56c0ee2213fb12c706590c31b5c405856a292e3ca7d7ef69c0d10ea166e0366e

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 23:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

78b78e9175fb2a243a10a997a51364a2.exe
Size

543KB
MD5

78b78e9175fb2a243a10a997a51364a2
SHA1

deea5768764131cb646f5556d42a13c1c381d363
SHA256

56c0ee2213fb12c706590c31b5c405856a292e3ca7d7ef69c0d10ea166e0366e
SHA512

20a33092a4a09afba1b8dbe5a97654e8a3f9d5c8ecfb21b8fd0ab24ad1b7559d30842bf0aaeea74bbb92bcaf1ea8a137a843233534eac9990aab464ef7e3aad6
SSDEEP

12288:oyO3k8nnKHZGqrdq8hYVyrOFajTEdgHA6vHvSa:Yk8nK5ljYFOHr3S

Score

7^/10

evasion themida

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2692	tvaqzotx.exe
2588	xtdbhxaf.exe
284	wenldfun.exe
1748	bjhdqbim.exe
2316	vlkepqgw.exe
848	ruswdjvu.exe
2652	wvjbntlr.exe
2756	ngmmuubd.exe
564	nvjjmcmr.exe
1640	cddkugrf.exe
2096	xbmepegw.exe
2964	qoyzycbs.exe
2404	giumofhf.exe
2980	fbvfqrjw.exe
2684	wadnpakw.exe
524	mjqfpwyc.exe
1076	ayzxwjjm.exe
1548	aulvtazx.exe
1680	zmunvnjo.exe
2044	zygfjzni.exe
2100	bljiezub.exe
2400	edagwvcz.exe
3024	iufssbok.exe
2960	nccngpzm.exe
792	slkixnfs.exe
652	ztgarkhk.exe
1152	rafywyyc.exe
2192	mrzblnhx.exe
1368	wylydmhw.exe
2748	krxvnvyb.exe
2868	idbrdyfo.exe
2176	skfovxmn.exe
2480	hodtzxzn.exe
3008	osngiqjd.exe
1828	ydcrdtqf.exe
880	iyamljgq.exe
2640	sfejdinq.exe
2320	pdjzjjmb.exe
2184	ephemkzj.exe
568	oolcfigj.exe
1732	onjmeeww.exe
2252	llqmfljd.exe
1960	yyhcloii.exe
2764	xqiufbrz.exe
2028	cgnhbhdb.exe
1664	eyeftdla.exe
2504	jhjrqrwk.exe
364	wjphbwbu.exe
2328	avjpmffu.exe
1332	aojhospl.exe
2648	akxkxrew.exe
2512	rzwibfvf.exe
1652	ijhkjxka.exe
2572	yoqyhxrd.exe
844	denkdldn.exe
2012	husfzroq.exe
1620	kbgqojpu.exe
1612	rxivycsk.exe
2824	rfgffyhx.exe
1984	dviioynf.exe
1600	bpedeatj.exe
1528	guxdxkyr.exe
1576	kkuytqjc.exe
1508	mgxboqyv.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	qrrlllez.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	dboslica.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	dviioynf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	oeoknvgt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	qiflniqk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	kocmesbl.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	qrnghdqg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	yjkdjquq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	bjhdqbim.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	mrzblnhx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	wylydmhw.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	qeuwscas.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	ipcndwcq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	njyhmdlq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	qnvrhfeb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	mqlpexes.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	ztgarkhk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	fgcjilmt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	myixopzl.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	oexzedry.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	giqpwsxm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	lmbhdizx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	yoqyhxrd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	kkuytqjc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	mhorklyz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	iqhyjfbq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	glhptgwa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	rfgffyhx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	egppqowg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	nqaakaoa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	npxftwtt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	jicydrhb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	etsqotwf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	rinukrpk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	xwwedtyg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	jyxmgvao.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	mitbuzgp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	qsdryjsa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	mmczqsub.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	fbvfqrjw.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	lvrqujvs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	lxpjnpjh.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	daundadu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	tdmqgklp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	unkisokk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	wptaslzk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	fqtjfrsh.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	skfovxmn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	wfiynwcq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	owizulwf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	pedlpdum.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	lutguhup.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	tojprtbl.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	flrbyggw.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	bjgdrplt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	rzwibfvf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	ahhcnnam.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	ikvcmqdl.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	yiqqjblh.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	ephemkzj.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	ryywqfkr.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	balccxqt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	dlblhqrt.exe
Key opened	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Wine	wzpkovvm.exe

Loads dropped DLL 64 IoCs

pid	Process
3064	78b78e9175fb2a243a10a997a51364a2.exe
3064	78b78e9175fb2a243a10a997a51364a2.exe
2692	tvaqzotx.exe
2692	tvaqzotx.exe
2588	xtdbhxaf.exe
2588	xtdbhxaf.exe
284	wenldfun.exe
284	wenldfun.exe
1748	bjhdqbim.exe
1748	bjhdqbim.exe
2316	vlkepqgw.exe
2316	vlkepqgw.exe
848	ruswdjvu.exe
848	ruswdjvu.exe
2652	wvjbntlr.exe
2652	wvjbntlr.exe
2756	ngmmuubd.exe
2756	ngmmuubd.exe
564	nvjjmcmr.exe
564	nvjjmcmr.exe
1640	cddkugrf.exe
1640	cddkugrf.exe
2096	xbmepegw.exe
2096	xbmepegw.exe
2964	qoyzycbs.exe
2964	qoyzycbs.exe
2404	giumofhf.exe
2404	giumofhf.exe
2980	fbvfqrjw.exe
2980	fbvfqrjw.exe
2684	wadnpakw.exe
2684	wadnpakw.exe
524	mjqfpwyc.exe
524	mjqfpwyc.exe
1076	ayzxwjjm.exe
1076	ayzxwjjm.exe
1548	aulvtazx.exe
1548	aulvtazx.exe
1680	zmunvnjo.exe
1680	zmunvnjo.exe
2044	zygfjzni.exe
2044	zygfjzni.exe
2100	bljiezub.exe
2100	bljiezub.exe
2400	edagwvcz.exe
2400	edagwvcz.exe
3024	iufssbok.exe
3024	iufssbok.exe
2960	nccngpzm.exe
2960	nccngpzm.exe
792	slkixnfs.exe
792	slkixnfs.exe
652	ztgarkhk.exe
652	ztgarkhk.exe
1152	rafywyyc.exe
1152	rafywyyc.exe
2192	mrzblnhx.exe
2192	mrzblnhx.exe
1368	wylydmhw.exe
1368	wylydmhw.exe
2748	krxvnvyb.exe
2748	krxvnvyb.exe
2868	idbrdyfo.exe
2868	idbrdyfo.exe

Themida packer 52 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/3064-0-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/3064-2-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/files/0x000800000001224f-18.dat	themida
behavioral1/memory/3064-19-0x0000000004840000-0x0000000004A18000-memory.dmp	themida
behavioral1/memory/2692-26-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/3064-27-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2692-38-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2588-43-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2588-48-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/284-69-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/284-81-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/284-86-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1748-88-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1748-93-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2316-112-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1748-113-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2316-118-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2316-136-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2756-214-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1640-267-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2404-332-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2980-343-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2684-354-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/524-379-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1076-400-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1548-423-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1680-446-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/3024-534-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2960-555-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/792-575-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/652-596-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1152-617-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2192-639-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1368-661-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2748-682-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2868-703-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2480-746-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/3008-763-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/880-815-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2640-828-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2184-871-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2252-934-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2764-975-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2504-1038-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/364-1059-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2328-1068-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/1332-1075-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2648-1082-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2512-1089-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2572-1132-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2012-1173-0x0000000000400000-0x00000000005D8000-memory.dmp	themida
behavioral1/memory/2824-1235-0x0000000000400000-0x00000000005D8000-memory.dmp	themida

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jzukttul.exe	hivmbxun.exe
File opened for modification	C:\Windows\SysWOW64\jicydrhb.exe	rfonczxm.exe
File created	C:\Windows\SysWOW64\dlblhqrt.exe	lwbvdbaj.exe
File opened for modification	C:\Windows\SysWOW64\vjadfexq.exe	yiqqjblh.exe
File created	C:\Windows\SysWOW64\ulsalerh.exe	ancyjgji.exe
File created	C:\Windows\SysWOW64\vsajglqo.exe	eljlbphw.exe
File created	C:\Windows\SysWOW64\rpormzar.exe	fvzrgamr.exe
File created	C:\Windows\SysWOW64\plavjxad.exe	vcholdmj.exe
File created	C:\Windows\SysWOW64\bjhdqbim.exe	wenldfun.exe
File created	C:\Windows\SysWOW64\zmunvnjo.exe	aulvtazx.exe
File opened for modification	C:\Windows\SysWOW64\mrzblnhx.exe	rafywyyc.exe
File opened for modification	C:\Windows\SysWOW64\hivmbxun.exe	kswmiqhg.exe
File opened for modification	C:\Windows\SysWOW64\mfejvflu.exe	qeuwscas.exe
File created	C:\Windows\SysWOW64\nccngpzm.exe	iufssbok.exe
File opened for modification	C:\Windows\SysWOW64\guxdxkyr.exe	bpedeatj.exe
File opened for modification	C:\Windows\SysWOW64\nhrdxdwh.exe	yrilrqle.exe
File opened for modification	C:\Windows\SysWOW64\hedwmwtn.exe	njyhmdlq.exe
File opened for modification	C:\Windows\SysWOW64\winbqyih.exe	ftolmkzq.exe
File opened for modification	C:\Windows\SysWOW64\evjywjgs.exe	pmxgvfbn.exe
File opened for modification	C:\Windows\SysWOW64\ijhkjxka.exe	rzwibfvf.exe
File opened for modification	C:\Windows\SysWOW64\qeuwscas.exe	gnhoniic.exe
File created	C:\Windows\SysWOW64\rxakvdmd.exe	uhtkuwhx.exe
File opened for modification	C:\Windows\SysWOW64\vhyoxtbd.exe	vsajglqo.exe
File created	C:\Windows\SysWOW64\uaviqfqa.exe	noydnwea.exe
File created	C:\Windows\SysWOW64\flrbyggw.exe	lmbhdizx.exe
File opened for modification	C:\Windows\SysWOW64\rbjbjiwu.exe	cspibeip.exe
File created	C:\Windows\SysWOW64\utdewsdn.exe	xwwedtyg.exe
File created	C:\Windows\SysWOW64\mitbuzgp.exe	fejwlgwz.exe
File created	C:\Windows\SysWOW64\uvxjsmqx.exe	ixewjjvc.exe
File created	C:\Windows\SysWOW64\dyybthwi.exe	jrigqjhi.exe
File created	C:\Windows\SysWOW64\gcvmktyo.exe	pvvpffhw.exe
File opened for modification	C:\Windows\SysWOW64\yiqqjblh.exe	zqhgpobq.exe
File opened for modification	C:\Windows\SysWOW64\xbmepegw.exe	cddkugrf.exe
File opened for modification	C:\Windows\SysWOW64\rzwibfvf.exe	akxkxrew.exe
File created	C:\Windows\SysWOW64\lxyzqhrw.exe	bjwwosgi.exe
File created	C:\Windows\SysWOW64\vqbbwyps.exe	ypjosmdi.exe
File opened for modification	C:\Windows\SysWOW64\ipcndwcq.exe	rxakvdmd.exe
File created	C:\Windows\SysWOW64\iyamljgq.exe	ydcrdtqf.exe
File opened for modification	C:\Windows\SysWOW64\ephemkzj.exe	pdjzjjmb.exe
File created	C:\Windows\SysWOW64\sxzqlydb.exe	dlblhqrt.exe
File opened for modification	C:\Windows\SysWOW64\ehmrxjzy.exe	kxljrplf.exe
File opened for modification	C:\Windows\SysWOW64\edagwvcz.exe	bljiezub.exe
File created	C:\Windows\SysWOW64\cncxbdam.exe	nbesxdne.exe
File created	C:\Windows\SysWOW64\qrrlllez.exe	waayoafj.exe
File opened for modification	C:\Windows\SysWOW64\zsnrctgj.exe	fqtjfrsh.exe
File opened for modification	C:\Windows\SysWOW64\bzmydrzw.exe	evjywjgs.exe
File opened for modification	C:\Windows\SysWOW64\lzrohcjm.exe	bzmydrzw.exe
File opened for modification	C:\Windows\SysWOW64\vlkepqgw.exe	bjhdqbim.exe
File created	C:\Windows\SysWOW64\cddkugrf.exe	nvjjmcmr.exe
File opened for modification	C:\Windows\SysWOW64\cgnhbhdb.exe	xqiufbrz.exe
File created	C:\Windows\SysWOW64\denkdldn.exe	yoqyhxrd.exe
File created	C:\Windows\SysWOW64\wxvfgfng.exe	cncxbdam.exe
File opened for modification	C:\Windows\SysWOW64\zzoogejp.exe	irregjub.exe
File created	C:\Windows\SysWOW64\ygqakcxw.exe	bbnidnes.exe
File created	C:\Windows\SysWOW64\xtdbhxaf.exe	tvaqzotx.exe
File opened for modification	C:\Windows\SysWOW64\slkixnfs.exe	nccngpzm.exe
File created	C:\Windows\SysWOW64\wlrejpwa.exe	ryywqfkr.exe
File opened for modification	C:\Windows\SysWOW64\famxcmkq.exe	duxcthzd.exe
File opened for modification	C:\Windows\SysWOW64\oexzedry.exe	khdzrgvz.exe
File opened for modification	C:\Windows\SysWOW64\dutgimzu.exe	oivbfenm.exe
File created	C:\Windows\SysWOW64\bjwwosgi.exe	hhuwpdjy.exe
File created	C:\Windows\SysWOW64\tiuapqkl.exe	cqrqhxuz.exe
File created	C:\Windows\SysWOW64\evjywjgs.exe	pmxgvfbn.exe
File created	C:\Windows\SysWOW64\xmfaycib.exe	giqpwsxm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3064	78b78e9175fb2a243a10a997a51364a2.exe
2692	tvaqzotx.exe
2588	xtdbhxaf.exe
284	wenldfun.exe
1748	bjhdqbim.exe
2316	vlkepqgw.exe
848	ruswdjvu.exe
2652	wvjbntlr.exe
2756	ngmmuubd.exe
564	nvjjmcmr.exe
1640	cddkugrf.exe
2096	xbmepegw.exe
2964	qoyzycbs.exe
2404	giumofhf.exe
2980	fbvfqrjw.exe
2684	wadnpakw.exe
524	mjqfpwyc.exe
1076	ayzxwjjm.exe
1548	aulvtazx.exe
1680	zmunvnjo.exe
2044	zygfjzni.exe
2100	bljiezub.exe
2400	edagwvcz.exe
3024	iufssbok.exe
2960	nccngpzm.exe
792	slkixnfs.exe
652	ztgarkhk.exe
1152	rafywyyc.exe
2192	mrzblnhx.exe
1368	wylydmhw.exe
2748	krxvnvyb.exe
2868	idbrdyfo.exe
2176	skfovxmn.exe
2480	hodtzxzn.exe
3008	osngiqjd.exe
1828	ydcrdtqf.exe
880	iyamljgq.exe
2640	sfejdinq.exe
2320	pdjzjjmb.exe
2184	ephemkzj.exe
568	oolcfigj.exe
1732	onjmeeww.exe
2252	llqmfljd.exe
1960	yyhcloii.exe
2764	xqiufbrz.exe
2028	cgnhbhdb.exe
1664	eyeftdla.exe
2504	jhjrqrwk.exe
364	wjphbwbu.exe
2328	avjpmffu.exe
1332	aojhospl.exe
2648	akxkxrew.exe
2512	rzwibfvf.exe
1652	ijhkjxka.exe
2572	yoqyhxrd.exe
844	denkdldn.exe
2012	husfzroq.exe
1620	kbgqojpu.exe
1612	rxivycsk.exe
2824	rfgffyhx.exe
1984	dviioynf.exe
1600	bpedeatj.exe
1528	guxdxkyr.exe
1576	kkuytqjc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2692	3064	78b78e9175fb2a243a10a997a51364a2.exe	28
PID 3064 wrote to memory of 2692	3064	78b78e9175fb2a243a10a997a51364a2.exe	28
PID 3064 wrote to memory of 2692	3064	78b78e9175fb2a243a10a997a51364a2.exe	28
PID 3064 wrote to memory of 2692	3064	78b78e9175fb2a243a10a997a51364a2.exe	28
PID 2692 wrote to memory of 2588	2692	tvaqzotx.exe	29
PID 2692 wrote to memory of 2588	2692	tvaqzotx.exe	29
PID 2692 wrote to memory of 2588	2692	tvaqzotx.exe	29
PID 2692 wrote to memory of 2588	2692	tvaqzotx.exe	29
PID 2588 wrote to memory of 284	2588	xtdbhxaf.exe	30
PID 2588 wrote to memory of 284	2588	xtdbhxaf.exe	30
PID 2588 wrote to memory of 284	2588	xtdbhxaf.exe	30
PID 2588 wrote to memory of 284	2588	xtdbhxaf.exe	30
PID 284 wrote to memory of 1748	284	wenldfun.exe	31
PID 284 wrote to memory of 1748	284	wenldfun.exe	31
PID 284 wrote to memory of 1748	284	wenldfun.exe	31
PID 284 wrote to memory of 1748	284	wenldfun.exe	31
PID 1748 wrote to memory of 2316	1748	bjhdqbim.exe	32
PID 1748 wrote to memory of 2316	1748	bjhdqbim.exe	32
PID 1748 wrote to memory of 2316	1748	bjhdqbim.exe	32
PID 1748 wrote to memory of 2316	1748	bjhdqbim.exe	32
PID 2316 wrote to memory of 848	2316	vlkepqgw.exe	33
PID 2316 wrote to memory of 848	2316	vlkepqgw.exe	33
PID 2316 wrote to memory of 848	2316	vlkepqgw.exe	33
PID 2316 wrote to memory of 848	2316	vlkepqgw.exe	33
PID 848 wrote to memory of 2652	848	ruswdjvu.exe	34
PID 848 wrote to memory of 2652	848	ruswdjvu.exe	34
PID 848 wrote to memory of 2652	848	ruswdjvu.exe	34
PID 848 wrote to memory of 2652	848	ruswdjvu.exe	34
PID 2652 wrote to memory of 2756	2652	wvjbntlr.exe	35
PID 2652 wrote to memory of 2756	2652	wvjbntlr.exe	35
PID 2652 wrote to memory of 2756	2652	wvjbntlr.exe	35
PID 2652 wrote to memory of 2756	2652	wvjbntlr.exe	35
PID 2756 wrote to memory of 564	2756	ngmmuubd.exe	36
PID 2756 wrote to memory of 564	2756	ngmmuubd.exe	36
PID 2756 wrote to memory of 564	2756	ngmmuubd.exe	36
PID 2756 wrote to memory of 564	2756	ngmmuubd.exe	36
PID 564 wrote to memory of 1640	564	nvjjmcmr.exe	37
PID 564 wrote to memory of 1640	564	nvjjmcmr.exe	37
PID 564 wrote to memory of 1640	564	nvjjmcmr.exe	37
PID 564 wrote to memory of 1640	564	nvjjmcmr.exe	37
PID 1640 wrote to memory of 2096	1640	cddkugrf.exe	38
PID 1640 wrote to memory of 2096	1640	cddkugrf.exe	38
PID 1640 wrote to memory of 2096	1640	cddkugrf.exe	38
PID 1640 wrote to memory of 2096	1640	cddkugrf.exe	38
PID 2096 wrote to memory of 2964	2096	xbmepegw.exe	39
PID 2096 wrote to memory of 2964	2096	xbmepegw.exe	39
PID 2096 wrote to memory of 2964	2096	xbmepegw.exe	39
PID 2096 wrote to memory of 2964	2096	xbmepegw.exe	39
PID 2964 wrote to memory of 2404	2964	qoyzycbs.exe	40
PID 2964 wrote to memory of 2404	2964	qoyzycbs.exe	40
PID 2964 wrote to memory of 2404	2964	qoyzycbs.exe	40
PID 2964 wrote to memory of 2404	2964	qoyzycbs.exe	40
PID 2404 wrote to memory of 2980	2404	giumofhf.exe	41
PID 2404 wrote to memory of 2980	2404	giumofhf.exe	41
PID 2404 wrote to memory of 2980	2404	giumofhf.exe	41
PID 2404 wrote to memory of 2980	2404	giumofhf.exe	41
PID 2980 wrote to memory of 2684	2980	fbvfqrjw.exe	42
PID 2980 wrote to memory of 2684	2980	fbvfqrjw.exe	42
PID 2980 wrote to memory of 2684	2980	fbvfqrjw.exe	42
PID 2980 wrote to memory of 2684	2980	fbvfqrjw.exe	42
PID 2684 wrote to memory of 524	2684	wadnpakw.exe	43
PID 2684 wrote to memory of 524	2684	wadnpakw.exe	43
PID 2684 wrote to memory of 524	2684	wadnpakw.exe	43
PID 2684 wrote to memory of 524	2684	wadnpakw.exe	43

C:\Users\Admin\AppData\Local\Temp\78b78e9175fb2a243a10a997a51364a2.exe
"C:\Users\Admin\AppData\Local\Temp\78b78e9175fb2a243a10a997a51364a2.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\tvaqzotx.exe
  C:\Windows\system32\tvaqzotx.exe 684 "C:\Users\Admin\AppData\Local\Temp\78b78e9175fb2a243a10a997a51364a2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\xtdbhxaf.exe
    C:\Windows\system32\xtdbhxaf.exe 624 "C:\Windows\SysWOW64\tvaqzotx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\wenldfun.exe
      C:\Windows\system32\wenldfun.exe 628 "C:\Windows\SysWOW64\xtdbhxaf.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:284
    - - C:\Windows\SysWOW64\bjhdqbim.exe
        
        C:\Windows\system32\bjhdqbim.exe 636 "C:\Windows\SysWOW64\wenldfun.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1748
      - C:\Windows\SysWOW64\vlkepqgw.exe
        
        C:\Windows\system32\vlkepqgw.exe 648 "C:\Windows\SysWOW64\bjhdqbim.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\ruswdjvu.exe
        
        C:\Windows\system32\ruswdjvu.exe 632 "C:\Windows\SysWOW64\vlkepqgw.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\SysWOW64\wvjbntlr.exe
        
        C:\Windows\system32\wvjbntlr.exe 640 "C:\Windows\SysWOW64\ruswdjvu.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\ngmmuubd.exe
        
        C:\Windows\system32\ngmmuubd.exe 652 "C:\Windows\SysWOW64\wvjbntlr.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\nvjjmcmr.exe
        
        C:\Windows\system32\nvjjmcmr.exe 644 "C:\Windows\SysWOW64\ngmmuubd.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\cddkugrf.exe
        
        C:\Windows\system32\cddkugrf.exe 664 "C:\Windows\SysWOW64\nvjjmcmr.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\xbmepegw.exe
        
        C:\Windows\system32\xbmepegw.exe 692 "C:\Windows\SysWOW64\cddkugrf.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\qoyzycbs.exe
        
        C:\Windows\system32\qoyzycbs.exe 660 "C:\Windows\SysWOW64\xbmepegw.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\giumofhf.exe
        
        C:\Windows\system32\giumofhf.exe 668 "C:\Windows\SysWOW64\qoyzycbs.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\SysWOW64\fbvfqrjw.exe
        
        C:\Windows\system32\fbvfqrjw.exe 672 "C:\Windows\SysWOW64\giumofhf.exe"
        15⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\wadnpakw.exe
        
        C:\Windows\system32\wadnpakw.exe 676 "C:\Windows\SysWOW64\fbvfqrjw.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\mjqfpwyc.exe
        
        C:\Windows\system32\mjqfpwyc.exe 764 "C:\Windows\SysWOW64\wadnpakw.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:524
        
        C:\Windows\SysWOW64\ayzxwjjm.exe
        
        C:\Windows\system32\ayzxwjjm.exe 712 "C:\Windows\SysWOW64\mjqfpwyc.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1076
        
        C:\Windows\SysWOW64\aulvtazx.exe
        
        C:\Windows\system32\aulvtazx.exe 656 "C:\Windows\SysWOW64\ayzxwjjm.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\SysWOW64\zmunvnjo.exe
        
        C:\Windows\system32\zmunvnjo.exe 716 "C:\Windows\SysWOW64\aulvtazx.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\zygfjzni.exe
        
        C:\Windows\system32\zygfjzni.exe 704 "C:\Windows\SysWOW64\zmunvnjo.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2044
        
        C:\Windows\SysWOW64\bljiezub.exe
        
        C:\Windows\system32\bljiezub.exe 688 "C:\Windows\SysWOW64\zygfjzni.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
        
        C:\Windows\SysWOW64\edagwvcz.exe
        
        C:\Windows\system32\edagwvcz.exe 724 "C:\Windows\SysWOW64\bljiezub.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2400
        
        C:\Windows\SysWOW64\iufssbok.exe
        
        C:\Windows\system32\iufssbok.exe 696 "C:\Windows\SysWOW64\edagwvcz.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
        
        C:\Windows\SysWOW64\nccngpzm.exe
        
        C:\Windows\system32\nccngpzm.exe 708 "C:\Windows\SysWOW64\iufssbok.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2960
        
        C:\Windows\SysWOW64\slkixnfs.exe
        
        C:\Windows\system32\slkixnfs.exe 744 "C:\Windows\SysWOW64\nccngpzm.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:792
        
        C:\Windows\SysWOW64\ztgarkhk.exe
        
        C:\Windows\system32\ztgarkhk.exe 680 "C:\Windows\SysWOW64\slkixnfs.exe"
        27⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:652
        
        C:\Windows\SysWOW64\rafywyyc.exe
        
        C:\Windows\system32\rafywyyc.exe 720 "C:\Windows\SysWOW64\ztgarkhk.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1152
        
        C:\Windows\SysWOW64\mrzblnhx.exe
        
        C:\Windows\system32\mrzblnhx.exe 736 "C:\Windows\SysWOW64\rafywyyc.exe"
        29⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2192
        
        C:\Windows\SysWOW64\wylydmhw.exe
        
        C:\Windows\system32\wylydmhw.exe 620 "C:\Windows\SysWOW64\mrzblnhx.exe"
        30⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:1368
        
        C:\Windows\SysWOW64\krxvnvyb.exe
        
        C:\Windows\system32\krxvnvyb.exe 812 "C:\Windows\SysWOW64\wylydmhw.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2748
        
        C:\Windows\SysWOW64\idbrdyfo.exe
        
        C:\Windows\system32\idbrdyfo.exe 732 "C:\Windows\SysWOW64\krxvnvyb.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Windows\SysWOW64\skfovxmn.exe
        
        C:\Windows\system32\skfovxmn.exe 824 "C:\Windows\SysWOW64\idbrdyfo.exe"
        33⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
        
        C:\Windows\SysWOW64\hodtzxzn.exe
        
        C:\Windows\system32\hodtzxzn.exe 728 "C:\Windows\SysWOW64\skfovxmn.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2480
        
        C:\Windows\SysWOW64\osngiqjd.exe
        
        C:\Windows\system32\osngiqjd.exe 748 "C:\Windows\SysWOW64\hodtzxzn.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3008
        
        C:\Windows\SysWOW64\ydcrdtqf.exe
        
        C:\Windows\system32\ydcrdtqf.exe 800 "C:\Windows\SysWOW64\osngiqjd.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1828
        
        C:\Windows\SysWOW64\iyamljgq.exe
        
        C:\Windows\system32\iyamljgq.exe 780 "C:\Windows\SysWOW64\ydcrdtqf.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:880
        
        C:\Windows\SysWOW64\sfejdinq.exe
        
        C:\Windows\system32\sfejdinq.exe 788 "C:\Windows\SysWOW64\iyamljgq.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2640
        
        C:\Windows\SysWOW64\pdjzjjmb.exe
        
        C:\Windows\system32\pdjzjjmb.exe 852 "C:\Windows\SysWOW64\sfejdinq.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2320
        
        C:\Windows\SysWOW64\ephemkzj.exe
        
        C:\Windows\system32\ephemkzj.exe 740 "C:\Windows\SysWOW64\pdjzjjmb.exe"
        40⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:2184
        
        C:\Windows\SysWOW64\oolcfigj.exe
        
        C:\Windows\system32\oolcfigj.exe 856 "C:\Windows\SysWOW64\ephemkzj.exe"
        41⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
        
        C:\Windows\SysWOW64\onjmeeww.exe
        
        C:\Windows\system32\onjmeeww.exe 752 "C:\Windows\SysWOW64\oolcfigj.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1732
        
        C:\Windows\SysWOW64\llqmfljd.exe
        
        C:\Windows\system32\llqmfljd.exe 760 "C:\Windows\SysWOW64\onjmeeww.exe"
        43⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2252
        
        C:\Windows\SysWOW64\yyhcloii.exe
        
        C:\Windows\system32\yyhcloii.exe 796 "C:\Windows\SysWOW64\llqmfljd.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\SysWOW64\xqiufbrz.exe
        
        C:\Windows\system32\xqiufbrz.exe 768 "C:\Windows\SysWOW64\yyhcloii.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2764
        
        C:\Windows\SysWOW64\cgnhbhdb.exe
        
        C:\Windows\system32\cgnhbhdb.exe 848 "C:\Windows\SysWOW64\xqiufbrz.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2028
        
        C:\Windows\SysWOW64\eyeftdla.exe
        
        C:\Windows\system32\eyeftdla.exe 792 "C:\Windows\SysWOW64\cgnhbhdb.exe"
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1664
        
        C:\Windows\SysWOW64\jhjrqrwk.exe
        
        C:\Windows\system32\jhjrqrwk.exe 808 "C:\Windows\SysWOW64\eyeftdla.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2504
        
        C:\Windows\SysWOW64\wjphbwbu.exe
        
        C:\Windows\system32\wjphbwbu.exe 840 "C:\Windows\SysWOW64\jhjrqrwk.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:364
        
        C:\Windows\SysWOW64\avjpmffu.exe
        
        C:\Windows\system32\avjpmffu.exe 832 "C:\Windows\SysWOW64\wjphbwbu.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\aojhospl.exe
        
        C:\Windows\system32\aojhospl.exe 772 "C:\Windows\SysWOW64\avjpmffu.exe"
        51⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1332
        
        C:\Windows\SysWOW64\akxkxrew.exe
        
        C:\Windows\system32\akxkxrew.exe 868 "C:\Windows\SysWOW64\aojhospl.exe"
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2648
        
        C:\Windows\SysWOW64\rzwibfvf.exe
        
        C:\Windows\system32\rzwibfvf.exe 804 "C:\Windows\SysWOW64\akxkxrew.exe"
        53⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
        
        C:\Windows\SysWOW64\ijhkjxka.exe
        
        C:\Windows\system32\ijhkjxka.exe 884 "C:\Windows\SysWOW64\rzwibfvf.exe"
        54⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1652
        
        C:\Windows\SysWOW64\yoqyhxrd.exe
        
        C:\Windows\system32\yoqyhxrd.exe 756 "C:\Windows\SysWOW64\ijhkjxka.exe"
        55⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Windows\SysWOW64\denkdldn.exe
        
        C:\Windows\system32\denkdldn.exe 816 "C:\Windows\SysWOW64\yoqyhxrd.exe"
        56⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
        
        C:\Windows\SysWOW64\husfzroq.exe
        
        C:\Windows\system32\husfzroq.exe 872 "C:\Windows\SysWOW64\denkdldn.exe"
        57⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\kbgqojpu.exe
        
        C:\Windows\system32\kbgqojpu.exe 876 "C:\Windows\SysWOW64\husfzroq.exe"
        58⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\rxivycsk.exe
        
        C:\Windows\system32\rxivycsk.exe 784 "C:\Windows\SysWOW64\kbgqojpu.exe"
        59⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1612
        
        C:\Windows\SysWOW64\rfgffyhx.exe
        
        C:\Windows\system32\rfgffyhx.exe 820 "C:\Windows\SysWOW64\rxivycsk.exe"
        60⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:2824
        
        C:\Windows\SysWOW64\dviioynf.exe
        
        C:\Windows\system32\dviioynf.exe 948 "C:\Windows\SysWOW64\rfgffyhx.exe"
        61⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\SysWOW64\bpedeatj.exe
        
        C:\Windows\system32\bpedeatj.exe 828 "C:\Windows\SysWOW64\dviioynf.exe"
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1600
        
        C:\Windows\SysWOW64\guxdxkyr.exe
        
        C:\Windows\system32\guxdxkyr.exe 844 "C:\Windows\SysWOW64\bpedeatj.exe"
        63⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1528
        
        C:\Windows\SysWOW64\kkuytqjc.exe
        
        C:\Windows\system32\kkuytqjc.exe 836 "C:\Windows\SysWOW64\guxdxkyr.exe"
        64⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious behavior: EnumeratesProcesses
        
        PID:1576
        
        C:\Windows\SysWOW64\mgxboqyv.exe
        
        C:\Windows\system32\mgxboqyv.exe 900 "C:\Windows\SysWOW64\kkuytqjc.exe"
        65⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\SysWOW64\ztpquuxh.exe
        
        C:\Windows\system32\ztpquuxh.exe 964 "C:\Windows\SysWOW64\mgxboqyv.exe"
        66⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\wfiynwcq.exe
        
        C:\Windows\system32\wfiynwcq.exe 904 "C:\Windows\SysWOW64\ztpquuxh.exe"
        67⤵
        Identifies Wine through registry keys
        
        PID:1696
        
        C:\Windows\SysWOW64\drhdcysc.exe
        
        C:\Windows\system32\drhdcysc.exe 912 "C:\Windows\SysWOW64\wfiynwcq.exe"
        68⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\lvrqujvs.exe
        
        C:\Windows\system32\lvrqujvs.exe 924 "C:\Windows\SysWOW64\drhdcysc.exe"
        69⤵
        Identifies Wine through registry keys
        
        PID:2940
        
        C:\Windows\SysWOW64\vqkbbdvp.exe
        
        C:\Windows\system32\vqkbbdvp.exe 976 "C:\Windows\SysWOW64\lvrqujvs.exe"
        70⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\svnbilob.exe
        
        C:\Windows\system32\svnbilob.exe 864 "C:\Windows\SysWOW64\vqkbbdvp.exe"
        71⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\awmbpako.exe
        
        C:\Windows\system32\awmbpako.exe 880 "C:\Windows\SysWOW64\svnbilob.exe"
        72⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\fejwlgwz.exe
        
        C:\Windows\system32\fejwlgwz.exe 892 "C:\Windows\SysWOW64\awmbpako.exe"
        73⤵
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\mitbuzgp.exe
        
        C:\Windows\system32\mitbuzgp.exe 908 "C:\Windows\SysWOW64\fejwlgwz.exe"
        74⤵
        Identifies Wine through registry keys
        
        PID:2636
        
        C:\Windows\SysWOW64\ryywqfkr.exe
        
        C:\Windows\system32\ryywqfkr.exe 936 "C:\Windows\SysWOW64\mitbuzgp.exe"
        75⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\wlrejpwa.exe
        
        C:\Windows\system32\wlrejpwa.exe 888 "C:\Windows\SysWOW64\ryywqfkr.exe"
        76⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\ghkorjxx.exe
        
        C:\Windows\system32\ghkorjxx.exe 932 "C:\Windows\SysWOW64\wlrejpwa.exe"
        77⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\lxpjnpjh.exe
        
        C:\Windows\system32\lxpjnpjh.exe 860 "C:\Windows\SysWOW64\ghkorjxx.exe"
        78⤵
        Identifies Wine through registry keys
        
        PID:672
        
        C:\Windows\SysWOW64\vtquvkjf.exe
        
        C:\Windows\system32\vtquvkjf.exe 920 "C:\Windows\SysWOW64\lxpjnpjh.exe"
        79⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\ajnoryvh.exe
        
        C:\Windows\system32\ajnoryvh.exe 916 "C:\Windows\SysWOW64\vtquvkjf.exe"
        80⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\hnxuijyf.exe
        
        C:\Windows\system32\hnxuijyf.exe 968 "C:\Windows\SysWOW64\ajnoryvh.exe"
        81⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\sbymqdgc.exe
        
        C:\Windows\system32\sbymqdgc.exe 896 "C:\Windows\SysWOW64\hnxuijyf.exe"
        82⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\bpyjolmz.exe
        
        C:\Windows\system32\bpyjolmz.exe 980 "C:\Windows\SysWOW64\sbymqdgc.exe"
        83⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\balccxqt.exe
        
        C:\Windows\system32\balccxqt.exe 928 "C:\Windows\SysWOW64\bpyjolmz.exe"
        84⤵
        Identifies Wine through registry keys
        
        PID:2088
        
        C:\Windows\SysWOW64\gutcbhiy.exe
        
        C:\Windows\system32\gutcbhiy.exe 940 "C:\Windows\SysWOW64\balccxqt.exe"
        85⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\lhmkmrng.exe
        
        C:\Windows\system32\lhmkmrng.exe 956 "C:\Windows\SysWOW64\gutcbhiy.exe"
        86⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\salkbxrt.exe
        
        C:\Windows\system32\salkbxrt.exe 944 "C:\Windows\SysWOW64\lhmkmrng.exe"
        87⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\ahhcnnam.exe
        
        C:\Windows\system32\ahhcnnam.exe 996 "C:\Windows\SysWOW64\salkbxrt.exe"
        88⤵
        Identifies Wine through registry keys
        
        PID:2468
        
        C:\Windows\SysWOW64\kswmiqhg.exe
        
        C:\Windows\system32\kswmiqhg.exe 1020 "C:\Windows\SysWOW64\ahhcnnam.exe"
        89⤵
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\hivmbxun.exe
        
        C:\Windows\system32\hivmbxun.exe 972 "C:\Windows\SysWOW64\kswmiqhg.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2860
        
        C:\Windows\SysWOW64\jzukttul.exe
        
        C:\Windows\system32\jzukttul.exe 952 "C:\Windows\SysWOW64\hivmbxun.exe"
        91⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\oeoknvgt.exe
        
        C:\Windows\system32\oeoknvgt.exe 1068 "C:\Windows\SysWOW64\jzukttul.exe"
        92⤵
        Identifies Wine through registry keys
        
        PID:2336
        
        C:\Windows\SysWOW64\qarvivnu.exe
        
        C:\Windows\system32\qarvivnu.exe 1072 "C:\Windows\SysWOW64\oeoknvgt.exe"
        93⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\duxcthzd.exe
        
        C:\Windows\system32\duxcthzd.exe 1080 "C:\Windows\SysWOW64\qarvivnu.exe"
        94⤵
        Drops file in System32 directory
        
        PID:384
        
        C:\Windows\SysWOW64\famxcmkq.exe
        
        C:\Windows\system32\famxcmkq.exe 988 "C:\Windows\SysWOW64\duxcthzd.exe"
        95⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\srhatuqx.exe
        
        C:\Windows\system32\srhatuqx.exe 1012 "C:\Windows\SysWOW64\famxcmkq.exe"
        96⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\wlpikeac.exe
        
        C:\Windows\system32\wlpikeac.exe 984 "C:\Windows\SysWOW64\srhatuqx.exe"
        97⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\olafjsmp.exe
        
        C:\Windows\system32\olafjsmp.exe 960 "C:\Windows\SysWOW64\wlpikeac.exe"
        98⤵
        
        PID:280
        
        C:\Windows\SysWOW64\gdbqdfog.exe
        
        C:\Windows\system32\gdbqdfog.exe 1008 "C:\Windows\SysWOW64\olafjsmp.exe"
        99⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\ancyjgji.exe
        
        C:\Windows\system32\ancyjgji.exe 992 "C:\Windows\SysWOW64\gdbqdfog.exe"
        100⤵
        Drops file in System32 directory
        
        PID:2360
        
        C:\Windows\SysWOW64\ulsalerh.exe
        
        C:\Windows\system32\ulsalerh.exe 1032 "C:\Windows\SysWOW64\ancyjgji.exe"
        101⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\rfonczxm.exe
        
        C:\Windows\system32\rfonczxm.exe 1000 "C:\Windows\SysWOW64\ulsalerh.exe"
        102⤵
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\jicydrhb.exe
        
        C:\Windows\system32\jicydrhb.exe 1040 "C:\Windows\SysWOW64\rfonczxm.exe"
        103⤵
        Identifies Wine through registry keys
        
        PID:2392
        
        C:\Windows\SysWOW64\qmkwuxzf.exe
        
        C:\Windows\system32\qmkwuxzf.exe 1028 "C:\Windows\SysWOW64\jicydrhb.exe"
        104⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\nnujyilo.exe
        
        C:\Windows\system32\nnujyilo.exe 1016 "C:\Windows\SysWOW64\qmkwuxzf.exe"
        105⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\xbwlapec.exe
        
        C:\Windows\system32\xbwlapec.exe 1036 "C:\Windows\SysWOW64\nnujyilo.exe"
        106⤵
        
        PID:764
        
        C:\Windows\SysWOW64\oivbfenm.exe
        
        C:\Windows\system32\oivbfenm.exe 1044 "C:\Windows\SysWOW64\xbwlapec.exe"
        107⤵
        Drops file in System32 directory
        
        PID:1112
        
        C:\Windows\SysWOW64\dutgimzu.exe
        
        C:\Windows\system32\dutgimzu.exe 1004 "C:\Windows\SysWOW64\oivbfenm.exe"
        108⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\vxprkwrj.exe
        
        C:\Windows\system32\vxprkwrj.exe 1076 "C:\Windows\SysWOW64\dutgimzu.exe"
        109⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\naebmgcz.exe
        
        C:\Windows\system32\naebmgcz.exe 1056 "C:\Windows\SysWOW64\vxprkwrj.exe"
        110⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\hhuwpdjy.exe
        
        C:\Windows\system32\hhuwpdjy.exe 1052 "C:\Windows\SysWOW64\naebmgcz.exe"
        111⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\bjwwosgi.exe
        
        C:\Windows\system32\bjwwosgi.exe 1060 "C:\Windows\SysWOW64\hhuwpdjy.exe"
        112⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\lxyzqhrw.exe
        
        C:\Windows\system32\lxyzqhrw.exe 1084 "C:\Windows\SysWOW64\bjwwosgi.exe"
        113⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\chjcxahr.exe
        
        C:\Windows\system32\chjcxahr.exe 1064 "C:\Windows\SysWOW64\lxyzqhrw.exe"
        114⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\mhorklyz.exe
        
        C:\Windows\system32\mhorklyz.exe 1092 "C:\Windows\SysWOW64\chjcxahr.exe"
        115⤵
        Identifies Wine through registry keys
        
        PID:2180
        
        C:\Windows\SysWOW64\tdhpnrlg.exe
        
        C:\Windows\system32\tdhpnrlg.exe 1048 "C:\Windows\SysWOW64\mhorklyz.exe"
        116⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\itgpoqyn.exe
        
        C:\Windows\system32\itgpoqyn.exe 1108 "C:\Windows\SysWOW64\tdhpnrlg.exe"
        117⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\rweswgof.exe
        
        C:\Windows\system32\rweswgof.exe 1112 "C:\Windows\SysWOW64\itgpoqyn.exe"
        118⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\boraizgo.exe
        
        C:\Windows\system32\boraizgo.exe 1144 "C:\Windows\SysWOW64\rweswgof.exe"
        119⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\bsekqquz.exe
        
        C:\Windows\system32\bsekqquz.exe 1104 "C:\Windows\SysWOW64\boraizgo.exe"
        120⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\qhndfcfb.exe
        
        C:\Windows\system32\qhndfcfb.exe 1172 "C:\Windows\SysWOW64\bsekqquz.exe"
        121⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cqrqhxuz.exe
        
        C:\Windows\system32\cqrqhxuz.exe 1140 "C:\Windows\SysWOW64\qhndfcfb.exe"
        122⤵
        Drops file in System32 directory
        
        PID:696
        
        C:\Windows\SysWOW64\tiuapqkl.exe
        
        C:\Windows\system32\tiuapqkl.exe 1100 "C:\Windows\SysWOW64\cqrqhxuz.exe"
        123⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\etsqotwf.exe
        
        C:\Windows\system32\etsqotwf.exe 1128 "C:\Windows\SysWOW64\tiuapqkl.exe"
        124⤵
        Identifies Wine through registry keys
        
        PID:1572
        
        C:\Windows\SysWOW64\yrilrqle.exe
        
        C:\Windows\system32\yrilrqle.exe 1096 "C:\Windows\SysWOW64\etsqotwf.exe"
        125⤵
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\nhrdxdwh.exe
        
        C:\Windows\system32\nhrdxdwh.exe 1116 "C:\Windows\SysWOW64\yrilrqle.exe"
        126⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cspibeip.exe
        
        C:\Windows\system32\cspibeip.exe 1124 "C:\Windows\SysWOW64\nhrdxdwh.exe"
        127⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\rbjbjiwu.exe
        
        C:\Windows\system32\rbjbjiwu.exe 1120 "C:\Windows\SysWOW64\cspibeip.exe"
        128⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\gnhoniic.exe
        
        C:\Windows\system32\gnhoniic.exe 1136 "C:\Windows\SysWOW64\rbjbjiwu.exe"
        129⤵
        Drops file in System32 directory
        
        PID:1224
        
        C:\Windows\SysWOW64\qeuwscas.exe
        
        C:\Windows\system32\qeuwscas.exe 1088 "C:\Windows\SysWOW64\gnhoniic.exe"
        130⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\mfejvflu.exe
        
        C:\Windows\system32\mfejvflu.exe 1152 "C:\Windows\SysWOW64\qeuwscas.exe"
        131⤵
        
        PID:812
        
        C:\Windows\SysWOW64\mynbpsvk.exe
        
        C:\Windows\system32\mynbpsvk.exe 1132 "C:\Windows\SysWOW64\mfejvflu.exe"
        132⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\ypjosmdi.exe
        
        C:\Windows\system32\ypjosmdi.exe 1156 "C:\Windows\SysWOW64\mynbpsvk.exe"
        133⤵
        Drops file in System32 directory
        
        PID:992
        
        C:\Windows\SysWOW64\vqbbwyps.exe
        
        C:\Windows\system32\vqbbwyps.exe 1160 "C:\Windows\SysWOW64\ypjosmdi.exe"
        134⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\famedqne.exe
        
        C:\Windows\system32\famedqne.exe 1148 "C:\Windows\SysWOW64\vqbbwyps.exe"
        135⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\xapccwqr.exe
        
        C:\Windows\system32\xapccwqr.exe 1192 "C:\Windows\SysWOW64\famedqne.exe"
        136⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\oszmkwgd.exe
        
        C:\Windows\system32\oszmkwgd.exe 1164 "C:\Windows\SysWOW64\xapccwqr.exe"
        137⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\owmeyakx.exe
        
        C:\Windows\system32\owmeyakx.exe 1168 "C:\Windows\SysWOW64\oszmkwgd.exe"
        138⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\iffmwcyr.exe
        
        C:\Windows\system32\iffmwcyr.exe 1176 "C:\Windows\SysWOW64\owmeyakx.exe"
        139⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\xrlshdkz.exe
        
        C:\Windows\system32\xrlshdkz.exe 1184 "C:\Windows\SysWOW64\iffmwcyr.exe"
        140⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\usvfdowi.exe
        
        C:\Windows\system32\usvfdowi.exe 1188 "C:\Windows\SysWOW64\xrlshdkz.exe"
        141⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\uhtkuwhx.exe
        
        C:\Windows\system32\uhtkuwhx.exe 1180 "C:\Windows\SysWOW64\usvfdowi.exe"
        142⤵
        Drops file in System32 directory
        
        PID:1956
        
        C:\Windows\SysWOW64\rxakvdmd.exe
        
        C:\Windows\system32\rxakvdmd.exe 1196 "C:\Windows\SysWOW64\uhtkuwhx.exe"
        143⤵
        Drops file in System32 directory
        
        PID:584
        
        C:\Windows\SysWOW64\ipcndwcq.exe
        
        C:\Windows\system32\ipcndwcq.exe 1200 "C:\Windows\SysWOW64\rxakvdmd.exe"
        144⤵
        Identifies Wine through registry keys
        
        PID:2604
        
        C:\Windows\SysWOW64\fqvazhoz.exe
        
        C:\Windows\system32\fqvazhoz.exe 1204 "C:\Windows\SysWOW64\ipcndwcq.exe"
        145⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\rwnizyfv.exe
        
        C:\Windows\system32\rwnizyfv.exe 1220 "C:\Windows\SysWOW64\fqvazhoz.exe"
        146⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\oxxvcbre.exe
        
        C:\Windows\system32\oxxvcbre.exe 1208 "C:\Windows\SysWOW64\rwnizyfv.exe"
        147⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\bgbifwyc.exe
        
        C:\Windows\system32\bgbifwyc.exe 1216 "C:\Windows\SysWOW64\oxxvcbre.exe"
        148⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\kgoyrhps.exe
        
        C:\Windows\system32\kgoyrhps.exe 1224 "C:\Windows\SysWOW64\bgbifwyc.exe"
        149⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\ivnykodz.exe
        
        C:\Windows\system32\ivnykodz.exe 1228 "C:\Windows\SysWOW64\kgoyrhps.exe"
        150⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\rcwgdism.exe
        
        C:\Windows\system32\rcwgdism.exe 1212 "C:\Windows\SysWOW64\ivnykodz.exe"
        151⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\lwbvdbaj.exe
        
        C:\Windows\system32\lwbvdbaj.exe 1240 "C:\Windows\SysWOW64\rcwgdism.exe"
        152⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\dlblhqrt.exe
        
        C:\Windows\system32\dlblhqrt.exe 1244 "C:\Windows\SysWOW64\lwbvdbaj.exe"
        153⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1996
        
        C:\Windows\SysWOW64\sxzqlydb.exe
        
        C:\Windows\system32\sxzqlydb.exe 1236 "C:\Windows\SysWOW64\dlblhqrt.exe"
        154⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\xcsywaij.exe
        
        C:\Windows\system32\xcsywaij.exe 1256 "C:\Windows\SysWOW64\sxzqlydb.exe"
        155⤵
        
        PID:628
        
        C:\Windows\SysWOW64\ybfoitza.exe
        
        C:\Windows\system32\ybfoitza.exe 1276 "C:\Windows\SysWOW64\xcsywaij.exe"
        156⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\qiflniqk.exe
        
        C:\Windows\system32\qiflniqk.exe 1232 "C:\Windows\SysWOW64\ybfoitza.exe"
        157⤵
        Identifies Wine through registry keys
        
        PID:1296
        
        C:\Windows\SysWOW64\ixewjjvc.exe
        
        C:\Windows\system32\ixewjjvc.exe 1248 "C:\Windows\SysWOW64\qiflniqk.exe"
        158⤵
        Drops file in System32 directory
        
        PID:1976
        
        C:\Windows\SysWOW64\uvxjsmqx.exe
        
        C:\Windows\system32\uvxjsmqx.exe 1252 "C:\Windows\SysWOW64\ixewjjvc.exe"
        159⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\jdjbsqvl.exe
        
        C:\Windows\system32\jdjbsqvl.exe 1268 "C:\Windows\SysWOW64\uvxjsmqx.exe"
        160⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\gebowuhm.exe
        
        C:\Windows\system32\gebowuhm.exe 1272 "C:\Windows\SysWOW64\jdjbsqvl.exe"
        161⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\qsdryjsa.exe
        
        C:\Windows\system32\qsdryjsa.exe 1300 "C:\Windows\SysWOW64\gebowuhm.exe"
        162⤵
        Identifies Wine through registry keys
        
        PID:592
        
        C:\Windows\SysWOW64\zzezqdpn.exe
        
        C:\Windows\system32\zzezqdpn.exe 1260 "C:\Windows\SysWOW64\qsdryjsa.exe"
        163⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\phzzrzct.exe
        
        C:\Windows\system32\phzzrzct.exe 1280 "C:\Windows\SysWOW64\zzezqdpn.exe"
        164⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\elwfuipb.exe
        
        C:\Windows\system32\elwfuipb.exe 1264 "C:\Windows\SysWOW64\phzzrzct.exe"
        165⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\qcasfcez.exe
        
        C:\Windows\system32\qcasfcez.exe 1288 "C:\Windows\SysWOW64\elwfuipb.exe"
        166⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\foyxjdqh.exe
        
        C:\Windows\system32\foyxjdqh.exe 1292 "C:\Windows\SysWOW64\qcasfcez.exe"
        167⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\rinxocfz.exe
        
        C:\Windows\system32\rinxocfz.exe 1284 "C:\Windows\SysWOW64\foyxjdqh.exe"
        168⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\rezcltns.exe
        
        C:\Windows\system32\rezcltns.exe 1296 "C:\Windows\SysWOW64\rinxocfz.exe"
        169⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\awmsxmfj.exe
        
        C:\Windows\system32\awmsxmfj.exe 1308 "C:\Windows\SysWOW64\rezcltns.exe"
        170⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\nbesxdne.exe
        
        C:\Windows\system32\nbesxdne.exe 1304 "C:\Windows\SysWOW64\awmsxmfj.exe"
        171⤵
        Drops file in System32 directory
        
        PID:2396
        
        C:\Windows\SysWOW64\cncxbdam.exe
        
        C:\Windows\system32\cncxbdam.exe 1316 "C:\Windows\SysWOW64\nbesxdne.exe"
        172⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\wxvfgfng.exe
        
        C:\Windows\system32\wxvfgfng.exe 1324 "C:\Windows\SysWOW64\cncxbdam.exe"
        173⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\jdlijddf.exe
        
        C:\Windows\system32\jdlijddf.exe 1320 "C:\Windows\SysWOW64\wxvfgfng.exe"
        174⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\fwevfgoo.exe
        
        C:\Windows\system32\fwevfgoo.exe 1332 "C:\Windows\SysWOW64\jdlijddf.exe"
        175⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\vfqogkcu.exe
        
        C:\Windows\system32\vfqogkcu.exe 1328 "C:\Windows\SysWOW64\fwevfgoo.exe"
        176⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\uxzgixml.exe
        
        C:\Windows\system32\uxzgixml.exe 1348 "C:\Windows\SysWOW64\vfqogkcu.exe"
        177⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\elbjkmwz.exe
        
        C:\Windows\system32\elbjkmwz.exe 1344 "C:\Windows\SysWOW64\uxzgixml.exe"
        178⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\waayoafj.exe
        
        C:\Windows\system32\waayoafj.exe 1352 "C:\Windows\SysWOW64\elbjkmwz.exe"
        179⤵
        Drops file in System32 directory
        
        PID:2660
        
        C:\Windows\SysWOW64\qrrlllez.exe
        
        C:\Windows\system32\qrrlllez.exe 1312 "C:\Windows\SysWOW64\waayoafj.exe"
        180⤵
        Identifies Wine through registry keys
        
        PID:1900
        
        C:\Windows\SysWOW64\mvnlkapd.exe
        
        C:\Windows\system32\mvnlkapd.exe 1340 "C:\Windows\SysWOW64\qrrlllez.exe"
        181⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\evyjjgby.exe
        
        C:\Windows\system32\evyjjgby.exe 1356 "C:\Windows\SysWOW64\mvnlkapd.exe"
        182⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\batbpntb.exe
        
        C:\Windows\system32\batbpntb.exe 1364 "C:\Windows\SysWOW64\evyjjgby.exe"
        183⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\sdimrfer.exe
        
        C:\Windows\system32\sdimrfer.exe 1336 "C:\Windows\SysWOW64\batbpntb.exe"
        184⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\njyhmdlq.exe
        
        C:\Windows\system32\njyhmdlq.exe 1376 "C:\Windows\SysWOW64\sdimrfer.exe"
        185⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\hedwmwtn.exe
        
        C:\Windows\system32\hedwmwtn.exe 1360 "C:\Windows\SysWOW64\njyhmdlq.exe"
        186⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\kocmesbl.exe
        
        C:\Windows\system32\kocmesbl.exe 1384 "C:\Windows\SysWOW64\hedwmwtn.exe"
        187⤵
        Identifies Wine through registry keys
        
        PID:2580
        
        C:\Windows\SysWOW64\owizulwf.exe
        
        C:\Windows\system32\owizulwf.exe 1368 "C:\Windows\SysWOW64\kocmesbl.exe"
        188⤵
        Identifies Wine through registry keys
        
        PID:1080
        
        C:\Windows\SysWOW64\igbhankg.exe
        
        C:\Windows\system32\igbhankg.exe 1396 "C:\Windows\SysWOW64\owizulwf.exe"
        189⤵
        
        PID:756
        
        C:\Windows\SysWOW64\pzjsioyl.exe
        
        C:\Windows\system32\pzjsioyl.exe 1372 "C:\Windows\SysWOW64\igbhankg.exe"
        190⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\pvvpffhw.exe
        
        C:\Windows\system32\pvvpffhw.exe 1392 "C:\Windows\SysWOW64\pzjsioyl.exe"
        191⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\gcvmktyo.exe
        
        C:\Windows\system32\gcvmktyo.exe 1400 "C:\Windows\SysWOW64\pvvpffhw.exe"
        192⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\daundadu.exe
        
        C:\Windows\system32\daundadu.exe 1412 "C:\Windows\SysWOW64\gcvmktyo.exe"
        193⤵
        Identifies Wine through registry keys
        
        PID:1120
        
        C:\Windows\SysWOW64\hujnqzzv.exe
        
        C:\Windows\system32\hujnqzzv.exe 1380 "C:\Windows\SysWOW64\daundadu.exe"
        194⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\keakjvzt.exe
        
        C:\Windows\system32\keakjvzt.exe 1404 "C:\Windows\SysWOW64\hujnqzzv.exe"
        195⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\wzpkovvm.exe
        
        C:\Windows\system32\wzpkovvm.exe 1388 "C:\Windows\SysWOW64\keakjvzt.exe"
        196⤵
        Identifies Wine through registry keys
        
        PID:2108
        
        C:\Windows\SysWOW64\tdmqgklp.exe
        
        C:\Windows\system32\tdmqgklp.exe 1408 "C:\Windows\SysWOW64\wzpkovvm.exe"
        197⤵
        Identifies Wine through registry keys
        
        PID:1764
        
        C:\Windows\SysWOW64\cgksoaba.exe
        
        C:\Windows\system32\cgksoaba.exe 1416 "C:\Windows\SysWOW64\tdmqgklp.exe"
        198⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\unkisokk.exe
        
        C:\Windows\system32\unkisokk.exe 1420 "C:\Windows\SysWOW64\cgksoaba.exe"
        199⤵
        Identifies Wine through registry keys
        
        PID:3056
        
        C:\Windows\SysWOW64\pedlpdum.exe
        
        C:\Windows\system32\pedlpdum.exe 1428 "C:\Windows\SysWOW64\unkisokk.exe"
        200⤵
        Identifies Wine through registry keys
        
        PID:636
        
        C:\Windows\SysWOW64\jrigqjhi.exe
        
        C:\Windows\system32\jrigqjhi.exe 1432 "C:\Windows\SysWOW64\pedlpdum.exe"
        201⤵
        Drops file in System32 directory
        
        PID:2476
        
        C:\Windows\SysWOW64\dyybthwi.exe
        
        C:\Windows\system32\dyybthwi.exe 1424 "C:\Windows\SysWOW64\jrigqjhi.exe"
        202⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\akuorbcm.exe
        
        C:\Windows\system32\akuorbcm.exe 1440 "C:\Windows\SysWOW64\dyybthwi.exe"
        203⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\knsqyzsf.exe
        
        C:\Windows\system32\knsqyzsf.exe 1436 "C:\Windows\SysWOW64\akuorbcm.exe"
        204⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\eljlbphw.exe
        
        C:\Windows\system32\eljlbphw.exe 1448 "C:\Windows\SysWOW64\knsqyzsf.exe"
        205⤵
        Drops file in System32 directory
        
        PID:2456
        
        C:\Windows\SysWOW64\vsajglqo.exe
        
        C:\Windows\system32\vsajglqo.exe 1456 "C:\Windows\SysWOW64\eljlbphw.exe"
        206⤵
        Drops file in System32 directory
        
        PID:1396
        
        C:\Windows\SysWOW64\vhyoxtbd.exe
        
        C:\Windows\system32\vhyoxtbd.exe 1452 "C:\Windows\SysWOW64\vsajglqo.exe"
        207⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\fvzrgamr.exe
        
        C:\Windows\system32\fvzrgamr.exe 1444 "C:\Windows\SysWOW64\vhyoxtbd.exe"
        208⤵
        Drops file in System32 directory
        
        PID:2616
        
        C:\Windows\SysWOW64\rpormzar.exe
        
        C:\Windows\system32\rpormzar.exe 1464 "C:\Windows\SysWOW64\fvzrgamr.exe"
        209⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\oqzeilma.exe
        
        C:\Windows\system32\oqzeilma.exe 1472 "C:\Windows\SysWOW64\rpormzar.exe"
        210⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\omlbncdl.exe
        
        C:\Windows\system32\omlbncdl.exe 1460 "C:\Windows\SysWOW64\oqzeilma.exe"
        211⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\druplbkx.exe
        
        C:\Windows\system32\druplbkx.exe 1476 "C:\Windows\SysWOW64\omlbncdl.exe"
        212⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\khdzrgvz.exe
        
        C:\Windows\system32\khdzrgvz.exe 1484 "C:\Windows\SysWOW64\druplbkx.exe"
        213⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\oexzedry.exe
        
        C:\Windows\system32\oexzedry.exe 1480 "C:\Windows\SysWOW64\khdzrgvz.exe"
        214⤵
        Identifies Wine through registry keys
        
        PID:1596
        
        C:\Windows\SysWOW64\dboslica.exe
        
        C:\Windows\system32\dboslica.exe 1496 "C:\Windows\SysWOW64\oexzedry.exe"
        215⤵
        Identifies Wine through registry keys
        
        PID:2020
        
        C:\Windows\SysWOW64\neehrsou.exe
        
        C:\Windows\system32\neehrsou.exe 1500 "C:\Windows\SysWOW64\dboslica.exe"
        216⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\ikvcmqdl.exe
        
        C:\Windows\system32\ikvcmqdl.exe 1536 "C:\Windows\SysWOW64\neehrsou.exe"
        217⤵
        Identifies Wine through registry keys
        
        PID:2852
        
        C:\Windows\SysWOW64\waeutvow.exe
        
        C:\Windows\system32\waeutvow.exe 1492 "C:\Windows\SysWOW64\ikvcmqdl.exe"
        218⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\wptaslzk.exe
        
        C:\Windows\system32\wptaslzk.exe 1488 "C:\Windows\SysWOW64\waeutvow.exe"
        219⤵
        Identifies Wine through registry keys
        
        PID:2560
        
        C:\Windows\SysWOW64\bbnidnes.exe
        
        C:\Windows\system32\bbnidnes.exe 1508 "C:\Windows\SysWOW64\wptaslzk.exe"
        220⤵
        Drops file in System32 directory
        
        PID:436
        
        C:\Windows\SysWOW64\ygqakcxw.exe
        
        C:\Windows\system32\ygqakcxw.exe 1520 "C:\Windows\SysWOW64\bbnidnes.exe"
        221⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\iqhyjfbq.exe
        
        C:\Windows\system32\iqhyjfbq.exe 1468 "C:\Windows\SysWOW64\ygqakcxw.exe"
        222⤵
        Identifies Wine through registry keys
        
        PID:2820
        
        C:\Windows\SysWOW64\celkrlvm.exe
        
        C:\Windows\system32\celkrlvm.exe 1524 "C:\Windows\SysWOW64\iqhyjfbq.exe"
        223⤵
        
        PID:932
        
        C:\Windows\SysWOW64\zqhgpobq.exe
        
        C:\Windows\system32\zqhgpobq.exe 1512 "C:\Windows\SysWOW64\celkrlvm.exe"
        224⤵
        Drops file in System32 directory
        
        PID:2728
        
        C:\Windows\SysWOW64\yiqqjblh.exe
        
        C:\Windows\system32\yiqqjblh.exe 1516 "C:\Windows\SysWOW64\zqhgpobq.exe"
        225⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1280
        
        C:\Windows\SysWOW64\vjadfexq.exe
        
        C:\Windows\system32\vjadfexq.exe 1528 "C:\Windows\SysWOW64\yiqqjblh.exe"
        226⤵
        
        PID:960
        
        C:\Windows\SysWOW64\nqaakaoa.exe
        
        C:\Windows\system32\nqaakaoa.exe 1540 "C:\Windows\SysWOW64\vjadfexq.exe"
        227⤵
        Identifies Wine through registry keys
        
        PID:2936
        
        C:\Windows\SysWOW64\ftolmkzq.exe
        
        C:\Windows\system32\ftolmkzq.exe 1504 "C:\Windows\SysWOW64\nqaakaoa.exe"
        228⤵
        Drops file in System32 directory
        
        PID:1812
        
        C:\Windows\SysWOW64\winbqyih.exe
        
        C:\Windows\system32\winbqyih.exe 1544 "C:\Windows\SysWOW64\ftolmkzq.exe"
        229⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\lutguhup.exe
        
        C:\Windows\system32\lutguhup.exe 1532 "C:\Windows\SysWOW64\winbqyih.exe"
        230⤵
        Identifies Wine through registry keys
        
        PID:948
        
        C:\Windows\SysWOW64\qrnghdqg.exe
        
        C:\Windows\system32\qrnghdqg.exe 1548 "C:\Windows\SysWOW64\lutguhup.exe"
        231⤵
        Identifies Wine through registry keys
        
        PID:2800
        
        C:\Windows\SysWOW64\irregjub.exe
        
        C:\Windows\system32\irregjub.exe 1556 "C:\Windows\SysWOW64\qrnghdqg.exe"
        232⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\zzoogejp.exe
        
        C:\Windows\system32\zzoogejp.exe 1560 "C:\Windows\SysWOW64\irregjub.exe"
        233⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\gkwzofxt.exe
        
        C:\Windows\system32\gkwzofxt.exe 1564 "C:\Windows\SysWOW64\zzoogejp.exe"
        234⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\vzfrvkqv.exe
        
        C:\Windows\system32\vzfrvkqv.exe 1568 "C:\Windows\SysWOW64\gkwzofxt.exe"
        235⤵
        
        PID:544
        
        C:\Windows\SysWOW64\zfzrihfu.exe
        
        C:\Windows\system32\zfzrihfu.exe 1552 "C:\Windows\SysWOW64\vzfrvkqv.exe"
        236⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\rinukrpk.exe
        
        C:\Windows\system32\rinukrpk.exe 1576 "C:\Windows\SysWOW64\zfzrihfu.exe"
        237⤵
        Identifies Wine through registry keys
        
        PID:2072
        
        C:\Windows\SysWOW64\ojfhocbt.exe
        
        C:\Windows\system32\ojfhocbt.exe 1584 "C:\Windows\SysWOW64\rinukrpk.exe"
        238⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\ipwkjzqs.exe
        
        C:\Windows\system32\ipwkjzqs.exe 1580 "C:\Windows\SysWOW64\ojfhocbt.exe"
        239⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\awvznozc.exe
        
        C:\Windows\system32\awvznozc.exe 1592 "C:\Windows\SysWOW64\ipwkjzqs.exe"
        240⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\zllfmwkr.exe
        
        C:\Windows\system32\zllfmwkr.exe 1600 "C:\Windows\SysWOW64\awvznozc.exe"
        241⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\glhptgwa.exe
        
        C:\Windows\system32\glhptgwa.exe 1572 "C:\Windows\SysWOW64\zllfmwkr.exe"
        242⤵
        Identifies Wine through registry keys
        
        PID:2948
        
        C:\Windows\SysWOW64\bgmftzex.exe
        
        C:\Windows\system32\bgmftzex.exe 1604 "C:\Windows\SysWOW64\glhptgwa.exe"
        243⤵
        
        PID:760
        
        C:\Windows\SysWOW64\qvvpzexz.exe
        
        C:\Windows\system32\qvvpzexz.exe 1612 "C:\Windows\SysWOW64\bgmftzex.exe"
        244⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\kyifzxfe.exe
        
        C:\Windows\system32\kyifzxfe.exe 1608 "C:\Windows\SysWOW64\qvvpzexz.exe"
        245⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\xhescsvc.exe
        
        C:\Windows\system32\xhescsvc.exe 1616 "C:\Windows\SysWOW64\kyifzxfe.exe"
        246⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\uiwfgdhd.exe
        
        C:\Windows\system32\uiwfgdhd.exe 1596 "C:\Windows\SysWOW64\xhescsvc.exe"
        247⤵
        
        PID:888
        
        C:\Windows\SysWOW64\ixfxmisn.exe
        
        C:\Windows\system32\ixfxmisn.exe 1588 "C:\Windows\SysWOW64\uiwfgdhd.exe"
        248⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\quqvxomu.exe
        
        C:\Windows\system32\quqvxomu.exe 1632 "C:\Windows\SysWOW64\ixfxmisn.exe"
        249⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\pmrnrbwd.exe
        
        C:\Windows\system32\pmrnrbwd.exe 1620 "C:\Windows\SysWOW64\quqvxomu.exe"
        250⤵
        
        PID:368
        
        C:\Windows\SysWOW64\pfaglngu.exe
        
        C:\Windows\system32\pfaglngu.exe 1624 "C:\Windows\SysWOW64\pmrnrbwd.exe"
        251⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\wnnyglim.exe
        
        C:\Windows\system32\wnnyglim.exe 1628 "C:\Windows\SysWOW64\pfaglngu.exe"
        252⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\berligxk.exe
        
        C:\Windows\system32\berligxk.exe 1652 "C:\Windows\SysWOW64\wnnyglim.exe"
        253⤵
        
        PID:816
        
        C:\Windows\SysWOW64\vcholdmj.exe
        
        C:\Windows\system32\vcholdmj.exe 1640 "C:\Windows\SysWOW64\berligxk.exe"
        254⤵
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\plavjxad.exe
        
        C:\Windows\system32\plavjxad.exe 1648 "C:\Windows\SysWOW64\vcholdmj.exe"
        255⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\hpxglpks.exe
        
        C:\Windows\system32\hpxglpks.exe 1660 "C:\Windows\SysWOW64\plavjxad.exe"
        256⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\dqhtoswc.exe
        
        C:\Windows\system32\dqhtoswc.exe 1656 "C:\Windows\SysWOW64\hpxglpks.exe"
        257⤵
        
        PID:292
        
        C:\Windows\SysWOW64\ylmbgley.exe
        
        C:\Windows\system32\ylmbgley.exe 1644 "C:\Windows\SysWOW64\dqhtoswc.exe"
        258⤵
        
        PID:700
        
        C:\Windows\SysWOW64\xpyylcnk.exe
        
        C:\Windows\system32\xpyylcnk.exe 1664 "C:\Windows\SysWOW64\ylmbgley.exe"
        259⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\xwwedtyg.exe
        
        C:\Windows\system32\xwwedtyg.exe 1636 "C:\Windows\SysWOW64\xpyylcnk.exe"
        260⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1064
        
        C:\Windows\SysWOW64\utdewsdn.exe
        
        C:\Windows\system32\utdewsdn.exe 1672 "C:\Windows\SysWOW64\xwwedtyg.exe"
        261⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\gojmjrrf.exe
        
        C:\Windows\system32\gojmjrrf.exe 1668 "C:\Windows\SysWOW64\utdewsdn.exe"
        262⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\vaprnzmn.exe
        
        C:\Windows\system32\vaprnzmn.exe 1680 "C:\Windows\SysWOW64\gojmjrrf.exe"
        263⤵
        
        PID:912
        
        C:\Windows\SysWOW64\tporgyru.exe
        
        C:\Windows\system32\tporgyru.exe 1684 "C:\Windows\SysWOW64\vaprnzmn.exe"
        264⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\qnvrhfeb.exe
        
        C:\Windows\system32\qnvrhfeb.exe 1688 "C:\Windows\SysWOW64\tporgyru.exe"
        265⤵
        Identifies Wine through registry keys
        
        PID:1360
        
        C:\Windows\SysWOW64\egppqowg.exe
        
        C:\Windows\system32\egppqowg.exe 1692 "C:\Windows\SysWOW64\qnvrhfeb.exe"
        266⤵
        Identifies Wine through registry keys
        
        PID:1988
        
        C:\Windows\SysWOW64\tojprtbl.exe
        
        C:\Windows\system32\tojprtbl.exe 1704 "C:\Windows\SysWOW64\egppqowg.exe"
        267⤵
        Identifies Wine through registry keys
        
        PID:2872
        
        C:\Windows\SysWOW64\giqpwsxm.exe
        
        C:\Windows\system32\giqpwsxm.exe 1696 "C:\Windows\SysWOW64\tojprtbl.exe"
        268⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2216
        
        C:\Windows\SysWOW64\xmfaycib.exe
        
        C:\Windows\system32\xmfaycib.exe 1708 "C:\Windows\SysWOW64\giqpwsxm.exe"
        269⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\mboseotd.exe
        
        C:\Windows\system32\mboseotd.exe 1700 "C:\Windows\SysWOW64\xmfaycib.exe"
        270⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\mqlpexes.exe
        
        C:\Windows\system32\mqlpexes.exe 1724 "C:\Windows\SysWOW64\mboseotd.exe"
        271⤵
        Identifies Wine through registry keys
        
        PID:556
        
        C:\Windows\SysWOW64\wiyfiini.exe
        
        C:\Windows\system32\wiyfiini.exe 1712 "C:\Windows\SysWOW64\mqlpexes.exe"
        272⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\noydnwea.exe
        
        C:\Windows\system32\noydnwea.exe 1732 "C:\Windows\SysWOW64\wiyfiini.exe"
        273⤵
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\uaviqfqa.exe
        
        C:\Windows\system32\uaviqfqa.exe 1716 "C:\Windows\SysWOW64\noydnwea.exe"
        274⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\rurvpixm.exe
        
        C:\Windows\system32\rurvpixm.exe 1728 "C:\Windows\SysWOW64\uaviqfqa.exe"
        275⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\jbrstwow.exe
        
        C:\Windows\system32\jbrstwow.exe 1720 "C:\Windows\SysWOW64\rurvpixm.exe"
        276⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\vzjfbzjz.exe
        
        C:\Windows\system32\vzjfbzjz.exe 1744 "C:\Windows\SysWOW64\jbrstwow.exe"
        277⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\nzudafmm.exe
        
        C:\Windows\system32\nzudafmm.exe 1676 "C:\Windows\SysWOW64\vzjfbzjz.exe"
        278⤵
        
        PID:580
        
        C:\Windows\SysWOW64\pmxgvfbn.exe
        
        C:\Windows\system32\pmxgvfbn.exe 1748 "C:\Windows\SysWOW64\nzudafmm.exe"
        279⤵
        Drops file in System32 directory
        
        PID:472
        
        C:\Windows\SysWOW64\evjywjgs.exe
        
        C:\Windows\system32\evjywjgs.exe 1740 "C:\Windows\SysWOW64\pmxgvfbn.exe"
        280⤵
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\bzmydrzw.exe
        
        C:\Windows\system32\bzmydrzw.exe 1760 "C:\Windows\SysWOW64\evjywjgs.exe"
        281⤵
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\lzrohcjm.exe
        
        C:\Windows\system32\lzrohcjm.exe 1752 "C:\Windows\SysWOW64\bzmydrzw.exe"
        282⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\fqtjfrsh.exe
        
        C:\Windows\system32\fqtjfrsh.exe 1736 "C:\Windows\SysWOW64\lzrohcjm.exe"
        283⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2732
        
        C:\Windows\SysWOW64\zsnrctgj.exe
        
        C:\Windows\system32\zsnrctgj.exe 1764 "C:\Windows\SysWOW64\fqtjfrsh.exe"
        284⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\mmczqsub.exe
        
        C:\Windows\system32\mmczqsub.exe 1768 "C:\Windows\SysWOW64\zsnrctgj.exe"
        285⤵
        Identifies Wine through registry keys
        
        PID:2372
        
        C:\Windows\SysWOW64\jyxmgvao.exe
        
        C:\Windows\system32\jyxmgvao.exe 1756 "C:\Windows\SysWOW64\mmczqsub.exe"
        286⤵
        Identifies Wine through registry keys
        
        PID:2968
        
        C:\Windows\SysWOW64\gltmndtr.exe
        
        C:\Windows\system32\gltmndtr.exe 1776 "C:\Windows\SysWOW64\jyxmgvao.exe"
        287⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\lmbhdizx.exe
        
        C:\Windows\system32\lmbhdizx.exe 1772 "C:\Windows\SysWOW64\gltmndtr.exe"
        288⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2812
        
        C:\Windows\SysWOW64\flrbyggw.exe
        
        C:\Windows\system32\flrbyggw.exe 1784 "C:\Windows\SysWOW64\lmbhdizx.exe"
        289⤵
        Identifies Wine through registry keys
        
        PID:1560
        
        C:\Windows\SysWOW64\kxljrplf.exe
        
        C:\Windows\system32\kxljrplf.exe 1796 "C:\Windows\SysWOW64\flrbyggw.exe"
        290⤵
        Drops file in System32 directory
        
        PID:1884
        
        C:\Windows\SysWOW64\ehmrxjzy.exe
        
        C:\Windows\system32\ehmrxjzy.exe 1800 "C:\Windows\SysWOW64\kxljrplf.exe"
        291⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\gnscmbic.exe
        
        C:\Windows\system32\gnscmbic.exe 1868 "C:\Windows\SysWOW64\ehmrxjzy.exe"
        292⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\nrardpag.exe
        
        C:\Windows\system32\nrardpag.exe 1804 "C:\Windows\SysWOW64\gnscmbic.exe"
        293⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\pmdcyqpg.exe
        
        C:\Windows\system32\pmdcyqpg.exe 1780 "C:\Windows\SysWOW64\nrardpag.exe"
        294⤵
        
        PID:780
        
        C:\Windows\SysWOW64\hbszpysv.exe
        
        C:\Windows\system32\hbszpysv.exe 1812 "C:\Windows\SysWOW64\pmdcyqpg.exe"
        295⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\gxnfmpig.exe
        
        C:\Windows\system32\gxnfmpig.exe 1792 "C:\Windows\SysWOW64\hbszpysv.exe"
        296⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\qmohwetu.exe
        
        C:\Windows\system32\qmohwetu.exe 1808 "C:\Windows\SysWOW64\gxnfmpig.exe"
        297⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\tzrkrwav.exe
        
        C:\Windows\system32\tzrkrwav.exe 1816 "C:\Windows\SysWOW64\qmohwetu.exe"
        298⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\pabxnime.exe
        
        C:\Windows\system32\pabxnime.exe 1820 "C:\Windows\SysWOW64\tzrkrwav.exe"
        299⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\myixopzl.exe
        
        C:\Windows\system32\myixopzl.exe 1828 "C:\Windows\SysWOW64\pabxnime.exe"
        300⤵
        Identifies Wine through registry keys
        
        PID:588
        
        C:\Windows\SysWOW64\bjgdrplt.exe
        
        C:\Windows\system32\bjgdrplt.exe 1832 "C:\Windows\SysWOW64\myixopzl.exe"
        301⤵
        Identifies Wine through registry keys
        
        PID:2908
        
        C:\Windows\SysWOW64\gloxavrz.exe
        
        C:\Windows\system32\gloxavrz.exe 1852 "C:\Windows\SysWOW64\bjgdrplt.exe"
        302⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\nwwvrbjc.exe
        
        C:\Windows\system32\nwwvrbjc.exe 1912 "C:\Windows\SysWOW64\gloxavrz.exe"
        303⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\npxftwtt.exe
        
        C:\Windows\system32\npxftwtt.exe 1824 "C:\Windows\SysWOW64\nwwvrbjc.exe"
        304⤵
        Identifies Wine through registry keys
        
        PID:988
        
        C:\Windows\SysWOW64\igyiilvn.exe
        
        C:\Windows\system32\igyiilvn.exe 1840 "C:\Windows\SysWOW64\npxftwtt.exe"
        305⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\eluipsnz.exe
        
        C:\Windows\system32\eluipsnz.exe 1788 "C:\Windows\SysWOW64\igyiilvn.exe"
        306⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\yjkdjquq.exe
        
        C:\Windows\system32\yjkdjquq.exe 1856 "C:\Windows\SysWOW64\eluipsnz.exe"
        307⤵
        Identifies Wine through registry keys
        
        PID:2140
        
        C:\Windows\SysWOW64\yblvlceh.exe
        
        C:\Windows\system32\yblvlceh.exe 1844 "C:\Windows\SysWOW64\yjkdjquq.exe"
        308⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\qnhyfuwx.exe
        
        C:\Windows\system32\qnhyfuwx.exe 1848 "C:\Windows\SysWOW64\yblvlceh.exe"
        309⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\quxdedat.exe
        
        C:\Windows\system32\quxdedat.exe 1864 "C:\Windows\SysWOW64\qnhyfuwx.exe"
        310⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\fgcjilmt.exe
        
        C:\Windows\system32\fgcjilmt.exe 1860 "C:\Windows\SysWOW64\quxdedat.exe"
        311⤵
        Identifies Wine through registry keys
        
        PID:2472
        
        C:\Windows\SysWOW64\jwzderxe.exe
        
        C:\Windows\system32\jwzderxe.exe 1836 "C:\Windows\SysWOW64\fgcjilmt.exe"
        312⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\blzbjfon.exe
        
        C:\Windows\system32\blzbjfon.exe 1880 "C:\Windows\SysWOW64\jwzderxe.exe"
        313⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\dyceegvo.exe
        
        C:\Windows\system32\dyceegvo.exe 1872 "C:\Windows\SysWOW64\blzbjfon.exe"
        314⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\sgwwfkiu.exe
        
        C:\Windows\system32\sgwwfkiu.exe 1884 "C:\Windows\SysWOW64\dyceegvo.exe"
        315⤵
        
        PID:788
        
        C:\Windows\SysWOW64\rcitbbrn.exe
        
        C:\Windows\system32\rcitbbrn.exe 1896 "C:\Windows\SysWOW64\sgwwfkiu.exe"
        316⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\bgwedlbc.exe
        
        C:\Windows\system32\bgwedlbc.exe 1888 "C:\Windows\SysWOW64\rcitbbrn.exe"
        317⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\jgvekzfq.exe
        
        C:\Windows\system32\jgvekzfq.exe 1876 "C:\Windows\SysWOW64\bgwedlbc.exe"
        318⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\qkdcbgyt.exe
        
        C:\Windows\system32\qkdcbgyt.exe 1892 "C:\Windows\SysWOW64\jgvekzfq.exe"
        319⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\suurtcfr.exe
        
        C:\Windows\system32\suurtcfr.exe 1904 "C:\Windows\SysWOW64\qkdcbgyt.exe"
        320⤵
        
        PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\tvaqzotx.exe

Filesize
543KB

MD5
78b78e9175fb2a243a10a997a51364a2

SHA1
deea5768764131cb646f5556d42a13c1c381d363

SHA256
56c0ee2213fb12c706590c31b5c405856a292e3ca7d7ef69c0d10ea166e0366e

SHA512
20a33092a4a09afba1b8dbe5a97654e8a3f9d5c8ecfb21b8fd0ab24ad1b7559d30842bf0aaeea74bbb92bcaf1ea8a137a843233534eac9990aab464ef7e3aad6

Download Submit
memory/284-71-0x0000000004200000-0x0000000004202000-memory.dmp

Filesize
8KB

Download
memory/284-87-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/284-81-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/284-86-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/284-83-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/284-85-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/284-84-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/284-69-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/364-1059-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/524-379-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/652-596-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/792-575-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/880-815-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1076-400-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1152-617-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1332-1075-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1368-661-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1548-423-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1640-267-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1680-446-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1748-96-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/1748-100-0x0000000004020000-0x0000000004021000-memory.dmp

Filesize
4KB

Download
memory/1748-113-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1748-94-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download
memory/1748-95-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/1748-98-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/1748-99-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/1748-88-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1748-101-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/1748-102-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/1748-103-0x0000000004030000-0x0000000004031000-memory.dmp

Filesize
4KB

Download
memory/1748-97-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/1748-93-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/1748-89-0x0000000004200000-0x0000000004202000-memory.dmp

Filesize
8KB

Download
memory/2012-1173-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2184-871-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2192-639-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2252-934-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2316-112-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2316-136-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2316-120-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2316-121-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download
memory/2316-119-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2316-118-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2316-114-0x0000000004210000-0x0000000004212000-memory.dmp

Filesize
8KB

Download
memory/2328-1068-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2404-332-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2480-746-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2504-1038-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2512-1089-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2572-1132-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2588-60-0x0000000004180000-0x0000000004181000-memory.dmp

Filesize
4KB

Download
memory/2588-44-0x0000000004200000-0x0000000004202000-memory.dmp

Filesize
8KB

Download
memory/2588-55-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/2588-50-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2588-57-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/2588-58-0x0000000003FE0000-0x0000000003FE1000-memory.dmp

Filesize
4KB

Download
memory/2588-56-0x0000000003FB0000-0x0000000003FB1000-memory.dmp

Filesize
4KB

Download
memory/2588-48-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2588-53-0x0000000003FC0000-0x0000000003FC1000-memory.dmp

Filesize
4KB

Download
memory/2588-54-0x0000000003F90000-0x0000000003F91000-memory.dmp

Filesize
4KB

Download
memory/2588-43-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2588-49-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/2588-52-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/2588-51-0x0000000003FA0000-0x0000000003FA1000-memory.dmp

Filesize
4KB

Download
memory/2588-59-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2588-70-0x0000000004860000-0x0000000004A38000-memory.dmp

Filesize
1.8MB

Download
memory/2640-828-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2648-1082-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2684-354-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2692-26-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2692-40-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/2692-38-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2692-28-0x0000000004210000-0x0000000004212000-memory.dmp

Filesize
8KB

Download
memory/2692-42-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2692-110-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/2748-682-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2756-214-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2764-975-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2824-1235-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2868-703-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2960-555-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/2980-343-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/3008-763-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/3024-534-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/3064-17-0x0000000004170000-0x0000000004171000-memory.dmp

Filesize
4KB

Download
memory/3064-2-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/3064-12-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/3064-4-0x00000000041C0000-0x00000000041C1000-memory.dmp

Filesize
4KB

Download
memory/3064-0-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/3064-3-0x0000000004140000-0x0000000004141000-memory.dmp

Filesize
4KB

Download
memory/3064-13-0x0000000004120000-0x0000000004121000-memory.dmp

Filesize
4KB

Download
memory/3064-11-0x0000000004110000-0x0000000004111000-memory.dmp

Filesize
4KB

Download
memory/3064-19-0x0000000004840000-0x0000000004A18000-memory.dmp

Filesize
1.8MB

Download
memory/3064-10-0x00000000040F0000-0x00000000040F1000-memory.dmp

Filesize
4KB

Download
memory/3064-9-0x0000000004160000-0x0000000004161000-memory.dmp

Filesize
4KB

Download
memory/3064-1-0x0000000004210000-0x0000000004212000-memory.dmp

Filesize
8KB

Download
memory/3064-27-0x0000000000400000-0x00000000005D8000-memory.dmp

Filesize
1.8MB

Download
memory/3064-8-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/3064-7-0x0000000004100000-0x0000000004101000-memory.dmp

Filesize
4KB

Download
memory/3064-6-0x00000000041E0000-0x00000000041E1000-memory.dmp

Filesize
4KB

Download
memory/3064-5-0x00000000040E0000-0x00000000040E1000-memory.dmp

Filesize
4KB

Download