zfevssbud.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\SysWOW64\xmaofdode.exe
        
        C:\Windows\system32\xmaofdode.exe 676 "C:\Windows\SysWOW64\vvlgflyss.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\uortpveaa.exe
        
        C:\Windows\system32\uortpveaa.exe 644 "C:\Windows\SysWOW64\xmaofdode.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\dcroyxekh.exe
        
        C:\Windows\system32\dcroyxekh.exe 728 "C:\Windows\SysWOW64\uortpveaa.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\pakgsaewi.exe
        
        C:\Windows\system32\pakgsaewi.exe 656 "C:\Windows\SysWOW64\dcroyxekh.exe"
        13⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\SysWOW64\yzuhepdab.exe
        
        C:\Windows\system32\yzuhepdab.exe 684 "C:\Windows\SysWOW64\pakgsaewi.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\mdtwckzrk.exe
        
        C:\Windows\system32\mdtwckzrk.exe 660 "C:\Windows\SysWOW64\yzuhepdab.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\hnvrtmtkr.exe
        
        C:\Windows\system32\hnvrtmtkr.exe 692 "C:\Windows\SysWOW64\mdtwckzrk.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\lhmkmrngz.exe
        
        C:\Windows\system32\lhmkmrngz.exe 708 "C:\Windows\SysWOW64\hnvrtmtkr.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
        
        C:\Windows\SysWOW64\sexhxozfa.exe
        
        C:\Windows\system32\sexhxozfa.exe 672 "C:\Windows\SysWOW64\lhmkmrngz.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2032
        
        C:\Windows\SysWOW64\khmszgsun.exe
        
        C:\Windows\system32\khmszgsun.exe 668 "C:\Windows\SysWOW64\sexhxozfa.exe"
        19⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2860
        
        C:\Windows\SysWOW64\ztrxdhech.exe
        
        C:\Windows\system32\ztrxdhech.exe 704 "C:\Windows\SysWOW64\khmszgsun.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2508
        
        C:\Windows\SysWOW64\yahcuphyb.exe
        
        C:\Windows\system32\yahcuphyb.exe 688 "C:\Windows\SysWOW64\ztrxdhech.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1308
        
        C:\Windows\SysWOW64\tgxxxnwqj.exe
        
        C:\Windows\system32\tgxxxnwqj.exe 712 "C:\Windows\SysWOW64\yahcuphyb.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2296
        
        C:\Windows\SysWOW64\kqiaefmcv.exe
        
        C:\Windows\system32\kqiaefmcv.exe 740 "C:\Windows\SysWOW64\tgxxxnwqj.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2880
        
        C:\Windows\SysWOW64\wlpikeacp.exe
        
        C:\Windows\system32\wlpikeacp.exe 700 "C:\Windows\SysWOW64\kqiaefmcv.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:960
        
        C:\Windows\SysWOW64\rfuqkyjzk.exe
        
        C:\Windows\system32\rfuqkyjzk.exe 680 "C:\Windows\SysWOW64\wlpikeacp.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2628
        
        C:\Windows\SysWOW64\jurvbomwe.exe
        
        C:\Windows\system32\jurvbomwe.exe 716 "C:\Windows\SysWOW64\rfuqkyjzk.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\SysWOW64\ayggdyelr.exe
        
        C:\Windows\system32\ayggdyelr.exe 720 "C:\Windows\SysWOW64\jurvbomwe.exe"
        27⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
        
        C:\Windows\SysWOW64\snfdimnvz.exe
        
        C:\Windows\system32\snfdimnvz.exe 760 "C:\Windows\SysWOW64\ayggdyelr.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1696
        
        C:\Windows\SysWOW64\rfonczxmn.exe
        
        C:\Windows\system32\rfonczxmn.exe 732 "C:\Windows\SysWOW64\snfdimnvz.exe"
        29⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\SysWOW64\rypgethdt.exe
        
        C:\Windows\system32\rypgethdt.exe 696 "C:\Windows\SysWOW64\rfonczxmn.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2544
        
        C:\Windows\SysWOW64\lzqobvvwg.exe
        
        C:\Windows\system32\lzqobvvwg.exe 736 "C:\Windows\SysWOW64\rypgethdt.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\itmbzqbju.exe
        
        C:\Windows\system32\itmbzqbju.exe 744 "C:\Windows\SysWOW64\lzqobvvwg.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:292
        
        C:\Windows\SysWOW64\xjvtgdulb.exe
        
        C:\Windows\system32\xjvtgdulb.exe 748 "C:\Windows\SysWOW64\itmbzqbju.exe"
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600
        
        C:\Windows\SysWOW64\cvpbzeztv.exe
        
        C:\Windows\system32\cvpbzeztv.exe 724 "C:\Windows\SysWOW64\xjvtgdulb.exe"
        34⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
        
        C:\Windows\SysWOW64\brbywdpfo.exe
        
        C:\Windows\system32\brbywdpfo.exe 756 "C:\Windows\SysWOW64\cvpbzeztv.exe"
        35⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:832
        
        C:\Windows\SysWOW64\bdnrkhmzd.exe
        
        C:\Windows\system32\bdnrkhmzd.exe 776 "C:\Windows\SysWOW64\brbywdpfo.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1424
        
        C:\Windows\SysWOW64\wbdtnfbyd.exe
        
        C:\Windows\system32\wbdtnfbyd.exe 752 "C:\Windows\SysWOW64\bdnrkhmzd.exe"
        37⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2972
        
        C:\Windows\SysWOW64\sgzmmntce.exe
        
        C:\Windows\system32\sgzmmntce.exe 772 "C:\Windows\SysWOW64\wbdtnfbyd.exe"
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
        
        C:\Windows\SysWOW64\flruudcxy.exe
        
        C:\Windows\system32\flruudcxy.exe 800 "C:\Windows\SysWOW64\sgzmmntce.exe"
        39⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:2740
        
        C:\Windows\SysWOW64\fmsmoymoe.exe
        
        C:\Windows\system32\fmsmoymoe.exe 764 "C:\Windows\SysWOW64\flruudcxy.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1212
        
        C:\Windows\SysWOW64\zkihivtne.exe
        
        C:\Windows\system32\zkihivtne.exe 768 "C:\Windows\SysWOW64\fmsmoymoe.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\goqeactrf.exe
        
        C:\Windows\system32\goqeactrf.exe 780 "C:\Windows\SysWOW64\zkihivtne.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1804
        
        C:\Windows\SysWOW64\dilryerdt.exe
        
        C:\Windows\system32\dilryerdt.exe 824 "C:\Windows\SysWOW64\goqeactrf.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
        
        C:\Windows\SysWOW64\monziyoig.exe
        
        C:\Windows\system32\monziyoig.exe 788 "C:\Windows\SysWOW64\dilryerdt.exe"
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2604
        
        C:\Windows\SysWOW64\hfhcfnyli.exe
        
        C:\Windows\system32\hfhcfnyli.exe 784 "C:\Windows\SysWOW64\monziyoig.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\SysWOW64\bttxnulhh.exe
        
        C:\Windows\system32\bttxnulhh.exe 812 "C:\Windows\SysWOW64\hfhcfnyli.exe"
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2780
        
        C:\Windows\SysWOW64\twgpcypbw.exe
        
        C:\Windows\system32\twgpcypbw.exe 820 "C:\Windows\SysWOW64\bttxnulhh.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1428
        
        C:\Windows\SysWOW64\rweswgofq.exe
        
        C:\Windows\system32\rweswgofq.exe 808 "C:\Windows\SysWOW64\twgpcypbw.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:772
        
        C:\Windows\SysWOW64\rhovsnifk.exe
        
        C:\Windows\system32\rhovsnifk.exe 792 "C:\Windows\SysWOW64\rweswgofq.exe"
        49⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
        
        C:\Windows\SysWOW64\qwdajvtbe.exe
        
        C:\Windows\system32\qwdajvtbe.exe 828 "C:\Windows\SysWOW64\rhovsnifk.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1012
        
        C:\Windows\SysWOW64\izsllndrz.exe
        
        C:\Windows\system32\izsllndrz.exe 796 "C:\Windows\SysWOW64\qwdajvtbe.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:612
        
        C:\Windows\SysWOW64\xlxqooqrl.exe
        
        C:\Windows\system32\xlxqooqrl.exe 816 "C:\Windows\SysWOW64\izsllndrz.exe"
        52⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\zklxmsduz.exe
        
        C:\Windows\system32\zklxmsduz.exe 864 "C:\Windows\SysWOW64\xlxqooqrl.exe"
        53⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Windows\SysWOW64\budveolsg.exe
        
        C:\Windows\system32\budveolsg.exe 832 "C:\Windows\SysWOW64\zklxmsduz.exe"
        54⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Windows\SysWOW64\gvlqvujyo.exe
        
        C:\Windows\system32\gvlqvujyo.exe 804 "C:\Windows\SysWOW64\budveolsg.exe"
        55⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1408
        
        C:\Windows\SysWOW64\vluibzcam.exe
        
        C:\Windows\system32\vluibzcam.exe 840 "C:\Windows\SysWOW64\gvlqvujyo.exe"
        56⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:2280
        
        C:\Windows\SysWOW64\smmvfkoka.exe
        
        C:\Windows\system32\smmvfkoka.exe 836 "C:\Windows\SysWOW64\vluibzcam.exe"
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1188
        
        C:\Windows\SysWOW64\zixtiibqb.exe
        
        C:\Windows\system32\zixtiibqb.exe 848 "C:\Windows\SysWOW64\smmvfkoka.exe"
        58⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2756
        
        C:\Windows\SysWOW64\rmmdkrtgw.exe
        
        C:\Windows\system32\rmmdkrtgw.exe 844 "C:\Windows\SysWOW64\zixtiibqb.exe"
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2952
        
        C:\Windows\SysWOW64\renommvwc.exe
        
        C:\Windows\system32\renommvwc.exe 856 "C:\Windows\SysWOW64\rmmdkrtgw.exe"
        60⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
        
        C:\Windows\SysWOW64\qiztjdlid.exe
        
        C:\Windows\system32\qiztjdlid.exe 852 "C:\Windows\SysWOW64\renommvwc.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2620
        
        C:\Windows\SysWOW64\qmllxhqck.exe
        
        C:\Windows\system32\qmllxhqck.exe 876 "C:\Windows\SysWOW64\qiztjdlid.exe"
        62⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2128
        
        C:\Windows\SysWOW64\cklygllwq.exe
        
        C:\Windows\system32\cklygllwq.exe 860 "C:\Windows\SysWOW64\qmllxhqck.exe"
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\ccmjixvne.exe
        
        C:\Windows\system32\ccmjixvne.exe 872 "C:\Windows\SysWOW64\cklygllwq.exe"
        64⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:1752
        
        C:\Windows\SysWOW64\oieriodjz.exe
        
        C:\Windows\system32\oieriodjz.exe 924 "C:\Windows\SysWOW64\ccmjixvne.exe"
        65⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Windows\SysWOW64\scvjatxfy.exe
        
        C:\Windows\system32\scvjatxfy.exe 880 "C:\Windows\SysWOW64\oieriodjz.exe"
        66⤵
        Drops file in System32 directory
        
        PID:820
        
        C:\Windows\SysWOW64\vmnztpfdn.exe
        
        C:\Windows\system32\vmnztpfdn.exe 868 "C:\Windows\SysWOW64\scvjatxfy.exe"
        67⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\xlrednndn.exe
        
        C:\Windows\system32\xlrednndn.exe 884 "C:\Windows\SysWOW64\vmnztpfdn.exe"
        68⤵
        Identifies Wine through registry keys
        
        PID:1236
        
        C:\Windows\SysWOW64\glempzwtu.exe
        
        C:\Windows\system32\glempzwtu.exe 888 "C:\Windows\SysWOW64\xlrednndn.exe"
        69⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1440
        
        C:\Windows\SysWOW64\dewzlkiuh.exe
        
        C:\Windows\system32\dewzlkiuh.exe 892 "C:\Windows\SysWOW64\glempzwtu.exe"
        70⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\ineucqoip.exe
        
        C:\Windows\system32\ineucqoip.exe 932 "C:\Windows\SysWOW64\dewzlkiuh.exe"
        71⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\nonpsnuop.exe
        
        C:\Windows\system32\nonpsnuop.exe 900 "C:\Windows\SysWOW64\ineucqoip.exe"
        72⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\Windows\SysWOW64\nwkhsikcc.exe
        
        C:\Windows\system32\nwkhsikcc.exe 896 "C:\Windows\SysWOW64\nonpsnuop.exe"
        73⤵
        
        PID:368
        
        C:\Windows\SysWOW64\xoaffylfd.exe
        
        C:\Windows\system32\xoaffylfd.exe 904 "C:\Windows\SysWOW64\nwkhsikcc.exe"
        74⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\barxxdgac.exe
        
        C:\Windows\system32\barxxdgac.exe 908 "C:\Windows\SysWOW64\xoaffylfd.exe"
        75⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\losazlqoe.exe
        
        C:\Windows\system32\losazlqoe.exe 912 "C:\Windows\SysWOW64\barxxdgac.exe"
        76⤵
        Identifies Wine through registry keys
        
        PID:1284
        
        C:\Windows\SysWOW64\imraasdvf.exe
        
        C:\Windows\system32\imraasdvf.exe 948 "C:\Windows\SysWOW64\losazlqoe.exe"
        77⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\kwrxsolum.exe
        
        C:\Windows\system32\kwrxsolum.exe 956 "C:\Windows\SysWOW64\imraasdvf.exe"
        78⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\kosimavks.exe
        
        C:\Windows\system32\kosimavks.exe 916 "C:\Windows\SysWOW64\kwrxsolum.exe"
        79⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\khbagvftg.exe
        
        C:\Windows\system32\khbagvftg.exe 936 "C:\Windows\SysWOW64\kosimavks.exe"
        80⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\gilnkyrcu.exe
        
        C:\Windows\system32\gilnkyrcu.exe 920 "C:\Windows\SysWOW64\khbagvftg.exe"
        81⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\jscdcuzbb.exe
        
        C:\Windows\system32\jscdcuzbb.exe 960 "C:\Windows\SysWOW64\gilnkyrcu.exe"
        82⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\fwydbkkeb.exe
        
        C:\Windows\system32\fwydbkkeb.exe 976 "C:\Windows\SysWOW64\jscdcuzbb.exe"
        83⤵
        Identifies Wine through registry keys
        
        PID:2028
        
        C:\Windows\SysWOW64\igxstgrdi.exe
        
        C:\Windows\system32\igxstgrdi.exe 940 "C:\Windows\SysWOW64\fwydbkkeb.exe"
        84⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\hhylnsbuo.exe
        
        C:\Windows\system32\hhylnsbuo.exe 928 "C:\Windows\SysWOW64\igxstgrdi.exe"
        85⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\pdiqfeejj.exe
        
        C:\Windows\system32\pdiqfeejj.exe 944 "C:\Windows\SysWOW64\hhylnsbuo.exe"
        86⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\ryltaetkc.exe
        
        C:\Windows\system32\ryltaetkc.exe 952 "C:\Windows\SysWOW64\pdiqfeejj.exe"
        87⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\goulgremj.exe
        
        C:\Windows\system32\goulgremj.exe 1004 "C:\Windows\SysWOW64\ryltaetkc.exe"
        88⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\ootlvxiik.exe
        
        C:\Windows\system32\ootlvxiik.exe 964 "C:\Windows\SysWOW64\goulgremj.exe"
        89⤵
        Drops file in System32 directory
        
        PID:304
        
        C:\Windows\SysWOW64\kplyrjujx.exe
        
        C:\Windows\system32\kplyrjujx.exe 972 "C:\Windows\SysWOW64\ootlvxiik.exe"
        90⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\hivlumfsl.exe
        
        C:\Windows\system32\hivlumfsl.exe 968 "C:\Windows\SysWOW64\kplyrjujx.exe"
        91⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\pjulbtjol.exe
        
        C:\Windows\system32\pjulbtjol.exe 984 "C:\Windows\SysWOW64\hivlumfsl.exe"
        92⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\hcdwvntwz.exe
        
        C:\Windows\system32\hcdwvntwz.exe 992 "C:\Windows\SysWOW64\pjulbtjol.exe"
        93⤵
        
        PID:940
        
        C:\Windows\SysWOW64\gypbaecqs.exe
        
        C:\Windows\system32\gypbaecqs.exe 988 "C:\Windows\SysWOW64\hcdwvntwz.exe"
        94⤵
        Identifies Wine through registry keys
        
        PID:2452
        
        C:\Windows\SysWOW64\dzzgwiorf.exe
        
        C:\Windows\system32\dzzgwiorf.exe 980 "C:\Windows\SysWOW64\gypbaecqs.exe"
        95⤵
        Identifies Wine through registry keys
        
        PID:2092
        
        C:\Windows\SysWOW64\dkmhkuslm.exe
        
        C:\Windows\system32\dkmhkuslm.exe 1012 "C:\Windows\SysWOW64\dzzgwiorf.exe"
        96⤵
        
        PID:420
        
        C:\Windows\SysWOW64\fypjfuhmo.exe
        
        C:\Windows\system32\fypjfuhmo.exe 1052 "C:\Windows\SysWOW64\dkmhkuslm.exe"
        97⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:948
        
        C:\Windows\SysWOW64\wqzmnnxya.exe
        
        C:\Windows\system32\wqzmnnxya.exe 1032 "C:\Windows\SysWOW64\fypjfuhmo.exe"
        98⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\zarbfjfwh.exe
        
        C:\Windows\system32\zarbfjfwh.exe 1000 "C:\Windows\SysWOW64\wqzmnnxya.exe"
        99⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\raczeoijp.exe
        
        C:\Windows\system32\raczeoijp.exe 996 "C:\Windows\SysWOW64\zarbfjfwh.exe"
        100⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\dujhjnekj.exe
        
        C:\Windows\system32\dujhjnekj.exe 1016 "C:\Windows\SysWOW64\raczeoijp.exe"
        101⤵
        Identifies Wine through registry keys
        
        PID:2164
        
        C:\Windows\SysWOW64\kufrxxqsx.exe
        
        C:\Windows\system32\kufrxxqsx.exe 1036 "C:\Windows\SysWOW64\dujhjnekj.exe"
        102⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\hvpfbbcuk.exe
        
        C:\Windows\system32\hvpfbbcuk.exe 1048 "C:\Windows\SysWOW64\kufrxxqsx.exe"
        103⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\uihuheihq.exe
        
        C:\Windows\system32\uihuheihq.exe 1020 "C:\Windows\SysWOW64\hvpfbbcuk.exe"
        104⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\bmpkylbkr.exe
        
        C:\Windows\system32\bmpkylbkr.exe 1008 "C:\Windows\SysWOW64\uihuheihq.exe"
        105⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1596
        
        C:\Windows\SysWOW64\kaqnaalys.exe
        
        C:\Windows\system32\kaqnaalys.exe 1060 "C:\Windows\SysWOW64\bmpkylbkr.exe"
        106⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\cpqkeocqa.exe
        
        C:\Windows\system32\cpqkeocqa.exe 1044 "C:\Windows\SysWOW64\kaqnaalys.exe"
        107⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\wcwkyuueu.exe
        
        C:\Windows\system32\wcwkyuueu.exe 1064 "C:\Windows\SysWOW64\cpqkeocqa.exe"
        108⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\nuhvgnkqo.exe
        
        C:\Windows\system32\nuhvgnkqo.exe 1028 "C:\Windows\SysWOW64\wcwkyuueu.exe"
        109⤵
        Drops file in System32 directory
        
        PID:1488
        
        C:\Windows\SysWOW64\soqaqfamc.exe
        
        C:\Windows\system32\soqaqfamc.exe 1068 "C:\Windows\SysWOW64\nuhvgnkqo.exe"
        110⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\mugdtchmc.exe
        
        C:\Windows\system32\mugdtchmc.exe 1092 "C:\Windows\SysWOW64\soqaqfamc.exe"
        111⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\efrfbvxyw.exe
        
        C:\Windows\system32\efrfbvxyw.exe 1080 "C:\Windows\SysWOW64\mugdtchmc.exe"
        112⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\arknmfkgq.exe
        
        C:\Windows\system32\arknmfkgq.exe 1100 "C:\Windows\SysWOW64\efrfbvxyw.exe"
        113⤵
        Identifies Wine through registry keys
        
        PID:2156
        
        C:\Windows\SysWOW64\gphvzgjkd.exe
        
        C:\Windows\system32\gphvzgjkd.exe 1096 "C:\Windows\SysWOW64\arknmfkgq.exe"
        114⤵
        Drops file in System32 directory
        
        PID:2140
        
        C:\Windows\SysWOW64\idkyugqkx.exe
        
        C:\Windows\system32\idkyugqkx.exe 1040 "C:\Windows\SysWOW64\gphvzgjkd.exe"
        115⤵
        Identifies Wine through registry keys
        
        PID:2732
        
        C:\Windows\SysWOW64\pwrdragxr.exe
        
        C:\Windows\system32\pwrdragxr.exe 1072 "C:\Windows\SysWOW64\idkyugqkx.exe"
        116⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\ewddswlkz.exe
        
        C:\Windows\system32\ewddswlkz.exe 1056 "C:\Windows\SysWOW64\pwrdragxr.exe"
        117⤵
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\odpbdvtcz.exe
        
        C:\Windows\system32\odpbdvtcz.exe 1120 "C:\Windows\SysWOW64\ewddswlkz.exe"
        118⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\tbktqrhbz.exe
        
        C:\Windows\system32\tbktqrhbz.exe 1084 "C:\Windows\SysWOW64\odpbdvtcz.exe"
        119⤵
        Identifies Wine through registry keys
        
        PID:1600
        
        C:\Windows\SysWOW64\ndpjqkqyn.exe
        
        C:\Windows\system32\ndpjqkqyn.exe 1088 "C:\Windows\SysWOW64\tbktqrhbz.exe"
        120⤵
        Identifies Wine through registry keys
        
        PID:1648
        
        C:\Windows\SysWOW64\udlteujha.exe
        
        C:\Windows\system32\udlteujha.exe 1076 "C:\Windows\SysWOW64\ndpjqkqyn.exe"
        121⤵
        Drops file in System32 directory
        
        PID:2636
        
        C:\Windows\SysWOW64\rtstxtwob.exe
        
        C:\Windows\system32\rtstxtwob.exe 1108 "C:\Windows\SysWOW64\udlteujha.exe"
        122⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\batbpntbp.exe
        
        C:\Windows\system32\batbpntbp.exe 1104 "C:\Windows\SysWOW64\rtstxtwob.exe"
        123⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\nrxwsibzw.exe
        
        C:\Windows\system32\nrxwsibzw.exe 1116 "C:\Windows\SysWOW64\batbpntbp.exe"
        124⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\aatjvdqxd.exe
        
        C:\Windows\system32\aatjvdqxd.exe 1148 "C:\Windows\SysWOW64\nrxwsibzw.exe"
        125⤵
        
        PID:276
        
        C:\Windows\SysWOW64\wtmpsbmpx.exe
        
        C:\Windows\system32\wtmpsbmpx.exe 1124 "C:\Windows\SysWOW64\aatjvdqxd.exe"
        126⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\ypornbtqy.exe
        
        C:\Windows\system32\ypornbtqy.exe 1112 "C:\Windows\SysWOW64\wtmpsbmpx.exe"
        127⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\jkpcdwbnm.exe
        
        C:\Windows\system32\jkpcdwbnm.exe 1132 "C:\Windows\SysWOW64\ypornbtqy.exe"
        128⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\sccrhhles.exe
        
        C:\Windows\system32\sccrhhles.exe 1128 "C:\Windows\SysWOW64\jkpcdwbnm.exe"
        129⤵
        Identifies Wine through registry keys
        
        PID:2956
        
        C:\Windows\SysWOW64\ftgnkcacz.exe
        
        C:\Windows\system32\ftgnkcacz.exe 1140 "C:\Windows\SysWOW64\sccrhhles.exe"
        130⤵
        Drops file in System32 directory
        
        PID:2752
        
        C:\Windows\SysWOW64\zrohnahbz.exe
        
        C:\Windows\system32\zrohnahbz.exe 1172 "C:\Windows\SysWOW64\ftgnkcacz.exe"
        131⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\votsockwo.exe
        
        C:\Windows\system32\votsockwo.exe 1160 "C:\Windows\SysWOW64\zrohnahbz.exe"
        132⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\xzjimfwhv.exe
        
        C:\Windows\system32\xzjimfwhv.exe 1176 "C:\Windows\SysWOW64\votsockwo.exe"
        133⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\hchkcumaw.exe
        
        C:\Windows\system32\hchkcumaw.exe 1144 "C:\Windows\SysWOW64\xzjimfwhv.exe"
        134⤵
        Identifies Wine through registry keys
        
        PID:2964
        
        C:\Windows\SysWOW64\zfwvdmwqj.exe
        
        C:\Windows\system32\zfwvdmwqj.exe 1136 "C:\Windows\SysWOW64\hchkcumaw.exe"
        135⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\qpgxlfmcd.exe
        
        C:\Windows\system32\qpgxlfmcd.exe 1152 "C:\Windows\SysWOW64\zfwvdmwqj.exe"
        136⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\qbtqzjqwk.exe
        
        C:\Windows\system32\qbtqzjqwk.exe 1156 "C:\Windows\SysWOW64\qpgxlfmcd.exe"
        137⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\funvjaisd.exe
        
        C:\Windows\system32\funvjaisd.exe 1192 "C:\Windows\SysWOW64\qbtqzjqwk.exe"
        138⤵
        Identifies Wine through registry keys
        
        PID:2652
        
        C:\Windows\SysWOW64\zavqlyxsm.exe
        
        C:\Windows\system32\zavqlyxsm.exe 1164 "C:\Windows\SysWOW64\funvjaisd.exe"
        139⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\ombvpyjay.exe
        
        C:\Windows\system32\ombvpyjay.exe 1168 "C:\Windows\SysWOW64\zavqlyxsm.exe"
        140⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2764
        
        C:\Windows\SysWOW64\djkjnyqlt.exe
        
        C:\Windows\system32\djkjnyqlt.exe 1184 "C:\Windows\SysWOW64\ombvpyjay.exe"
        141⤵
        Identifies Wine through registry keys
        
        PID:1464
        
        C:\Windows\SysWOW64\nplqfsnyh.exe
        
        C:\Windows\system32\nplqfsnyh.exe 1200 "C:\Windows\SysWOW64\djkjnyqlt.exe"
        142⤵
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\SysWOW64\xacgevrko.exe
        
        C:\Windows\system32\xacgevrko.exe 1180 "C:\Windows\SysWOW64\nplqfsnyh.exe"
        143⤵
        Identifies Wine through registry keys
        
        PID:2184
        
        C:\Windows\SysWOW64\huozefaur.exe
        
        C:\Windows\system32\huozefaur.exe 1196 "C:\Windows\SysWOW64\xacgevrko.exe"
        144⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\nytepqtgf.exe
        
        C:\Windows\system32\nytepqtgf.exe 1188 "C:\Windows\SysWOW64\huozefaur.exe"
        145⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\wtshwfrzg.exe
        
        C:\Windows\system32\wtshwfrzg.exe 1220 "C:\Windows\SysWOW64\nytepqtgf.exe"
        146⤵
        Drops file in System32 directory
        
        PID:2524
        
        C:\Windows\SysWOW64\rwxpwzzwu.exe
        
        C:\Windows\system32\rwxpwzzwu.exe 1240 "C:\Windows\SysWOW64\wtshwfrzg.exe"
        147⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\nxhcsklyh.exe
        
        C:\Windows\system32\nxhcsklyh.exe 1212 "C:\Windows\SysWOW64\rwxpwzzwu.exe"
        148⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\ajwcgbzyb.exe
        
        C:\Windows\system32\ajwcgbzyb.exe 1256 "C:\Windows\SysWOW64\nxhcsklyh.exe"
        149⤵
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\marxiwpwi.exe
        
        C:\Windows\system32\marxiwpwi.exe 1232 "C:\Windows\SysWOW64\ajwcgbzyb.exe"
        150⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\tboixgaxw.exe
        
        C:\Windows\system32\tboixgaxw.exe 1252 "C:\Windows\SysWOW64\marxiwpwi.exe"
        151⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\ospkuvkzx.exe
        
        C:\Windows\system32\ospkuvkzx.exe 1236 "C:\Windows\SysWOW64\tboixgaxw.exe"
        152⤵
        Identifies Wine through registry keys
        
        PID:2492
        
        C:\Windows\SysWOW64\fzpaqjtre.exe
        
        C:\Windows\system32\fzpaqjtre.exe 1208 "C:\Windows\SysWOW64\ospkuvkzx.exe"
        153⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\stwieipky.exe
        
        C:\Windows\system32\stwieipky.exe 1244 "C:\Windows\SysWOW64\fzpaqjtre.exe"
        154⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\jawyiwybg.exe
        
        C:\Windows\system32\jawyiwybg.exe 1264 "C:\Windows\SysWOW64\stwieipky.exe"
        155⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\lvyaexnuz.exe
        
        C:\Windows\system32\lvyaexnuz.exe 1204 "C:\Windows\SysWOW64\jawyiwybg.exe"
        156⤵
        Identifies Wine through registry keys
        
        PID:1496
        
        C:\Windows\SysWOW64\toxakejqz.exe
        
        C:\Windows\system32\toxakejqz.exe 1224 "C:\Windows\SysWOW64\lvyaexnuz.exe"
        157⤵
        Identifies Wine through registry keys
        
        PID:112
        
        C:\Windows\SysWOW64\ybridnvyt.exe
        
        C:\Windows\system32\ybridnvyt.exe 1248 "C:\Windows\SysWOW64\toxakejqz.exe"
        158⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\awulyocqn.exe
        
        C:\Windows\system32\awulyocqn.exe 1228 "C:\Windows\SysWOW64\ybridnvyt.exe"
        159⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\xmalzvpxo.exe
        
        C:\Windows\system32\xmalzvpxo.exe 1276 "C:\Windows\SysWOW64\awulyocqn.exe"
        160⤵
        
        PID:604
        
        C:\Windows\SysWOW64\rvutxpdzb.exe
        
        C:\Windows\system32\rvutxpdzb.exe 1260 "C:\Windows\SysWOW64\xmalzvpxo.exe"
        161⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\rodlzjnqp.exe
        
        C:\Windows\system32\rodlzjnqp.exe 1272 "C:\Windows\SysWOW64\rvutxpdzb.exe"
        162⤵
        
        PID:932
        
        C:\Windows\SysWOW64\qgedtwxhv.exe
        
        C:\Windows\system32\qgedtwxhv.exe 1268 "C:\Windows\SysWOW64\rodlzjnqp.exe"
        163⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\izqlmwklk.exe
        
        C:\Windows\system32\izqlmwklk.exe 1280 "C:\Windows\SysWOW64\qgedtwxhv.exe"
        164⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\zkzoavese.exe
        
        C:\Windows\system32\zkzoavese.exe 1284 "C:\Windows\SysWOW64\izqlmwklk.exe"
        165⤵
        Identifies Wine through registry keys
        
        PID:1664
        
        C:\Windows\SysWOW64\dwqgtaggm.exe
        
        C:\Windows\system32\dwqgtaggm.exe 1316 "C:\Windows\SysWOW64\zkzoavese.exe"
        166⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:584
        
        C:\Windows\SysWOW64\iyzudsola.exe
        
        C:\Windows\system32\iyzudsola.exe 1288 "C:\Windows\SysWOW64\dwqgtaggm.exe"
        167⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\pukrpqijb.exe
        
        C:\Windows\system32\pukrpqijb.exe 1292 "C:\Windows\SysWOW64\iyzudsola.exe"
        168⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\jtbusoqib.exe
        
        C:\Windows\system32\jtbusoqib.exe 1296 "C:\Windows\SysWOW64\pukrpqijb.exe"
        169⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\ezrpvlfib.exe
        
        C:\Windows\system32\ezrpvlfib.exe 1300 "C:\Windows\SysWOW64\jtbusoqib.exe"
        170⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\yxhkpjmhb.exe
        
        C:\Windows\system32\yxhkpjmhb.exe 1304 "C:\Windows\SysWOW64\ezrpvlfib.exe"
        171⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\ppsuxbbtv.exe
        
        C:\Windows\system32\ppsuxbbtv.exe 1308 "C:\Windows\SysWOW64\yxhkpjmhb.exe"
        172⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cyohhwrrd.exe
        
        C:\Windows\system32\cyohhwrrd.exe 1344 "C:\Windows\SysWOW64\ppsuxbbtv.exe"
        173⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\jrvaiyfwr.exe
        
        C:\Windows\system32\jrvaiyfwr.exe 1320 "C:\Windows\SysWOW64\cyohhwrrd.exe"
        174⤵
        
        PID:920
        
        C:\Windows\SysWOW64\gwrspfphr.exe
        
        C:\Windows\system32\gwrspfphr.exe 1340 "C:\Windows\SysWOW64\jrvaiyfwr.exe"
        175⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\srysuemal.exe
        
        C:\Windows\system32\srysuemal.exe 1312 "C:\Windows\SysWOW64\gwrspfphr.exe"
        176⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\hzssvjrfs.exe
        
        C:\Windows\system32\hzssvjrfs.exe 1324 "C:\Windows\SysWOW64\srysuemal.exe"
        177⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\wdqxzjdnn.exe
        
        C:\Windows\system32\wdqxzjdnn.exe 1332 "C:\Windows\SysWOW64\hzssvjrfs.exe"
        178⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2948
        
        C:\Windows\SysWOW64\qmrfelrha.exe
        
        C:\Windows\system32\qmrfelrha.exe 1336 "C:\Windows\SysWOW64\wdqxzjdnn.exe"
        179⤵
        Drops file in System32 directory
        
        PID:1640
        
        C:\Windows\SysWOW64\voispdhln.exe
        
        C:\Windows\system32\voispdhln.exe 1328 "C:\Windows\SysWOW64\qmrfelrha.exe"
        180⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\kagysmtli.exe
        
        C:\Windows\system32\kagysmtli.exe 1348 "C:\Windows\SysWOW64\voispdhln.exe"
        181⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\oxaqgiqki.exe
        
        C:\Windows\system32\oxaqgiqki.exe 1364 "C:\Windows\SysWOW64\kagysmtli.exe"
        182⤵
        Identifies Wine through registry keys
        
        PID:1728
        
        C:\Windows\SysWOW64\berligxki.exe
        
        C:\Windows\system32\berligxki.exe 1372 "C:\Windows\SysWOW64\oxaqgiqki.exe"
        183⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\kggvwbded.exe
        
        C:\Windows\system32\kggvwbded.exe 1356 "C:\Windows\SysWOW64\berligxki.exe"
        184⤵
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\nnuglamix.exe
        
        C:\Windows\system32\nnuglamix.exe 1352 "C:\Windows\SysWOW64\kggvwbded.exe"
        185⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\xxkqgvtck.exe
        
        C:\Windows\system32\xxkqgvtck.exe 1392 "C:\Windows\SysWOW64\nnuglamix.exe"
        186⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\rspgypbhy.exe
        
        C:\Windows\system32\rspgypbhy.exe 1368 "C:\Windows\SysWOW64\xxkqgvtck.exe"
        187⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\zwzlqiewl.exe
        
        C:\Windows\system32\zwzlqiewl.exe 1388 "C:\Windows\SysWOW64\rspgypbhy.exe"
        188⤵
        
        PID:916
        
        C:\Windows\SysWOW64\jzowdlsrx.exe
        
        C:\Windows\system32\jzowdlsrx.exe 1404 "C:\Windows\SysWOW64\zwzlqiewl.exe"
        189⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\rdyjuwvgs.exe
        
        C:\Windows\system32\rdyjuwvgs.exe 1460 "C:\Windows\SysWOW64\jzowdlsrx.exe"
        190⤵
        Drops file in System32 directory
        
        PID:2640
        
        C:\Windows\SysWOW64\nhubtenks.exe
        
        C:\Windows\system32\nhubtenks.exe 1376 "C:\Windows\SysWOW64\rdyjuwvgs.exe"
        191⤵
        
        PID:548
        
        C:\Windows\SysWOW64\vmeokxqif.exe
        
        C:\Windows\system32\vmeokxqif.exe 1360 "C:\Windows\SysWOW64\nhubtenks.exe"
        192⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\ikzrtxwpg.exe
        
        C:\Windows\system32\ikzrtxwpg.exe 1432 "C:\Windows\SysWOW64\vmeokxqif.exe"
        193⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\irwwknzda.exe
        
        C:\Windows\system32\irwwknzda.exe 1380 "C:\Windows\SysWOW64\ikzrtxwpg.exe"
        194⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\meqedpemu.exe
        
        C:\Windows\system32\meqedpemu.exe 1480 "C:\Windows\SysWOW64\irwwknzda.exe"
        195⤵
        Identifies Wine through registry keys
        
        PID:1264
        
        C:\Windows\SysWOW64\llnodktzh.exe
        
        C:\Windows\system32\llnodktzh.exe 1384 "C:\Windows\SysWOW64\meqedpemu.exe"
        196⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\yrgolbkvc.exe
        
        C:\Windows\system32\yrgolbkvc.exe 1428 "C:\Windows\SysWOW64\llnodktzh.exe"
        197⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\fvfmupcyc.exe
        
        C:\Windows\system32\fvfmupcyc.exe 1400 "C:\Windows\SysWOW64\yrgolbkvc.exe"
        198⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\csmmvwhfd.exe
        
        C:\Windows\system32\csmmvwhfd.exe 1396 "C:\Windows\SysWOW64\fvfmupcyc.exe"
        199⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\monecrqkq.exe
        
        C:\Windows\system32\monecrqkq.exe 1408 "C:\Windows\SysWOW64\csmmvwhfd.exe"
        200⤵
        Identifies Wine through registry keys
        
        PID:1644
        
        C:\Windows\SysWOW64\jpxsgucmw.exe
        
        C:\Windows\system32\jpxsgucmw.exe 1456 "C:\Windows\SysWOW64\monecrqkq.exe"
        201⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\oqgmpzazd.exe
        
        C:\Windows\system32\oqgmpzazd.exe 1416 "C:\Windows\SysWOW64\jpxsgucmw.exe"
        202⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\vjlhfwdrf.exe
        
        C:\Windows\system32\vjlhfwdrf.exe 1412 "C:\Windows\SysWOW64\oqgmpzazd.exe"
        203⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\sjhstadfn.exe
        
        C:\Windows\system32\sjhstadfn.exe 1424 "C:\Windows\SysWOW64\vjlhfwdrf.exe"
        204⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\xcjnoitoq.exe
        
        C:\Windows\system32\xcjnoitoq.exe 1472 "C:\Windows\SysWOW64\sjhstadfn.exe"
        205⤵
        Identifies Wine through registry keys
        
        PID:2568
        
        C:\Windows\SysWOW64\kpcowyjkl.exe
        
        C:\Windows\system32\kpcowyjkl.exe 1436 "C:\Windows\SysWOW64\xcjnoitoq.exe"
        206⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\thpdaktaz.exe
        
        C:\Windows\system32\thpdaktaz.exe 1420 "C:\Windows\SysWOW64\kpcowyjkl.exe"
        207⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\lkdoccdqm.exe
        
        C:\Windows\system32\lkdoccdqm.exe 1452 "C:\Windows\SysWOW64\thpdaktaz.exe"
        208⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\adxtlldug.exe
        
        C:\Windows\system32\adxtlldug.exe 1440 "C:\Windows\SysWOW64\lkdoccdqm.exe"
        209⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\aojmzpzgn.exe
        
        C:\Windows\system32\aojmzpzgn.exe 1464 "C:\Windows\SysWOW64\adxtlldug.exe"
        210⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\jgotmirxb.exe
        
        C:\Windows\system32\jgotmirxb.exe 1496 "C:\Windows\SysWOW64\aojmzpzgn.exe"
        211⤵
        
        PID:816
        
        C:\Windows\SysWOW64\eqqjrcero.exe
        
        C:\Windows\system32\eqqjrcero.exe 1468 "C:\Windows\SysWOW64\jgotmirxb.exe"
        212⤵
        
        PID:668
        
        C:\Windows\SysWOW64\tykbsgsew.exe
        
        C:\Windows\system32\tykbsgsew.exe 1448 "C:\Windows\SysWOW64\eqqjrcero.exe"
        213⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\ikihwpeeq.exe
        
        C:\Windows\system32\ikihwpeeq.exe 1444 "C:\Windows\SysWOW64\tykbsgsew.exe"
        214⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\hcjrqcovw.exe
        
        C:\Windows\system32\hcjrqcovw.exe 1476 "C:\Windows\SysWOW64\ikihwpeeq.exe"
        215⤵
        
        PID:1244
        
        C:\Windows\SysWOW64\znucxuehq.exe
        
        C:\Windows\system32\znucxuehq.exe 1492 "C:\Windows\SysWOW64\hcjrqcovw.exe"
        216⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1964
        
        C:\Windows\SysWOW64\qbtrcivzy.exe
        
        C:\Windows\system32\qbtrcivzy.exe 1484 "C:\Windows\SysWOW64\znucxuehq.exe"
        217⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\nkbkxckxf.exe
        
        C:\Windows\system32\nkbkxckxf.exe 1504 "C:\Windows\SysWOW64\qbtrcivzy.exe"
        218⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\wyahcqbgf.exe
        
        C:\Windows\system32\wyahcqbgf.exe 1520 "C:\Windows\SysWOW64\nkbkxckxf.exe"
        219⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\gxnfmpigf.exe
        
        C:\Windows\system32\gxnfmpigf.exe 1500 "C:\Windows\SysWOW64\wyahcqbgf.exe"
        220⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\rxrcxoign.exe
        
        C:\Windows\system32\rxrcxoign.exe 1488 "C:\Windows\SysWOW64\gxnfmpigf.exe"
        221⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\vjkkqxvoz.exe
        
        C:\Windows\system32\vjkkqxvoz.exe 1508 "C:\Windows\SysWOW64\rxrcxoign.exe"
        222⤵
        Drops file in System32 directory
        
        PID:2116
        
        C:\Windows\SysWOW64\blsfgdtuh.exe
        
        C:\Windows\system32\blsfgdtuh.exe 1512 "C:\Windows\SysWOW64\vjkkqxvoz.exe"
        223⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\lgtpoxbzu.exe
        
        C:\Windows\system32\lgtpoxbzu.exe 1516 "C:\Windows\SysWOW64\blsfgdtuh.exe"
        224⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\nfzfmupua.exe
        
        C:\Windows\system32\nfzfmupua.exe 1524 "C:\Windows\SysWOW64\lgtpoxbzu.exe"
        225⤵
        Identifies Wine through registry keys
        
        PID:1088
        
        C:\Windows\SysWOW64\xemcetoua.exe
        
        C:\Windows\system32\xemcetoua.exe 1560 "C:\Windows\SysWOW64\nfzfmupua.exe"
        226⤵
        Identifies Wine through registry keys
        
        PID:1684
        
        C:\Windows\SysWOW64\zodawpwsp.exe
        
        C:\Windows\system32\zodawpwsp.exe 1564 "C:\Windows\SysWOW64\xemcetoua.exe"
        227⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\ebxihzjab.exe
        
        C:\Windows\system32\ebxihzjab.exe 1532 "C:\Windows\SysWOW64\zodawpwsp.exe"
        228⤵
        Identifies Wine through registry keys
        
        PID:2064
        
        C:\Windows\SysWOW64\olmsdcpuo.exe
        
        C:\Windows\system32\olmsdcpuo.exe 1568 "C:\Windows\SysWOW64\ebxihzjab.exe"
        229⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\rsavstqyq.exe
        
        C:\Windows\system32\rsavstqyq.exe 1556 "C:\Windows\SysWOW64\olmsdcpuo.exe"
        230⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\tcsskpyxx.exe
        
        C:\Windows\system32\tcsskpyxx.exe 1528 "C:\Windows\SysWOW64\rsavstqyq.exe"
        231⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\nainfnnwy.exe
        
        C:\Windows\system32\nainfnnwy.exe 1536 "C:\Windows\SysWOW64\tcsskpyxx.exe"
        232⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\ruzfgsikx.exe
        
        C:\Windows\system32\ruzfgsikx.exe 1540 "C:\Windows\SysWOW64\nainfnnwy.exe"
        233⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\wstytgejx.exe
        
        C:\Windows\system32\wstytgejx.exe 1544 "C:\Windows\SysWOW64\ruzfgsikx.exe"
        234⤵
        Identifies Wine through registry keys
        
        PID:2684
        
        C:\Windows\SysWOW64\laoyulkof.exe
        
        C:\Windows\system32\laoyulkof.exe 1548 "C:\Windows\SysWOW64\wstytgejx.exe"
        235⤵
        Drops file in System32 directory
        
        PID:616
        
        C:\Windows\SysWOW64\pfiqhhyno.exe
        
        C:\Windows\system32\pfiqhhyno.exe 1576 "C:\Windows\SysWOW64\laoyulkof.exe"
        236⤵
        Identifies Wine through registry keys
        
        PID:2712
        
        C:\Windows\SysWOW64\hiwbjrrdb.exe
        
        C:\Windows\system32\hiwbjrrdb.exe 1552 "C:\Windows\SysWOW64\pfiqhhyno.exe"
        237⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\zmlldbbsw.exe
        
        C:\Windows\system32\zmlldbbsw.exe 1580 "C:\Windows\SysWOW64\hiwbjrrdb.exe"
        238⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\qwvokbrfi.exe
        
        C:\Windows\system32\qwvokbrfi.exe 1572 "C:\Windows\SysWOW64\zmlldbbsw.exe"
        239⤵
        
        PID:560
        
        C:\Windows\SysWOW64\crcoysffb.exe
        
        C:\Windows\system32\crcoysffb.exe 1588 "C:\Windows\SysWOW64\qwvokbrfi.exe"
        240⤵
        Drops file in System32 directory
        
        PID:2920
        
        C:\Windows\SysWOW64\cgatpjitd.exe
        
        C:\Windows\system32\cgatpjitd.exe 1592 "C:\Windows\SysWOW64\crcoysffb.exe"
        241⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\exnjbuzkj.exe
        
        C:\Windows\system32\exnjbuzkj.exe 1596 "C:\Windows\SysWOW64\cgatpjitd.exe"
        242⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\yhorzwnee.exe
        
        C:\Windows\system32\yhorzwnee.exe 1584 "C:\Windows\SysWOW64\exnjbuzkj.exe"
        243⤵
        
        PID:896
        
        C:\Windows\SysWOW64\qkdcbgytr.exe
        
        C:\Windows\system32\qkdcbgytr.exe 1608 "C:\Windows\SysWOW64\yhorzwnee.exe"
        244⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\nwypzjeff.exe
        
        C:\Windows\system32\nwypzjeff.exe 1600 "C:\Windows\SysWOW64\qkdcbgytr.exe"
        245⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\hgswxkszs.exe
        
        C:\Windows\system32\hgswxkszs.exe 1612 "C:\Windows\SysWOW64\nwypzjeff.exe"
        246⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\tahwkkgam.exe
        
        C:\Windows\system32\tahwkkgam.exe 1604 "C:\Windows\SysWOW64\hgswxkszs.exe"
        247⤵
        Identifies Wine through registry keys
        
        PID:1040
        
        C:\Windows\SysWOW64\levhmtyph.exe
        
        C:\Windows\system32\levhmtyph.exe 1624 "C:\Windows\SysWOW64\tahwkkgam.exe"
        248⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\lttmdcbdb.exe
        
        C:\Windows\system32\lttmdcbdb.exe 1616 "C:\Windows\SysWOW64\levhmtyph.exe"
        249⤵
        Identifies Wine through registry keys
        
        PID:1692
        
        C:\Windows\SysWOW64\pynnryqcj.exe
        
        C:\Windows\system32\pynnryqcj.exe 1636 "C:\Windows\SysWOW64\lttmdcbdb.exe"
        250⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\mdjfpojgb.exe
        
        C:\Windows\system32\mdjfpojgb.exe 1620 "C:\Windows\SysWOW64\pynnryqcj.exe"
        251⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\ecucotmtj.exe
        
        C:\Windows\system32\ecucotmtj.exe 1632 "C:\Windows\SysWOW64\mdjfpojgb.exe"
        252⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\tsdvvyfdq.exe
        
        C:\Windows\system32\tsdvvyfdq.exe 1664 "C:\Windows\SysWOW64\ecucotmtj.exe"
        253⤵
        Identifies Wine through registry keys
        
        PID:2884
        
        C:\Windows\SysWOW64\kvrfwqptd.exe
        
        C:\Windows\system32\kvrfwqptd.exe 1644 "C:\Windows\SysWOW64\tsdvvyfdq.exe"
        254⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cyfqyaaiy.exe
        
        C:\Windows\system32\cyfqyaaiy.exe 1628 "C:\Windows\SysWOW64\kvrfwqptd.exe"
        255⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\owxdpdvde.exe
        
        C:\Windows\system32\owxdpdvde.exe 1648 "C:\Windows\SysWOW64\cyfqyaaiy.exe"
        256⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\jrklhxdas.exe
        
        C:\Windows\system32\jrklhxdas.exe 1640 "C:\Windows\SysWOW64\owxdpdvde.exe"
        257⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\oewtayiim.exe
        
        C:\Windows\system32\oewtayiim.exe 1652 "C:\Windows\SysWOW64\jrklhxdas.exe"
        258⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\ifxafawcz.exe
        
        C:\Windows\system32\ifxafawcz.exe 1688 "C:\Windows\SysWOW64\oewtayiim.exe"
        259⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\kxpyywdag.exe
        
        C:\Windows\system32\kxpyywdag.exe 1660 "C:\Windows\SysWOW64\ifxafawcz.exe"
        260⤵
        
        PID:432
        
        C:\Windows\SysWOW64\jtbvunuuh.exe
        
        C:\Windows\system32\jtbvunuuh.exe 1656 "C:\Windows\SysWOW64\kxpyywdag.exe"
        261⤵
        Drops file in System32 directory
        
        PID:1144
        
        C:\Windows\SysWOW64\xgtlartyv.exe
        
        C:\Windows\system32\xgtlartyv.exe 1756 "C:\Windows\SysWOW64\jtbvunuuh.exe"
        262⤵
        Identifies Wine through registry keys
        
        PID:2276
        
        C:\Windows\SysWOW64\jxwgdmiwc.exe
        
        C:\Windows\system32\jxwgdmiwc.exe 1668 "C:\Windows\SysWOW64\xgtlartyv.exe"
        263⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\lamqyppyp.exe
        
        C:\Windows\system32\lamqyppyp.exe 1736 "C:\Windows\SysWOW64\jxwgdmiwc.exe"
        264⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\fknyercsc.exe
        
        C:\Windows\system32\fknyercsc.exe 1708 "C:\Windows\SysWOW64\lamqyppyp.exe"
        265⤵
        Identifies Wine through registry keys
        
        PID:3020
        
        C:\Windows\SysWOW64\fcojyemjq.exe
        
        C:\Windows\system32\fcojyemjq.exe 1676 "C:\Windows\SysWOW64\fknyercsc.exe"
        266⤵
        Identifies Wine through registry keys
        
        PID:2172
        
        C:\Windows\SysWOW64\mdnjekqwq.exe
        
        C:\Windows\system32\mdnjekqwq.exe 1680 "C:\Windows\SysWOW64\fcojyemjq.exe"
        267⤵
        
        PID:844
        
        C:\Windows\SysWOW64\rlseaychx.exe
        
        C:\Windows\system32\rlseaychx.exe 1776 "C:\Windows\SysWOW64\mdnjekqwq.exe"
        268⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\tgugvzjiq.exe
        
        C:\Windows\system32\tgugvzjiq.exe 1772 "C:\Windows\SysWOW64\rlseaychx.exe"
        269⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\tzvrplsrx.exe
        
        C:\Windows\system32\tzvrplsrx.exe 1684 "C:\Windows\SysWOW64\tgugvzjiq.exe"
        270⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\srwjrychl.exe
        
        C:\Windows\system32\srwjrychl.exe 1672 "C:\Windows\SysWOW64\tzvrplsrx.exe"
        271⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\dkmowoekm.exe
        
        C:\Windows\system32\dkmowoekm.exe 1692 "C:\Windows\SysWOW64\srwjrychl.exe"
        272⤵
        Drops file in System32 directory
        
        PID:2716
        
        C:\Windows\SysWOW64\szvhdbpmt.exe
        
        C:\Windows\system32\szvhdbpmt.exe 1720 "C:\Windows\SysWOW64\dkmowoekm.exe"
        273⤵
        Drops file in System32 directory
        
        PID:1940
        
        C:\Windows\SysWOW64\xmohwlcvn.exe
        
        C:\Windows\system32\xmohwlcvn.exe 1732 "C:\Windows\SysWOW64\szvhdbpmt.exe"
        274⤵
        Drops file in System32 directory
        
        PID:2384
        
        C:\Windows\SysWOW64\zwoeohktu.exe
        
        C:\Windows\system32\zwoeohktu.exe 1696 "C:\Windows\SysWOW64\xmohwlcvn.exe"
        275⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\eihmhipbo.exe
        
        C:\Windows\system32\eihmhipbo.exe 1724 "C:\Windows\SysWOW64\zwoeohktu.exe"
        276⤵
        Drops file in System32 directory
        
        PID:456
        
        C:\Windows\SysWOW64\gszcaexav.exe
        
        C:\Windows\system32\gszcaexav.exe 1784 "C:\Windows\SysWOW64\eihmhipbo.exe"
        277⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\irnrxjkvb.exe
        
        C:\Windows\system32\irnrxjkvb.exe 1700 "C:\Windows\SysWOW64\gszcaexav.exe"
        278⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\nlwfibazp.exe
        
        C:\Windows\system32\nlwfibazp.exe 1760 "C:\Windows\SysWOW64\irnrxjkvb.exe"
        279⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\zcaskwhxw.exe
        
        C:\Windows\system32\zcaskwhxw.exe 1716 "C:\Windows\SysWOW64\nlwfibazp.exe"
        280⤵
        Drops file in System32 directory
        
        PID:2528
        
        C:\Windows\SysWOW64\wvkfgztzj.exe
        
        C:\Windows\system32\wvkfgztzj.exe 1728 "C:\Windows\SysWOW64\zcaskwhxw.exe"
        281⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\twcsklfix.exe
        
        C:\Windows\system32\twcsklfix.exe 1740 "C:\Windows\SysWOW64\wvkfgztzj.exe"
        282⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\dsvcsfofk.exe
        
        C:\Windows\system32\dsvcsfofk.exe 1712 "C:\Windows\SysWOW64\twcsklfix.exe"
        283⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\awycynyjk.exe
        
        C:\Windows\system32\awycynyjk.exe 1748 "C:\Windows\SysWOW64\dsvcsfofk.exe"
        284⤵
        Identifies Wine through registry keys
        
        PID:2240
        
        C:\Windows\SysWOW64\mnupbhohr.exe
        
        C:\Windows\system32\mnupbhohr.exe 1744 "C:\Windows\SysWOW64\awycynyjk.exe"
        285⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\zwykecvfy.exe
        
        C:\Windows\system32\zwykecvfy.exe 1768 "C:\Windows\SysWOW64\mnupbhohr.exe"
        286⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1008
        
        C:\Windows\SysWOW64\vxqxhopom.exe
        
        C:\Windows\system32\vxqxhopom.exe 1800 "C:\Windows\SysWOW64\zwykecvfy.exe"
        287⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\bhysytnuu.exe
        
        C:\Windows\system32\bhysytnuu.exe 1860 "C:\Windows\SysWOW64\vxqxhopom.exe"
        288⤵
        
        PID:936
        
        C:\Windows\SysWOW64\uymiwqbpa.exe
        
        C:\Windows\system32\uymiwqbpa.exe 1764 "C:\Windows\SysWOW64\bhysytnuu.exe"
        289⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\zkyqpznxu.exe
        
        C:\Windows\system32\zkyqpznxu.exe 1796 "C:\Windows\SysWOW64\uymiwqbpa.exe"
        290⤵
        
        PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\ttousfdaq.exe

Filesize
537KB

MD5
224beb5a2b2dde8188376e6e0231fb5f

SHA1
11bb3c6896c218b8227cedfbb3cae73b8ee712c5

SHA256
1af46adfac967037ee474a30ad4dbc9c33f95d90cb3f9b9b0e859a46b11ffef3

SHA512
e36b6d3e9c207c3f8ddc155349adde822c87d140203527be005310a88c16a03b2bb8dd3b730abe8af629914c7a4659fe97d7fd7f0b89d3310e867c714ae98742

Download Submit
memory/612-1012-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/828-255-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1012-991-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1020-1075-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1076-118-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1076-141-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1188-1136-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1212-805-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1308-410-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1408-1095-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1424-720-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1428-927-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1448-580-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1504-109-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1504-106-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/1504-93-0x0000000004200000-0x0000000004202000-memory.dmp

Filesize
8KB

Download
memory/1504-114-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/1504-92-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1504-115-0x00000000047F0000-0x00000000049C6000-memory.dmp

Filesize
1.8MB

Download
memory/1504-117-0x00000000047F0000-0x00000000049C6000-memory.dmp

Filesize
1.8MB

Download
memory/1504-113-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/1504-112-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/1504-111-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/1504-110-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1504-108-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/1504-107-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1504-103-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1504-116-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1504-105-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/1544-1267-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1560-322-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1752-1288-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1804-846-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1976-233-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1984-244-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2032-344-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2052-4-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/2052-0-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2052-3-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/2052-11-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/2052-5-0x0000000003F60000-0x0000000003F61000-memory.dmp

Filesize
4KB

Download
memory/2052-6-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2052-7-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/2052-8-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2052-1-0x0000000004200000-0x0000000004202000-memory.dmp

Filesize
8KB

Download
memory/2052-9-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/2052-12-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2052-2-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2052-13-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2052-17-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/2052-10-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/2052-28-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2052-26-0x0000000004830000-0x0000000004A06000-memory.dmp

Filesize
1.8MB

Download
memory/2052-19-0x0000000004830000-0x0000000004A06000-memory.dmp

Filesize
1.8MB

Download
memory/2208-298-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2280-1115-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2296-431-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2304-177-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2348-868-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2364-971-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2488-54-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2488-72-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2488-70-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/2488-71-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2488-63-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/2488-69-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/2488-57-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2488-56-0x0000000004200000-0x0000000004202000-memory.dmp

Filesize
8KB

Download
memory/2592-41-0x00000000040B0000-0x00000000040B1000-memory.dmp

Filesize
4KB

Download
memory/2592-52-0x0000000004950000-0x0000000004B26000-memory.dmp

Filesize
1.8MB

Download
memory/2592-27-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2592-29-0x0000000004210000-0x0000000004212000-memory.dmp

Filesize
8KB

Download
memory/2592-34-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2592-35-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2592-36-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/2592-33-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2592-37-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/2592-40-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/2592-39-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2592-38-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/2592-48-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/2592-55-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2592-50-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/2592-53-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/2592-51-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/2600-660-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2616-763-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2620-1222-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2628-494-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2676-87-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/2676-79-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2676-91-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/2676-74-0x0000000004200000-0x0000000004202000-memory.dmp

Filesize
8KB

Download
memory/2676-75-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2676-90-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2676-89-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/2676-73-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2676-88-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/2692-222-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2744-194-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2880-452-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2960-270-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2980-911-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download