08c6abfb2bb8814fa487937e9ea7900fe5469dd8557b2f057b6e5bc2a9c5d626

Analysis

max time kernel
150s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81cc11a664618647600e1680dd772a57_JaffaCakes118.exe
Size

498KB
MD5

81cc11a664618647600e1680dd772a57
SHA1

b964473a5b3afb316242ea11e26391783da6c6ba
SHA256

08c6abfb2bb8814fa487937e9ea7900fe5469dd8557b2f057b6e5bc2a9c5d626
SHA512

464117c4496d0600c73bd9474be05a7a7aa763e903f4c95186bd9a7386c97749d79b45bae9d904e6455aec4d696688ec5c4811506940ebe92499f528dafcfc91
SSDEEP

12288:Og1ielsvSZi6tQPAZtM3zqQx1y05/Kwj7pyVRBFdLXBasI:OC3qvcXtQJNxg6FaRXdLX

Score

7^/10

discovery evasion

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2440	btmttb.exe
2704	zaeltb.exe
2616	nfdbyw.exe
2956	hwdhpt.exe
2108	tmfrlr.exe
776	kqumho.exe
2348	btohib.exe
2504	aamxbw.exe
2444	zloiqd.exe
2808	yijxgh.exe
2936	dypyou.exe
2692	parqoj.exe
1296	rgvlle.exe
1100	ctldkq.exe
928	kqwbwn.exe
1544	husgod.exe
2712	ldyled.exe
2732	ztqwed.exe
1680	euyrvi.exe
1944	gephnw.exe
2304	drthmm.exe
2436	isbccr.exe
876	cqrwfp.exe
368	iaarvm.exe
2864	metzgw.exe
2256	pawccw.exe
2200	wegpth.exe
2840	bjsxmr.exe
1964	gwlfft.exe
1656	vhrkjb.exe
1096	ulqhai.exe
1740	vzcupv.exe
1532	yjushr.exe
2788	xyrpzh.exe
2904	xudvvy.exe
2556	ecafki.exe
2696	qeeloq.exe
3004	ihsvqa.exe
1792	cnjqlx.exe
3016	horlbc.exe
612	weadih.exe
1500	tbhdjo.exe
1620	suiwdb.exe
952	clvdhm.exe
2856	upjojw.exe
112	ovzrmu.exe
1916	spprlm.exe
2448	ngjuib.exe
1520	czdrrk.exe
924	hmwzku.exe
1708	qpljee.exe
2288	ytvwwx.exe
2328	agyzrp.exe
2624	xhimmb.exe
2608	fihmbh.exe
2016	hsgctd.exe
1252	gawmth.exe
2104	gsffvt.exe
1568	nwpkee.exe
1604	qksmzf.exe
2672	uwdutp.exe
1588	fwpsdn.exe
2012	ktmirg.exe
1912	pggqkq.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	hgltkg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	hmkril.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	drthmm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	rbmojl.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	mlyazi.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	hndjbx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	gwlfft.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	bfrruy.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	gldpxy.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	ffhftu.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	mdjlnx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	vhrkjb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	puhzsv.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	qkrusi.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	qxvvwa.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	bbasdi.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	yzzyuk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	upjojw.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	wfxgoc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	myexkh.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	ahvkbn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	yijxgh.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	dcckbs.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	thuvgg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	81cc11a664618647600e1680dd772a57_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	ecjvns.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	vxgned.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	ktzeby.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	tbhdjo.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	czdrrk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	sfbfux.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	tmwaop.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	rflmzx.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	dhdqwg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	zlrmti.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	bvvgvd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	ejgdjf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	nvanoj.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	htiicc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	rordcg.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	wuwbzr.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	frnlpo.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	evvigc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	btohib.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	uwfppk.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	ywfdow.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	wawbwn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	wlzbap.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	agyzrp.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	rlnblz.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	guqrkr.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	bprnev.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	runwuv.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	vkaxcf.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	uhdvrm.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	paryal.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	gcqntn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	frqzqn.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	kmkgcb.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	klhias.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	vanqbd.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	evvbgy.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	horlbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Wine	pggqkq.exe

Loads dropped DLL 64 IoCs

pid	Process
2548	81cc11a664618647600e1680dd772a57_JaffaCakes118.exe
2548	81cc11a664618647600e1680dd772a57_JaffaCakes118.exe
2440	btmttb.exe
2440	btmttb.exe
2704	zaeltb.exe
2704	zaeltb.exe
2616	nfdbyw.exe
2616	nfdbyw.exe
2956	hwdhpt.exe
2956	hwdhpt.exe
2108	tmfrlr.exe
2108	tmfrlr.exe
776	kqumho.exe
776	kqumho.exe
2348	btohib.exe
2348	btohib.exe
2504	aamxbw.exe
2504	aamxbw.exe
2444	zloiqd.exe
2444	zloiqd.exe
2808	yijxgh.exe
2808	yijxgh.exe
2936	dypyou.exe
2936	dypyou.exe
2692	parqoj.exe
2692	parqoj.exe
1296	rgvlle.exe
1296	rgvlle.exe
1100	ctldkq.exe
1100	ctldkq.exe
928	kqwbwn.exe
928	kqwbwn.exe
1544	husgod.exe
1544	husgod.exe
2712	ldyled.exe
2712	ldyled.exe
2732	ztqwed.exe
2732	ztqwed.exe
1680	euyrvi.exe
1680	euyrvi.exe
1944	gephnw.exe
1944	gephnw.exe
2304	drthmm.exe
2304	drthmm.exe
2436	isbccr.exe
2436	isbccr.exe
876	cqrwfp.exe
876	cqrwfp.exe
368	iaarvm.exe
368	iaarvm.exe
2864	metzgw.exe
2864	metzgw.exe
2256	pawccw.exe
2256	pawccw.exe
2200	wegpth.exe
2200	wegpth.exe
2840	bjsxmr.exe
2840	bjsxmr.exe
1964	gwlfft.exe
1964	gwlfft.exe
1656	vhrkjb.exe
1656	vhrkjb.exe
1096	ulqhai.exe
1096	ulqhai.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ehrdqq.exe	zxaiil.exe
File created	C:\Windows\SysWOW64\moedkg.exe	ehrdqq.exe
File opened for modification	C:\Windows\SysWOW64\vzcupv.exe	ulqhai.exe
File opened for modification	C:\Windows\SysWOW64\prxtaw.exe	sbqszp.exe
File created	C:\Windows\SysWOW64\mlyazi.exe	hgeaoz.exe
File opened for modification	C:\Windows\SysWOW64\iaarvm.exe	cqrwfp.exe
File created	C:\Windows\SysWOW64\byvxzo.exe	bcjacp.exe
File created	C:\Windows\SysWOW64\kivmeb.exe	frqzqn.exe
File created	C:\Windows\SysWOW64\zovixo.exe	uennpr.exe
File created	C:\Windows\SysWOW64\hndjbx.exe	fraggw.exe
File opened for modification	C:\Windows\SysWOW64\dbhtkq.exe	yzzyuk.exe
File opened for modification	C:\Windows\SysWOW64\zloiqd.exe	aamxbw.exe
File created	C:\Windows\SysWOW64\qkxgst.exe	gowwkz.exe
File created	C:\Windows\SysWOW64\gknpjf.exe	xeoaer.exe
File opened for modification	C:\Windows\SysWOW64\dhgkfg.exe	tmfzpl.exe
File created	C:\Windows\SysWOW64\ruagvd.exe	jbbgho.exe
File opened for modification	C:\Windows\SysWOW64\lqblik.exe	gawrme.exe
File created	C:\Windows\SysWOW64\vzcupv.exe	ulqhai.exe
File created	C:\Windows\SysWOW64\dxkvbu.exe	gdoida.exe
File opened for modification	C:\Windows\SysWOW64\mrwruz.exe	hndjbx.exe
File created	C:\Windows\SysWOW64\blxqtr.exe	ukypek.exe
File opened for modification	C:\Windows\SysWOW64\rgvlle.exe	parqoj.exe
File opened for modification	C:\Windows\SysWOW64\uhpkxb.exe	rxquff.exe
File created	C:\Windows\SysWOW64\ylfffw.exe	tylfmm.exe
File opened for modification	C:\Windows\SysWOW64\xzrhpw.exe	valrrs.exe
File created	C:\Windows\SysWOW64\zxaiil.exe	xkygek.exe
File created	C:\Windows\SysWOW64\itdhlh.exe	alqprs.exe
File created	C:\Windows\SysWOW64\mgcqwl.exe	htiicc.exe
File opened for modification	C:\Windows\SysWOW64\ylfxtu.exe	ntpzoe.exe
File opened for modification	C:\Windows\SysWOW64\kdwlsd.exe	cgugjs.exe
File created	C:\Windows\SysWOW64\tmfzpl.exe	ohlrek.exe
File opened for modification	C:\Windows\SysWOW64\tbhdjo.exe	weadih.exe
File opened for modification	C:\Windows\SysWOW64\hlpexm.exe	xmlhnn.exe
File created	C:\Windows\SysWOW64\xrmgjx.exe	tesyqn.exe
File opened for modification	C:\Windows\SysWOW64\zntkqd.exe	riqxhs.exe
File created	C:\Windows\SysWOW64\xldxpu.exe	sykxws.exe
File opened for modification	C:\Windows\SysWOW64\ldomer.exe	hmkril.exe
File opened for modification	C:\Windows\SysWOW64\aamxbw.exe	btohib.exe
File opened for modification	C:\Windows\SysWOW64\xeblrw.exe	paryal.exe
File created	C:\Windows\SysWOW64\wlzbap.exe	xpnvvy.exe
File created	C:\Windows\SysWOW64\yzzyuk.exe	bvvgvd.exe
File created	C:\Windows\SysWOW64\mnqqsq.exe	ejgdjf.exe
File opened for modification	C:\Windows\SysWOW64\itdhlh.exe	alqprs.exe
File created	C:\Windows\SysWOW64\dsfjcz.exe	runwuv.exe
File opened for modification	C:\Windows\SysWOW64\aqslpr.exe	vanqbd.exe
File created	C:\Windows\SysWOW64\thuvgg.exe	oubnnw.exe
File opened for modification	C:\Windows\SysWOW64\xbklpp.exe	ujtvwt.exe
File created	C:\Windows\SysWOW64\tljftb.exe	ipqulg.exe
File created	C:\Windows\SysWOW64\fzorus.exe	yveech.exe
File opened for modification	C:\Windows\SysWOW64\jayjen.exe	ezpowh.exe
File created	C:\Windows\SysWOW64\lypued.exe	faleqk.exe
File created	C:\Windows\SysWOW64\wlptby.exe	okitmk.exe
File created	C:\Windows\SysWOW64\ktzeby.exe	fcujnk.exe
File opened for modification	C:\Windows\SysWOW64\dkpkzv.exe	dsozfj.exe
File created	C:\Windows\SysWOW64\ecafki.exe	xudvvy.exe
File created	C:\Windows\SysWOW64\ejkhkq.exe	hisupe.exe
File created	C:\Windows\SysWOW64\anghrx.exe	ejkhkq.exe
File opened for modification	C:\Windows\SysWOW64\qohlkr.exe	mgcqwl.exe
File opened for modification	C:\Windows\SysWOW64\szrzte.exe	kdhmks.exe
File created	C:\Windows\SysWOW64\atuigc.exe	apidbl.exe
File opened for modification	C:\Windows\SysWOW64\vkaxcf.exe	ndfxip.exe
File created	C:\Windows\SysWOW64\bjsxmr.exe	wegpth.exe
File opened for modification	C:\Windows\SysWOW64\fzorus.exe	yveech.exe
File opened for modification	C:\Windows\SysWOW64\tmfzpl.exe	ohlrek.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs

pid	Process
2548	81cc11a664618647600e1680dd772a57_JaffaCakes118.exe
2440	btmttb.exe
2704	zaeltb.exe
2616	nfdbyw.exe
2956	hwdhpt.exe
2108	tmfrlr.exe
776	kqumho.exe
2348	btohib.exe
2504	aamxbw.exe
2444	zloiqd.exe
2808	yijxgh.exe
2936	dypyou.exe
2692	parqoj.exe
1296	rgvlle.exe
1100	ctldkq.exe
928	kqwbwn.exe
1544	husgod.exe
2712	ldyled.exe
2732	ztqwed.exe
1680	euyrvi.exe
1944	gephnw.exe
2304	drthmm.exe
2436	isbccr.exe
876	cqrwfp.exe
368	iaarvm.exe
2864	metzgw.exe
2256	pawccw.exe
2200	wegpth.exe
2840	bjsxmr.exe
1964	gwlfft.exe
1656	vhrkjb.exe
1096	ulqhai.exe
1740	vzcupv.exe
1532	yjushr.exe
2788	xyrpzh.exe
2904	xudvvy.exe
2556	ecafki.exe
2696	qeeloq.exe
3004	ihsvqa.exe
1792	cnjqlx.exe
3016	horlbc.exe
612	weadih.exe
1500	tbhdjo.exe
1620	suiwdb.exe
952	clvdhm.exe
2856	upjojw.exe
112	ovzrmu.exe
1916	spprlm.exe
2448	ngjuib.exe
1520	czdrrk.exe
924	hmwzku.exe
1708	qpljee.exe
2288	ytvwwx.exe
2328	agyzrp.exe
2624	xhimmb.exe
2608	fihmbh.exe
2016	hsgctd.exe
1252	gawmth.exe
2104	gsffvt.exe
1568	nwpkee.exe
1604	qksmzf.exe
2672	uwdutp.exe
1588	fwpsdn.exe
2012	ktmirg.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wfxgoc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ocbdkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ybtdqf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mdjlnx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wegpth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qkrusi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	paryal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcujnk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bdrbua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxsyvv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gsffvt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rbmojl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jtywdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wlkiby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ulzxda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vanqbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ohlrek.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zaeltb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myimqo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kjunvi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lubute.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndfxip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kqatvz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipqulg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgvlle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nbmbkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ybekrg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izrhnu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bprnev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lwxgdy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbklpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qohlkr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iytppg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tljftb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ukwcev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezpowh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iuxkcu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	czdrrk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gtmenx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rxquff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qexhux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tbhdjo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azsgyg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fguzdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cdqcnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anghrx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bmsdsw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qeqyni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywmlvk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kqwbwn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	upjojw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sbqszp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pfiylb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eevppu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xldxpu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	isbccr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	klhias.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uennpr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dhdqwg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agsehd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	anbbdz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tjsdkj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	peqham.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oepgzr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2548	81cc11a664618647600e1680dd772a57_JaffaCakes118.exe
2440	btmttb.exe
2704	zaeltb.exe
2616	nfdbyw.exe
2956	hwdhpt.exe
2108	tmfrlr.exe
776	kqumho.exe
2348	btohib.exe
2504	aamxbw.exe
2444	zloiqd.exe
2808	yijxgh.exe
2936	dypyou.exe
2692	parqoj.exe
1296	rgvlle.exe
1100	ctldkq.exe
928	kqwbwn.exe
1544	husgod.exe
2712	ldyled.exe
2732	ztqwed.exe
1680	euyrvi.exe
1944	gephnw.exe
2304	drthmm.exe
2436	isbccr.exe
876	cqrwfp.exe
368	iaarvm.exe
2864	metzgw.exe
2256	pawccw.exe
2200	wegpth.exe
2840	bjsxmr.exe
1964	gwlfft.exe
1656	vhrkjb.exe
1096	ulqhai.exe
1740	vzcupv.exe
1532	yjushr.exe
2788	xyrpzh.exe
2904	xudvvy.exe
2556	ecafki.exe
2696	qeeloq.exe
3004	ihsvqa.exe
1792	cnjqlx.exe
3016	horlbc.exe
612	weadih.exe
1500	tbhdjo.exe
1620	suiwdb.exe
952	clvdhm.exe
2856	upjojw.exe
112	ovzrmu.exe
1916	spprlm.exe
2448	ngjuib.exe
1520	czdrrk.exe
924	hmwzku.exe
1708	qpljee.exe
2288	ytvwwx.exe
2328	agyzrp.exe
2624	xhimmb.exe
2608	fihmbh.exe
2016	hsgctd.exe
1252	gawmth.exe
2104	gsffvt.exe
1568	nwpkee.exe
1604	qksmzf.exe
2672	uwdutp.exe
1588	fwpsdn.exe
2012	ktmirg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2440	2548	81cc11a664618647600e1680dd772a57_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2440	2548	81cc11a664618647600e1680dd772a57_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2440	2548	81cc11a664618647600e1680dd772a57_JaffaCakes118.exe	29
PID 2548 wrote to memory of 2440	2548	81cc11a664618647600e1680dd772a57_JaffaCakes118.exe	29
PID 2440 wrote to memory of 2704	2440	btmttb.exe	30
PID 2440 wrote to memory of 2704	2440	btmttb.exe	30
PID 2440 wrote to memory of 2704	2440	btmttb.exe	30
PID 2440 wrote to memory of 2704	2440	btmttb.exe	30
PID 2704 wrote to memory of 2616	2704	zaeltb.exe	31
PID 2704 wrote to memory of 2616	2704	zaeltb.exe	31
PID 2704 wrote to memory of 2616	2704	zaeltb.exe	31
PID 2704 wrote to memory of 2616	2704	zaeltb.exe	31
PID 2616 wrote to memory of 2956	2616	nfdbyw.exe	32
PID 2616 wrote to memory of 2956	2616	nfdbyw.exe	32
PID 2616 wrote to memory of 2956	2616	nfdbyw.exe	32
PID 2616 wrote to memory of 2956	2616	nfdbyw.exe	32
PID 2956 wrote to memory of 2108	2956	hwdhpt.exe	33
PID 2956 wrote to memory of 2108	2956	hwdhpt.exe	33
PID 2956 wrote to memory of 2108	2956	hwdhpt.exe	33
PID 2956 wrote to memory of 2108	2956	hwdhpt.exe	33
PID 2108 wrote to memory of 776	2108	tmfrlr.exe	34
PID 2108 wrote to memory of 776	2108	tmfrlr.exe	34
PID 2108 wrote to memory of 776	2108	tmfrlr.exe	34
PID 2108 wrote to memory of 776	2108	tmfrlr.exe	34
PID 776 wrote to memory of 2348	776	kqumho.exe	35
PID 776 wrote to memory of 2348	776	kqumho.exe	35
PID 776 wrote to memory of 2348	776	kqumho.exe	35
PID 776 wrote to memory of 2348	776	kqumho.exe	35
PID 2348 wrote to memory of 2504	2348	btohib.exe	36
PID 2348 wrote to memory of 2504	2348	btohib.exe	36
PID 2348 wrote to memory of 2504	2348	btohib.exe	36
PID 2348 wrote to memory of 2504	2348	btohib.exe	36
PID 2504 wrote to memory of 2444	2504	aamxbw.exe	37
PID 2504 wrote to memory of 2444	2504	aamxbw.exe	37
PID 2504 wrote to memory of 2444	2504	aamxbw.exe	37
PID 2504 wrote to memory of 2444	2504	aamxbw.exe	37
PID 2444 wrote to memory of 2808	2444	zloiqd.exe	38
PID 2444 wrote to memory of 2808	2444	zloiqd.exe	38
PID 2444 wrote to memory of 2808	2444	zloiqd.exe	38
PID 2444 wrote to memory of 2808	2444	zloiqd.exe	38
PID 2808 wrote to memory of 2936	2808	yijxgh.exe	39
PID 2808 wrote to memory of 2936	2808	yijxgh.exe	39
PID 2808 wrote to memory of 2936	2808	yijxgh.exe	39
PID 2808 wrote to memory of 2936	2808	yijxgh.exe	39
PID 2936 wrote to memory of 2692	2936	dypyou.exe	40
PID 2936 wrote to memory of 2692	2936	dypyou.exe	40
PID 2936 wrote to memory of 2692	2936	dypyou.exe	40
PID 2936 wrote to memory of 2692	2936	dypyou.exe	40
PID 2692 wrote to memory of 1296	2692	parqoj.exe	41
PID 2692 wrote to memory of 1296	2692	parqoj.exe	41
PID 2692 wrote to memory of 1296	2692	parqoj.exe	41
PID 2692 wrote to memory of 1296	2692	parqoj.exe	41
PID 1296 wrote to memory of 1100	1296	rgvlle.exe	42
PID 1296 wrote to memory of 1100	1296	rgvlle.exe	42
PID 1296 wrote to memory of 1100	1296	rgvlle.exe	42
PID 1296 wrote to memory of 1100	1296	rgvlle.exe	42
PID 1100 wrote to memory of 928	1100	ctldkq.exe	43
PID 1100 wrote to memory of 928	1100	ctldkq.exe	43
PID 1100 wrote to memory of 928	1100	ctldkq.exe	43
PID 1100 wrote to memory of 928	1100	ctldkq.exe	43
PID 928 wrote to memory of 1544	928	kqwbwn.exe	44
PID 928 wrote to memory of 1544	928	kqwbwn.exe	44
PID 928 wrote to memory of 1544	928	kqwbwn.exe	44
PID 928 wrote to memory of 1544	928	kqwbwn.exe	44

C:\Users\Admin\AppData\Local\Temp\81cc11a664618647600e1680dd772a57_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81cc11a664618647600e1680dd772a57_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\btmttb.exe
  C:\Windows\system32\btmttb.exe 660 "C:\Users\Admin\AppData\Local\Temp\81cc11a664618647600e1680dd772a57_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\zaeltb.exe
    C:\Windows\system32\zaeltb.exe 616 "C:\Windows\SysWOW64\btmttb.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\nfdbyw.exe
      C:\Windows\system32\nfdbyw.exe 620 "C:\Windows\SysWOW64\zaeltb.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\hwdhpt.exe
        
        C:\Windows\system32\hwdhpt.exe 652 "C:\Windows\SysWOW64\nfdbyw.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Windows\SysWOW64\tmfrlr.exe
        
        C:\Windows\system32\tmfrlr.exe 628 "C:\Windows\SysWOW64\hwdhpt.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\kqumho.exe
        
        C:\Windows\system32\kqumho.exe 624 "C:\Windows\SysWOW64\tmfrlr.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\btohib.exe
        
        C:\Windows\system32\btohib.exe 632 "C:\Windows\SysWOW64\kqumho.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\aamxbw.exe
        
        C:\Windows\system32\aamxbw.exe 636 "C:\Windows\SysWOW64\btohib.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\zloiqd.exe
        
        C:\Windows\system32\zloiqd.exe 676 "C:\Windows\SysWOW64\aamxbw.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\SysWOW64\yijxgh.exe
        
        C:\Windows\system32\yijxgh.exe 648 "C:\Windows\SysWOW64\zloiqd.exe"
        11⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\dypyou.exe
        
        C:\Windows\system32\dypyou.exe 708 "C:\Windows\SysWOW64\yijxgh.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\parqoj.exe
        
        C:\Windows\system32\parqoj.exe 644 "C:\Windows\SysWOW64\dypyou.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SysWOW64\rgvlle.exe
        
        C:\Windows\system32\rgvlle.exe 696 "C:\Windows\SysWOW64\parqoj.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\ctldkq.exe
        
        C:\Windows\system32\ctldkq.exe 664 "C:\Windows\SysWOW64\rgvlle.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\SysWOW64\kqwbwn.exe
        
        C:\Windows\system32\kqwbwn.exe 700 "C:\Windows\SysWOW64\ctldkq.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\husgod.exe
        
        C:\Windows\system32\husgod.exe 688 "C:\Windows\SysWOW64\kqwbwn.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1544
        
        C:\Windows\SysWOW64\ldyled.exe
        
        C:\Windows\system32\ldyled.exe 704 "C:\Windows\SysWOW64\husgod.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2712
        
        C:\Windows\SysWOW64\ztqwed.exe
        
        C:\Windows\system32\ztqwed.exe 668 "C:\Windows\SysWOW64\ldyled.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2732
        
        C:\Windows\SysWOW64\euyrvi.exe
        
        C:\Windows\system32\euyrvi.exe 684 "C:\Windows\SysWOW64\ztqwed.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1680
        
        C:\Windows\SysWOW64\gephnw.exe
        
        C:\Windows\system32\gephnw.exe 744 "C:\Windows\SysWOW64\euyrvi.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944
        
        C:\Windows\SysWOW64\drthmm.exe
        
        C:\Windows\system32\drthmm.exe 764 "C:\Windows\SysWOW64\gephnw.exe"
        22⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2304
        
        C:\Windows\SysWOW64\isbccr.exe
        
        C:\Windows\system32\isbccr.exe 784 "C:\Windows\SysWOW64\drthmm.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
        
        C:\Windows\SysWOW64\cqrwfp.exe
        
        C:\Windows\system32\cqrwfp.exe 732 "C:\Windows\SysWOW64\isbccr.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:876
        
        C:\Windows\SysWOW64\iaarvm.exe
        
        C:\Windows\system32\iaarvm.exe 712 "C:\Windows\SysWOW64\cqrwfp.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:368
        
        C:\Windows\SysWOW64\metzgw.exe
        
        C:\Windows\system32\metzgw.exe 716 "C:\Windows\SysWOW64\iaarvm.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2864
        
        C:\Windows\SysWOW64\pawccw.exe
        
        C:\Windows\system32\pawccw.exe 720 "C:\Windows\SysWOW64\metzgw.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\SysWOW64\wegpth.exe
        
        C:\Windows\system32\wegpth.exe 656 "C:\Windows\SysWOW64\pawccw.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2200
        
        C:\Windows\SysWOW64\bjsxmr.exe
        
        C:\Windows\system32\bjsxmr.exe 748 "C:\Windows\SysWOW64\wegpth.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\Windows\SysWOW64\gwlfft.exe
        
        C:\Windows\system32\gwlfft.exe 740 "C:\Windows\SysWOW64\bjsxmr.exe"
        30⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1964
        
        C:\Windows\SysWOW64\vhrkjb.exe
        
        C:\Windows\system32\vhrkjb.exe 752 "C:\Windows\SysWOW64\gwlfft.exe"
        31⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1656
        
        C:\Windows\SysWOW64\ulqhai.exe
        
        C:\Windows\system32\ulqhai.exe 728 "C:\Windows\SysWOW64\vhrkjb.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1096
        
        C:\Windows\SysWOW64\vzcupv.exe
        
        C:\Windows\system32\vzcupv.exe 788 "C:\Windows\SysWOW64\ulqhai.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\SysWOW64\yjushr.exe
        
        C:\Windows\system32\yjushr.exe 760 "C:\Windows\SysWOW64\vzcupv.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\xyrpzh.exe
        
        C:\Windows\system32\xyrpzh.exe 796 "C:\Windows\SysWOW64\yjushr.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\SysWOW64\xudvvy.exe
        
        C:\Windows\system32\xudvvy.exe 724 "C:\Windows\SysWOW64\xyrpzh.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2904
        
        C:\Windows\SysWOW64\ecafki.exe
        
        C:\Windows\system32\ecafki.exe 680 "C:\Windows\SysWOW64\xudvvy.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2556
        
        C:\Windows\SysWOW64\qeeloq.exe
        
        C:\Windows\system32\qeeloq.exe 756 "C:\Windows\SysWOW64\ecafki.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2696
        
        C:\Windows\SysWOW64\ihsvqa.exe
        
        C:\Windows\system32\ihsvqa.exe 768 "C:\Windows\SysWOW64\qeeloq.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3004
        
        C:\Windows\SysWOW64\cnjqlx.exe
        
        C:\Windows\system32\cnjqlx.exe 776 "C:\Windows\SysWOW64\ihsvqa.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1792
        
        C:\Windows\SysWOW64\horlbc.exe
        
        C:\Windows\system32\horlbc.exe 772 "C:\Windows\SysWOW64\cnjqlx.exe"
        41⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Windows\SysWOW64\weadih.exe
        
        C:\Windows\system32\weadih.exe 800 "C:\Windows\SysWOW64\horlbc.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:612
        
        C:\Windows\SysWOW64\tbhdjo.exe
        
        C:\Windows\system32\tbhdjo.exe 780 "C:\Windows\SysWOW64\weadih.exe"
        43⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1500
        
        C:\Windows\SysWOW64\suiwdb.exe
        
        C:\Windows\system32\suiwdb.exe 840 "C:\Windows\SysWOW64\tbhdjo.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1620
        
        C:\Windows\SysWOW64\clvdhm.exe
        
        C:\Windows\system32\clvdhm.exe 692 "C:\Windows\SysWOW64\suiwdb.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:952
        
        C:\Windows\SysWOW64\upjojw.exe
        
        C:\Windows\system32\upjojw.exe 816 "C:\Windows\SysWOW64\clvdhm.exe"
        46⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\SysWOW64\ovzrmu.exe
        
        C:\Windows\system32\ovzrmu.exe 804 "C:\Windows\SysWOW64\upjojw.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:112
        
        C:\Windows\SysWOW64\spprlm.exe
        
        C:\Windows\system32\spprlm.exe 672 "C:\Windows\SysWOW64\ovzrmu.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\SysWOW64\ngjuib.exe
        
        C:\Windows\system32\ngjuib.exe 856 "C:\Windows\SysWOW64\spprlm.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2448
        
        C:\Windows\SysWOW64\czdrrk.exe
        
        C:\Windows\system32\czdrrk.exe 812 "C:\Windows\SysWOW64\ngjuib.exe"
        50⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1520
        
        C:\Windows\SysWOW64\hmwzku.exe
        
        C:\Windows\system32\hmwzku.exe 832 "C:\Windows\SysWOW64\czdrrk.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:924
        
        C:\Windows\SysWOW64\qpljee.exe
        
        C:\Windows\system32\qpljee.exe 808 "C:\Windows\SysWOW64\hmwzku.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\ytvwwx.exe
        
        C:\Windows\system32\ytvwwx.exe 844 "C:\Windows\SysWOW64\qpljee.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2288
        
        C:\Windows\SysWOW64\agyzrp.exe
        
        C:\Windows\system32\agyzrp.exe 908 "C:\Windows\SysWOW64\ytvwwx.exe"
        54⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2328
        
        C:\Windows\SysWOW64\xhimmb.exe
        
        C:\Windows\system32\xhimmb.exe 792 "C:\Windows\SysWOW64\agyzrp.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2624
        
        C:\Windows\SysWOW64\fihmbh.exe
        
        C:\Windows\system32\fihmbh.exe 880 "C:\Windows\SysWOW64\xhimmb.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\SysWOW64\hsgctd.exe
        
        C:\Windows\system32\hsgctd.exe 852 "C:\Windows\SysWOW64\fihmbh.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2016
        
        C:\Windows\SysWOW64\gawmth.exe
        
        C:\Windows\system32\gawmth.exe 892 "C:\Windows\SysWOW64\hsgctd.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1252
        
        C:\Windows\SysWOW64\gsffvt.exe
        
        C:\Windows\system32\gsffvt.exe 736 "C:\Windows\SysWOW64\gawmth.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2104
        
        C:\Windows\SysWOW64\nwpkee.exe
        
        C:\Windows\system32\nwpkee.exe 828 "C:\Windows\SysWOW64\gsffvt.exe"
        60⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1568
        
        C:\Windows\SysWOW64\qksmzf.exe
        
        C:\Windows\system32\qksmzf.exe 864 "C:\Windows\SysWOW64\nwpkee.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Windows\SysWOW64\uwdutp.exe
        
        C:\Windows\system32\uwdutp.exe 868 "C:\Windows\SysWOW64\qksmzf.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2672
        
        C:\Windows\SysWOW64\fwpsdn.exe
        
        C:\Windows\system32\fwpsdn.exe 948 "C:\Windows\SysWOW64\uwdutp.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:1588
        
        C:\Windows\SysWOW64\ktmirg.exe
        
        C:\Windows\system32\ktmirg.exe 848 "C:\Windows\SysWOW64\fwpsdn.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: EnumeratesProcesses
        
        PID:2012
        
        C:\Windows\SysWOW64\pggqkq.exe
        
        C:\Windows\system32\pggqkq.exe 920 "C:\Windows\SysWOW64\ktmirg.exe"
        65⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:1912
        
        C:\Windows\SysWOW64\ulzxda.exe
        
        C:\Windows\system32\ulzxda.exe 872 "C:\Windows\SysWOW64\pggqkq.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\ybekrg.exe
        
        C:\Windows\system32\ybekrg.exe 876 "C:\Windows\SysWOW64\ulzxda.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\jxxdha.exe
        
        C:\Windows\system32\jxxdha.exe 972 "C:\Windows\SysWOW64\ybekrg.exe"
        68⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\tejarz.exe
        
        C:\Windows\system32\tejarz.exe 976 "C:\Windows\SysWOW64\jxxdha.exe"
        69⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\apifot.exe
        
        C:\Windows\system32\apifot.exe 904 "C:\Windows\SysWOW64\tejarz.exe"
        70⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\lhxltj.exe
        
        C:\Windows\system32\lhxltj.exe 984 "C:\Windows\SysWOW64\apifot.exe"
        71⤵
        
        PID:432
        
        C:\Windows\SysWOW64\nvanoj.exe
        
        C:\Windows\system32\nvanoj.exe 896 "C:\Windows\SysWOW64\lhxltj.exe"
        72⤵
        Identifies Wine through registry keys
        
        PID:1244
        
        C:\Windows\SysWOW64\atvqxs.exe
        
        C:\Windows\system32\atvqxs.exe 940 "C:\Windows\SysWOW64\nvanoj.exe"
        73⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\hbqirh.exe
        
        C:\Windows\system32\hbqirh.exe 860 "C:\Windows\SysWOW64\atvqxs.exe"
        74⤵
        
        PID:276
        
        C:\Windows\SysWOW64\ecjvns.exe
        
        C:\Windows\system32\ecjvns.exe 912 "C:\Windows\SysWOW64\hbqirh.exe"
        75⤵
        Identifies Wine through registry keys
        
        PID:1324
        
        C:\Windows\SysWOW64\wfxgoc.exe
        
        C:\Windows\system32\wfxgoc.exe 888 "C:\Windows\SysWOW64\ecjvns.exe"
        76⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\qhqoue.exe
        
        C:\Windows\system32\qhqoue.exe 900 "C:\Windows\SysWOW64\wfxgoc.exe"
        77⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\nbmbkh.exe
        
        C:\Windows\system32\nbmbkh.exe 944 "C:\Windows\SysWOW64\qhqoue.exe"
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:808
        
        C:\Windows\SysWOW64\zvbbqy.exe
        
        C:\Windows\system32\zvbbqy.exe 884 "C:\Windows\SysWOW64\nbmbkh.exe"
        79⤵
        
        PID:396
        
        C:\Windows\SysWOW64\wawbwn.exe
        
        C:\Windows\system32\wawbwn.exe 916 "C:\Windows\SysWOW64\zvbbqy.exe"
        80⤵
        Identifies Wine through registry keys
        
        PID:2228
        
        C:\Windows\SysWOW64\ajaozi.exe
        
        C:\Windows\system32\ajaozi.exe 836 "C:\Windows\SysWOW64\wawbwn.exe"
        81⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\hgltkg.exe
        
        C:\Windows\system32\hgltkg.exe 936 "C:\Windows\SysWOW64\ajaozi.exe"
        82⤵
        Identifies Wine through registry keys
        
        PID:2876
        
        C:\Windows\SysWOW64\runwuv.exe
        
        C:\Windows\system32\runwuv.exe 1032 "C:\Windows\SysWOW64\hgltkg.exe"
        83⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1800
        
        C:\Windows\SysWOW64\dsfjcz.exe
        
        C:\Windows\system32\dsfjcz.exe 956 "C:\Windows\SysWOW64\runwuv.exe"
        84⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\yyvefo.exe
        
        C:\Windows\system32\yyvefo.exe 1020 "C:\Windows\SysWOW64\dsfjcz.exe"
        85⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\stauxh.exe
        
        C:\Windows\system32\stauxh.exe 992 "C:\Windows\SysWOW64\yyvefo.exe"
        86⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\ugdwsi.exe
        
        C:\Windows\system32\ugdwsi.exe 932 "C:\Windows\SysWOW64\stauxh.exe"
        87⤵
        
        PID:672
        
        C:\Windows\SysWOW64\xyvmke.exe
        
        C:\Windows\system32\xyvmke.exe 952 "C:\Windows\SysWOW64\ugdwsi.exe"
        88⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\ypjcqi.exe
        
        C:\Windows\system32\ypjcqi.exe 960 "C:\Windows\SysWOW64\xyvmke.exe"
        89⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\dcckbs.exe
        
        C:\Windows\system32\dcckbs.exe 924 "C:\Windows\SysWOW64\ypjcqi.exe"
        90⤵
        Identifies Wine through registry keys
        
        PID:1508
        
        C:\Windows\SysWOW64\lgmxtd.exe
        
        C:\Windows\system32\lgmxtd.exe 980 "C:\Windows\SysWOW64\dcckbs.exe"
        91⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\ntpzoe.exe
        
        C:\Windows\system32\ntpzoe.exe 640 "C:\Windows\SysWOW64\lgmxtd.exe"
        92⤵
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\ylfxtu.exe
        
        C:\Windows\system32\ylfxtu.exe 996 "C:\Windows\SysWOW64\ntpzoe.exe"
        93⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\ftsxnj.exe
        
        C:\Windows\system32\ftsxnj.exe 988 "C:\Windows\SysWOW64\ylfxtu.exe"
        94⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\peqham.exe
        
        C:\Windows\system32\peqham.exe 928 "C:\Windows\SysWOW64\ftsxnj.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\Windows\SysWOW64\zdufll.exe
        
        C:\Windows\system32\zdufll.exe 1036 "C:\Windows\SysWOW64\peqham.exe"
        96⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\gkpxfa.exe
        
        C:\Windows\system32\gkpxfa.exe 1000 "C:\Windows\SysWOW64\zdufll.exe"
        97⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\rjtupz.exe
        
        C:\Windows\system32\rjtupz.exe 1040 "C:\Windows\SysWOW64\gkpxfa.exe"
        98⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\bcjacp.exe
        
        C:\Windows\system32\bcjacp.exe 1092 "C:\Windows\SysWOW64\rjtupz.exe"
        99⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\byvxzo.exe
        
        C:\Windows\system32\byvxzo.exe 1016 "C:\Windows\SysWOW64\bcjacp.exe"
        100⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\vhxfeq.exe
        
        C:\Windows\system32\vhxfeq.exe 1008 "C:\Windows\SysWOW64\byvxzo.exe"
        101⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\pnfizg.exe
        
        C:\Windows\system32\pnfizg.exe 1004 "C:\Windows\SysWOW64\vhxfeq.exe"
        102⤵
        
        PID:796
        
        C:\Windows\SysWOW64\zmrfsf.exe
        
        C:\Windows\system32\zmrfsf.exe 1056 "C:\Windows\SysWOW64\pnfizg.exe"
        103⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\jisqzz.exe
        
        C:\Windows\system32\jisqzz.exe 1080 "C:\Windows\SysWOW64\zmrfsf.exe"
        104⤵
        
        PID:824
        
        C:\Windows\SysWOW64\rqfqux.exe
        
        C:\Windows\system32\rqfqux.exe 964 "C:\Windows\SysWOW64\jisqzz.exe"
        105⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\bprnev.exe
        
        C:\Windows\system32\bprnev.exe 1044 "C:\Windows\SysWOW64\rqfqux.exe"
        106⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\ocbdkr.exe
        
        C:\Windows\system32\ocbdkr.exe 1104 "C:\Windows\SysWOW64\bprnev.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
        
        C:\Windows\SysWOW64\ymqnxu.exe
        
        C:\Windows\system32\ymqnxu.exe 1012 "C:\Windows\SysWOW64\ocbdkr.exe"
        108⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\iirynp.exe
        
        C:\Windows\system32\iirynp.exe 1084 "C:\Windows\SysWOW64\ymqnxu.exe"
        109⤵
        
        PID:940
        
        C:\Windows\SysWOW64\klhias.exe
        
        C:\Windows\system32\klhias.exe 1144 "C:\Windows\SysWOW64\iirynp.exe"
        110⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\uktgkr.exe
        
        C:\Windows\system32\uktgkr.exe 1108 "C:\Windows\SysWOW64\klhias.exe"
        111⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\euiqfu.exe
        
        C:\Windows\system32\euiqfu.exe 1148 "C:\Windows\SysWOW64\uktgkr.exe"
        112⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\pqbino.exe
        
        C:\Windows\system32\pqbino.exe 1072 "C:\Windows\SysWOW64\euiqfu.exe"
        113⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\ztytar.exe
        
        C:\Windows\system32\ztytar.exe 1164 "C:\Windows\SysWOW64\pqbino.exe"
        114⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\jordqm.exe
        
        C:\Windows\system32\jordqm.exe 1116 "C:\Windows\SysWOW64\ztytar.exe"
        115⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\rsbqzx.exe
        
        C:\Windows\system32\rsbqzx.exe 1052 "C:\Windows\SysWOW64\jordqm.exe"
        116⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\bdrbua.exe
        
        C:\Windows\system32\bdrbua.exe 1088 "C:\Windows\SysWOW64\rsbqzx.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\oqiqae.exe
        
        C:\Windows\system32\oqiqae.exe 1172 "C:\Windows\SysWOW64\bdrbua.exe"
        118⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\vbhwpy.exe
        
        C:\Windows\system32\vbhwpy.exe 1168 "C:\Windows\SysWOW64\oqiqae.exe"
        119⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\aoadjh.exe
        
        C:\Windows\system32\aoadjh.exe 1180 "C:\Windows\SysWOW64\vbhwpy.exe"
        120⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\nevgrh.exe
        
        C:\Windows\system32\nevgrh.exe 1184 "C:\Windows\SysWOW64\aoadjh.exe"
        121⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\xawrhc.exe
        
        C:\Windows\system32\xawrhc.exe 1188 "C:\Windows\SysWOW64\nevgrh.exe"
        122⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\etvwwe.exe
        
        C:\Windows\system32\etvwwe.exe 1200 "C:\Windows\SysWOW64\xawrhc.exe"
        123⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\ppwody.exe
        
        C:\Windows\system32\ppwody.exe 968 "C:\Windows\SysWOW64\etvwwe.exe"
        124⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\bfrruy.exe
        
        C:\Windows\system32\bfrruy.exe 1196 "C:\Windows\SysWOW64\ppwody.exe"
        125⤵
        Identifies Wine through registry keys
        
        PID:548
        
        C:\Windows\SysWOW64\ltrgkg.exe
        
        C:\Windows\system32\ltrgkg.exe 1204 "C:\Windows\SysWOW64\bfrruy.exe"
        126⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\wlhmpw.exe
        
        C:\Windows\system32\wlhmpw.exe 1100 "C:\Windows\SysWOW64\ltrgkg.exe"
        127⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\gowwkz.exe
        
        C:\Windows\system32\gowwkz.exe 1216 "C:\Windows\SysWOW64\wlhmpw.exe"
        128⤵
        Drops file in System32 directory
        
        PID:1060
        
        C:\Windows\SysWOW64\qkxgst.exe
        
        C:\Windows\system32\qkxgst.exe 1212 "C:\Windows\SysWOW64\gowwkz.exe"
        129⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\ajjecs.exe
        
        C:\Windows\system32\ajjecs.exe 1220 "C:\Windows\SysWOW64\qkxgst.exe"
        130⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\iqxewi.exe
        
        C:\Windows\system32\iqxewi.exe 1076 "C:\Windows\SysWOW64\ajjecs.exe"
        131⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\rbmojl.exe
        
        C:\Windows\system32\rbmojl.exe 1176 "C:\Windows\SysWOW64\iqxewi.exe"
        132⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\fodepp.exe
        
        C:\Windows\system32\fodepp.exe 1140 "C:\Windows\SysWOW64\rbmojl.exe"
        133⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\mzcjmi.exe
        
        C:\Windows\system32\mzcjmi.exe 1068 "C:\Windows\SysWOW64\fodepp.exe"
        134⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\wgohxh.exe
        
        C:\Windows\system32\wgohxh.exe 1224 "C:\Windows\SysWOW64\mzcjmi.exe"
        135⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\jtywdl.exe
        
        C:\Windows\system32\jtywdl.exe 1120 "C:\Windows\SysWOW64\wgohxh.exe"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\twnhyo.exe
        
        C:\Windows\system32\twnhyo.exe 1248 "C:\Windows\SysWOW64\jtywdl.exe"
        137⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\dsozfj.exe
        
        C:\Windows\system32\dsozfj.exe 1136 "C:\Windows\SysWOW64\twnhyo.exe"
        138⤵
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\dkpkzv.exe
        
        C:\Windows\system32\dkpkzv.exe 1260 "C:\Windows\SysWOW64\dsozfj.exe"
        139⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\swvpde.exe
        
        C:\Windows\system32\swvpde.exe 1096 "C:\Windows\SysWOW64\dkpkzv.exe"
        140⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\hisupe.exe
        
        C:\Windows\system32\hisupe.exe 1124 "C:\Windows\SysWOW64\swvpde.exe"
        141⤵
        Drops file in System32 directory
        
        PID:2892
        
        C:\Windows\SysWOW64\ejkhkq.exe
        
        C:\Windows\system32\ejkhkq.exe 1132 "C:\Windows\SysWOW64\hisupe.exe"
        142⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\anghrx.exe
        
        C:\Windows\system32\anghrx.exe 1064 "C:\Windows\SysWOW64\ejkhkq.exe"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\gldpxy.exe
        
        C:\Windows\system32\gldpxy.exe 1112 "C:\Windows\SysWOW64\anghrx.exe"
        144⤵
        Identifies Wine through registry keys
        
        PID:2932
        
        C:\Windows\SysWOW64\xeoaer.exe
        
        C:\Windows\system32\xeoaer.exe 1128 "C:\Windows\SysWOW64\gldpxy.exe"
        145⤵
        Drops file in System32 directory
        
        PID:2828
        
        C:\Windows\SysWOW64\gknpjf.exe
        
        C:\Windows\system32\gknpjf.exe 1208 "C:\Windows\SysWOW64\xeoaer.exe"
        146⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\gdoida.exe
        
        C:\Windows\system32\gdoida.exe 1160 "C:\Windows\SysWOW64\gknpjf.exe"
        147⤵
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\dxkvbu.exe
        
        C:\Windows\system32\dxkvbu.exe 1048 "C:\Windows\SysWOW64\gdoida.exe"
        148⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\vhvxin.exe
        
        C:\Windows\system32\vhvxin.exe 1152 "C:\Windows\SysWOW64\dxkvbu.exe"
        149⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\sbqszp.exe
        
        C:\Windows\system32\sbqszp.exe 1232 "C:\Windows\SysWOW64\vhvxin.exe"
        150⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\prxtaw.exe
        
        C:\Windows\system32\prxtaw.exe 1156 "C:\Windows\SysWOW64\sbqszp.exe"
        151⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\edvydx.exe
        
        C:\Windows\system32\edvydx.exe 1292 "C:\Windows\SysWOW64\prxtaw.exe"
        152⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\wsunil.exe
        
        C:\Windows\system32\wsunil.exe 1228 "C:\Windows\SysWOW64\edvydx.exe"
        153⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\nyulnh.exe
        
        C:\Windows\system32\nyulnh.exe 1028 "C:\Windows\SysWOW64\wsunil.exe"
        154⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\fciwgr.exe
        
        C:\Windows\system32\fciwgr.exe 1324 "C:\Windows\SysWOW64\nyulnh.exe"
        155⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cdajkc.exe
        
        C:\Windows\system32\cdajkc.exe 1256 "C:\Windows\SysWOW64\fciwgr.exe"
        156⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\rlnblz.exe
        
        C:\Windows\system32\rlnblz.exe 1264 "C:\Windows\SysWOW64\cdajkc.exe"
        157⤵
        Identifies Wine through registry keys
        
        PID:2468
        
        C:\Windows\SysWOW64\ypuycn.exe
        
        C:\Windows\system32\ypuycn.exe 1252 "C:\Windows\SysWOW64\rlnblz.exe"
        158⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\vbqmsi.exe
        
        C:\Windows\system32\vbqmsi.exe 1268 "C:\Windows\SysWOW64\ypuycn.exe"
        159⤵
        
        PID:956
        
        C:\Windows\SysWOW64\rflmzx.exe
        
        C:\Windows\system32\rflmzx.exe 1192 "C:\Windows\SysWOW64\vbqmsi.exe"
        160⤵
        Identifies Wine through registry keys
        
        PID:1760
        
        C:\Windows\SysWOW64\jraobh.exe
        
        C:\Windows\system32\jraobh.exe 1240 "C:\Windows\SysWOW64\rflmzx.exe"
        161⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\elneta.exe
        
        C:\Windows\system32\elneta.exe 1280 "C:\Windows\SysWOW64\jraobh.exe"
        162⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\yvgmyc.exe
        
        C:\Windows\system32\yvgmyc.exe 1236 "C:\Windows\SysWOW64\elneta.exe"
        163⤵
        
        PID:916
        
        C:\Windows\SysWOW64\frqzqn.exe
        
        C:\Windows\system32\frqzqn.exe 1284 "C:\Windows\SysWOW64\yvgmyc.exe"
        164⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2552
        
        C:\Windows\SysWOW64\kivmeb.exe
        
        C:\Windows\system32\kivmeb.exe 1300 "C:\Windows\SysWOW64\frqzqn.exe"
        165⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\valrrs.exe
        
        C:\Windows\system32\valrrs.exe 1304 "C:\Windows\SysWOW64\kivmeb.exe"
        166⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\xzrhpw.exe
        
        C:\Windows\system32\xzrhpw.exe 1296 "C:\Windows\SysWOW64\valrrs.exe"
        167⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\riqxhs.exe
        
        C:\Windows\system32\riqxhs.exe 1288 "C:\Windows\SysWOW64\xzrhpw.exe"
        168⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\zntkqd.exe
        
        C:\Windows\system32\zntkqd.exe 1308 "C:\Windows\SysWOW64\riqxhs.exe"
        169⤵
        
        PID:948
        
        C:\Windows\SysWOW64\ipqulg.exe
        
        C:\Windows\system32\ipqulg.exe 1060 "C:\Windows\SysWOW64\zntkqd.exe"
        170⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\tljftb.exe
        
        C:\Windows\system32\tljftb.exe 1244 "C:\Windows\SysWOW64\ipqulg.exe"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:2076
        
        C:\Windows\SysWOW64\vkxurg.exe
        
        C:\Windows\system32\vkxurg.exe 1364 "C:\Windows\SysWOW64\tljftb.exe"
        172⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\fcmaww.exe
        
        C:\Windows\system32\fcmaww.exe 1316 "C:\Windows\SysWOW64\vkxurg.exe"
        173⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\ksrmsc.exe
        
        C:\Windows\system32\ksrmsc.exe 1336 "C:\Windows\SysWOW64\fcmaww.exe"
        174⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\swtajv.exe
        
        C:\Windows\system32\swtajv.exe 1272 "C:\Windows\SysWOW64\ksrmsc.exe"
        175⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\ukwcev.exe
        
        C:\Windows\system32\ukwcev.exe 1276 "C:\Windows\SysWOW64\swtajv.exe"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\brsuql.exe
        
        C:\Windows\system32\brsuql.exe 1360 "C:\Windows\SysWOW64\ukwcev.exe"
        177⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\gelckm.exe
        
        C:\Windows\system32\gelckm.exe 1376 "C:\Windows\SysWOW64\brsuql.exe"
        178⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\nivpbf.exe
        
        C:\Windows\system32\nivpbf.exe 1408 "C:\Windows\SysWOW64\gelckm.exe"
        179⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\tkekjl.exe
        
        C:\Windows\system32\tkekjl.exe 1356 "C:\Windows\SysWOW64\nivpbf.exe"
        180⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\vxgned.exe
        
        C:\Windows\system32\vxgned.exe 1340 "C:\Windows\SysWOW64\tkekjl.exe"
        181⤵
        Identifies Wine through registry keys
        
        PID:3052
        
        C:\Windows\SysWOW64\ubtsjc.exe
        
        C:\Windows\system32\ubtsjc.exe 1368 "C:\Windows\SysWOW64\vxgned.exe"
        182⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\wlkiby.exe
        
        C:\Windows\system32\wlkiby.exe 1412 "C:\Windows\SysWOW64\ubtsjc.exe"
        183⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\bmsdsw.exe
        
        C:\Windows\system32\bmsdsw.exe 1328 "C:\Windows\SysWOW64\wlkiby.exe"
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:596
        
        C:\Windows\SysWOW64\goidjo.exe
        
        C:\Windows\system32\goidjo.exe 1312 "C:\Windows\SysWOW64\bmsdsw.exe"
        185⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\ohhdxv.exe
        
        C:\Windows\system32\ohhdxv.exe 1348 "C:\Windows\SysWOW64\goidjo.exe"
        186⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\tublqe.exe
        
        C:\Windows\system32\tublqe.exe 1404 "C:\Windows\SysWOW64\ohhdxv.exe"
        187⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\xkygek.exe
        
        C:\Windows\system32\xkygek.exe 1380 "C:\Windows\SysWOW64\tublqe.exe"
        188⤵
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\zxaiil.exe
        
        C:\Windows\system32\zxaiil.exe 1320 "C:\Windows\SysWOW64\xkygek.exe"
        189⤵
        Drops file in System32 directory
        
        PID:1264
        
        C:\Windows\SysWOW64\ehrdqq.exe
        
        C:\Windows\system32\ehrdqq.exe 1372 "C:\Windows\SysWOW64\zxaiil.exe"
        190⤵
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\moedkg.exe
        
        C:\Windows\system32\moedkg.exe 1384 "C:\Windows\SysWOW64\ehrdqq.exe"
        191⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\uhdvrm.exe
        
        C:\Windows\system32\uhdvrm.exe 1392 "C:\Windows\SysWOW64\moedkg.exe"
        192⤵
        Identifies Wine through registry keys
        
        PID:1788
        
        C:\Windows\SysWOW64\ybtdqf.exe
        
        C:\Windows\system32\ybtdqf.exe 1332 "C:\Windows\SysWOW64\uhdvrm.exe"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\gfvihq.exe
        
        C:\Windows\system32\gfvihq.exe 1396 "C:\Windows\SysWOW64\ybtdqf.exe"
        194⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\iaytcq.exe
        
        C:\Windows\system32\iaytcq.exe 1388 "C:\Windows\SysWOW64\gfvihq.exe"
        195⤵
        
        PID:884
        
        C:\Windows\SysWOW64\pfiylb.exe
        
        C:\Windows\system32\pfiylb.exe 1352 "C:\Windows\SysWOW64\iaytcq.exe"
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\rslbgc.exe
        
        C:\Windows\system32\rslbgc.exe 1444 "C:\Windows\SysWOW64\pfiylb.exe"
        197⤵
        
        PID:592
        
        C:\Windows\SysWOW64\wfejal.exe
        
        C:\Windows\system32\wfejal.exe 1436 "C:\Windows\SysWOW64\rslbgc.exe"
        198⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\hafbhg.exe
        
        C:\Windows\system32\hafbhg.exe 1344 "C:\Windows\SysWOW64\wfejal.exe"
        199⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\oepgzr.exe
        
        C:\Windows\system32\oepgzr.exe 824 "C:\Windows\SysWOW64\hafbhg.exe"
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:1712
        
        C:\Windows\SysWOW64\yeuejq.exe
        
        C:\Windows\system32\yeuejq.exe 1428 "C:\Windows\SysWOW64\oepgzr.exe"
        201⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\trwoeq.exe
        
        C:\Windows\system32\trwoeq.exe 1416 "C:\Windows\SysWOW64\yeuejq.exe"
        202⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\azsgyg.exe
        
        C:\Windows\system32\azsgyg.exe 1424 "C:\Windows\SysWOW64\trwoeq.exe"
        203⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\izrhnu.exe
        
        C:\Windows\system32\izrhnu.exe 1456 "C:\Windows\SysWOW64\azsgyg.exe"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\plpmco.exe
        
        C:\Windows\system32\plpmco.exe 1432 "C:\Windows\SysWOW64\izrhnu.exe"
        205⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\xlomrv.exe
        
        C:\Windows\system32\xlomrv.exe 1448 "C:\Windows\SysWOW64\plpmco.exe"
        206⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\ewnrgx.exe
        
        C:\Windows\system32\ewnrgx.exe 1472 "C:\Windows\SysWOW64\xlomrv.exe"
        207⤵
        
        PID:664
        
        C:\Windows\SysWOW64\mxmrud.exe
        
        C:\Windows\system32\mxmrud.exe 1440 "C:\Windows\SysWOW64\ewnrgx.exe"
        208⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\wwypfc.exe
        
        C:\Windows\system32\wwypfc.exe 1468 "C:\Windows\SysWOW64\mxmrud.exe"
        209⤵
        
        PID:768
        
        C:\Windows\SysWOW64\yveech.exe
        
        C:\Windows\system32\yveech.exe 1524 "C:\Windows\SysWOW64\wwypfc.exe"
        210⤵
        Drops file in System32 directory
        
        PID:1932
        
        C:\Windows\SysWOW64\fzorus.exe
        
        C:\Windows\system32\fzorus.exe 1452 "C:\Windows\SysWOW64\yveech.exe"
        211⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\lbxmcx.exe
        
        C:\Windows\system32\lbxmcx.exe 1492 "C:\Windows\SysWOW64\fzorus.exe"
        212⤵
        
        PID:896
        
        C:\Windows\SysWOW64\mzlcic.exe
        
        C:\Windows\system32\mzlcic.exe 1548 "C:\Windows\SysWOW64\lbxmcx.exe"
        213⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\xzxztb.exe
        
        C:\Windows\system32\xzxztb.exe 1500 "C:\Windows\SysWOW64\mzlcic.exe"
        214⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\blqhmc.exe
        
        C:\Windows\system32\blqhmc.exe 1488 "C:\Windows\SysWOW64\xzxztb.exe"
        215⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\jismvw.exe
        
        C:\Windows\system32\jismvw.exe 1460 "C:\Windows\SysWOW64\blqhmc.exe"
        216⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\tdtflq.exe
        
        C:\Windows\system32\tdtflq.exe 1568 "C:\Windows\SysWOW64\jismvw.exe"
        217⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\yqnnws.exe
        
        C:\Windows\system32\yqnnws.exe 1496 "C:\Windows\SysWOW64\tdtflq.exe"
        218⤵
        
        PID:844
        
        C:\Windows\SysWOW64\alqprs.exe
        
        C:\Windows\system32\alqprs.exe 1480 "C:\Windows\SysWOW64\yqnnws.exe"
        219⤵
        Drops file in System32 directory
        
        PID:2196
        
        C:\Windows\SysWOW64\itdhlh.exe
        
        C:\Windows\system32\itdhlh.exe 1420 "C:\Windows\SysWOW64\alqprs.exe"
        220⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\nutccn.exe
        
        C:\Windows\system32\nutccn.exe 1516 "C:\Windows\SysWOW64\itdhlh.exe"
        221⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\shnknx.exe
        
        C:\Windows\system32\shnknx.exe 1512 "C:\Windows\SysWOW64\nutccn.exe"
        222⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\xmysgy.exe
        
        C:\Windows\system32\xmysgy.exe 1476 "C:\Windows\SysWOW64\shnknx.exe"
        223⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\boosfr.exe
        
        C:\Windows\system32\boosfr.exe 1508 "C:\Windows\SysWOW64\xmysgy.exe"
        224⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\myexkh.exe
        
        C:\Windows\system32\myexkh.exe 1596 "C:\Windows\SysWOW64\boosfr.exe"
        225⤵
        Identifies Wine through registry keys
        
        PID:2988
        
        C:\Windows\SysWOW64\qobsgn.exe
        
        C:\Windows\system32\qobsgn.exe 1520 "C:\Windows\SysWOW64\myexkh.exe"
        226⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\yslxxg.exe
        
        C:\Windows\system32\yslxxg.exe 1604 "C:\Windows\SysWOW64\qobsgn.exe"
        227⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\fagyjv.exe
        
        C:\Windows\system32\fagyjv.exe 1484 "C:\Windows\SysWOW64\yslxxg.exe"
        228⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\kqdkfb.exe
        
        C:\Windows\system32\kqdkfb.exe 1464 "C:\Windows\SysWOW64\fagyjv.exe"
        229⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\poiatd.exe
        
        C:\Windows\system32\poiatd.exe 1540 "C:\Windows\SysWOW64\kqdkfb.exe"
        230⤵
        
        PID:960
        
        C:\Windows\SysWOW64\uennpr.exe
        
        C:\Windows\system32\uennpr.exe 1532 "C:\Windows\SysWOW64\poiatd.exe"
        231⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\zovixo.exe
        
        C:\Windows\system32\zovixo.exe 1544 "C:\Windows\SysWOW64\uennpr.exe"
        232⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\dhdqwg.exe
        
        C:\Windows\system32\dhdqwg.exe 1556 "C:\Windows\SysWOW64\zovixo.exe"
        233⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\lacqln.exe
        
        C:\Windows\system32\lacqln.exe 1528 "C:\Windows\SysWOW64\dhdqwg.exe"
        234⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\temvug.exe
        
        C:\Windows\system32\temvug.exe 1504 "C:\Windows\SysWOW64\lacqln.exe"
        235⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\kmkgcb.exe
        
        C:\Windows\system32\kmkgcb.exe 1588 "C:\Windows\SysWOW64\temvug.exe"
        236⤵
        Identifies Wine through registry keys
        
        PID:2260
        
        C:\Windows\SysWOW64\uhcykw.exe
        
        C:\Windows\system32\uhcykw.exe 1400 "C:\Windows\SysWOW64\kmkgcb.exe"
        237⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\wvfbfw.exe
        
        C:\Windows\system32\wvfbfw.exe 1592 "C:\Windows\SysWOW64\uhcykw.exe"
        238⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\ezpowh.exe
        
        C:\Windows\system32\ezpowh.exe 1580 "C:\Windows\SysWOW64\wvfbfw.exe"
        239⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\jayjen.exe
        
        C:\Windows\system32\jayjen.exe 1620 "C:\Windows\SysWOW64\ezpowh.exe"
        240⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\orcwat.exe
        
        C:\Windows\system32\orcwat.exe 1552 "C:\Windows\SysWOW64\jayjen.exe"
        241⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\talyry.exe
        
        C:\Windows\system32\talyry.exe 1584 "C:\Windows\SysWOW64\orcwat.exe"
        242⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\aigrlo.exe
        
        C:\Windows\system32\aigrlo.exe 1640 "C:\Windows\SysWOW64\talyry.exe"
        243⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\cgugjs.exe
        
        C:\Windows\system32\cgugjs.exe 1628 "C:\Windows\SysWOW64\aigrlo.exe"
        244⤵
        Drops file in System32 directory
        
        PID:2272
        
        C:\Windows\SysWOW64\kdwlsd.exe
        
        C:\Windows\system32\kdwlsd.exe 1560 "C:\Windows\SysWOW64\cgugjs.exe"
        245⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\rhgzkx.exe
        
        C:\Windows\system32\rhgzkx.exe 1624 "C:\Windows\SysWOW64\kdwlsd.exe"
        246⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\zlrmti.exe
        
        C:\Windows\system32\zlrmti.exe 1572 "C:\Windows\SysWOW64\rhgzkx.exe"
        247⤵
        Identifies Wine through registry keys
        
        PID:2740
        
        C:\Windows\SysWOW64\gtmenx.exe
        
        C:\Windows\system32\gtmenx.exe 1612 "C:\Windows\SysWOW64\zlrmti.exe"
        248⤵
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\Windows\SysWOW64\luuzec.exe
        
        C:\Windows\system32\luuzec.exe 1576 "C:\Windows\SysWOW64\gtmenx.exe"
        249⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\qkrusi.exe
        
        C:\Windows\system32\qkrusi.exe 1644 "C:\Windows\SysWOW64\luuzec.exe"
        250⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\Windows\SysWOW64\agsehd.exe
        
        C:\Windows\system32\agsehd.exe 1636 "C:\Windows\SysWOW64\qkrusi.exe"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\fwxzdr.exe
        
        C:\Windows\system32\fwxzdr.exe 1564 "C:\Windows\SysWOW64\agsehd.exe"
        252⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\mekrqg.exe
        
        C:\Windows\system32\mekrqg.exe 1656 "C:\Windows\SysWOW64\fwxzdr.exe"
        253⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\ufjrev.exe
        
        C:\Windows\system32\ufjrev.exe 1652 "C:\Windows\SysWOW64\mekrqg.exe"
        254⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\eevppu.exe
        
        C:\Windows\system32\eevppu.exe 1664 "C:\Windows\SysWOW64\ufjrev.exe"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\jrpxiw.exe
        
        C:\Windows\system32\jrpxiw.exe 1632 "C:\Windows\SysWOW64\eevppu.exe"
        256⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\ohlrek.exe
        
        C:\Windows\system32\ohlrek.exe 1600 "C:\Windows\SysWOW64\jrpxiw.exe"
        257⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\tmfzpl.exe
        
        C:\Windows\system32\tmfzpl.exe 1660 "C:\Windows\SysWOW64\ohlrek.exe"
        258⤵
        Drops file in System32 directory
        
        PID:2368
        
        C:\Windows\SysWOW64\dhgkfg.exe
        
        C:\Windows\system32\dhgkfg.exe 1708 "C:\Windows\SysWOW64\tmfzpl.exe"
        259⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\fguzdl.exe
        
        C:\Windows\system32\fguzdl.exe 1648 "C:\Windows\SysWOW64\dhgkfg.exe"
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\mohrpa.exe
        
        C:\Windows\system32\mohrpa.exe 1680 "C:\Windows\SysWOW64\fguzdl.exe"
        261⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\rxquff.exe
        
        C:\Windows\system32\rxquff.exe 1724 "C:\Windows\SysWOW64\mohrpa.exe"
        262⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\uhpkxb.exe
        
        C:\Windows\system32\uhpkxb.exe 1748 "C:\Windows\SysWOW64\rxquff.exe"
        263⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\uwfppk.exe
        
        C:\Windows\system32\uwfppk.exe 1688 "C:\Windows\SysWOW64\uhpkxb.exe"
        264⤵
        Identifies Wine through registry keys
        
        PID:2484
        
        C:\Windows\SysWOW64\qbahvz.exe
        
        C:\Windows\system32\qbahvz.exe 1668 "C:\Windows\SysWOW64\uwfppk.exe"
        265⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\vnupoj.exe
        
        C:\Windows\system32\vnupoj.exe 1616 "C:\Windows\SysWOW64\qbahvz.exe"
        266⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\dkecyu.exe
        
        C:\Windows\system32\dkecyu.exe 1608 "C:\Windows\SysWOW64\vnupoj.exe"
        267⤵
        
        PID:944
        
        C:\Windows\SysWOW64\ffhftu.exe
        
        C:\Windows\system32\ffhftu.exe 1692 "C:\Windows\SysWOW64\dkecyu.exe"
        268⤵
        Identifies Wine through registry keys
        
        PID:2160
        
        C:\Windows\SysWOW64\fygfhb.exe
        
        C:\Windows\system32\fygfhb.exe 1672 "C:\Windows\SysWOW64\ffhftu.exe"
        269⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\htiicc.exe
        
        C:\Windows\system32\htiicc.exe 1676 "C:\Windows\SysWOW64\fygfhb.exe"
        270⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\mgcqwl.exe
        
        C:\Windows\system32\mgcqwl.exe 1704 "C:\Windows\SysWOW64\htiicc.exe"
        271⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\qohlkr.exe
        
        C:\Windows\system32\qohlkr.exe 1700 "C:\Windows\SysWOW64\mgcqwl.exe"
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\sjjnfs.exe
        
        C:\Windows\system32\sjjnfs.exe 1712 "C:\Windows\SysWOW64\qohlkr.exe"
        273⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cjolxr.exe
        
        C:\Windows\system32\cjolxr.exe 1736 "C:\Windows\SysWOW64\sjjnfs.exe"
        274⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\nbdqch.exe
        
        C:\Windows\system32\nbdqch.exe 1696 "C:\Windows\SysWOW64\cjolxr.exe"
        275⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\paryal.exe
        
        C:\Windows\system32\paryal.exe 1744 "C:\Windows\SysWOW64\nbdqch.exe"
        276⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\xeblrw.exe
        
        C:\Windows\system32\xeblrw.exe 1732 "C:\Windows\SysWOW64\paryal.exe"
        277⤵
        
        PID:640
        
        C:\Windows\SysWOW64\bjvtcg.exe
        
        C:\Windows\system32\bjvtcg.exe 1760 "C:\Windows\SysWOW64\xeblrw.exe"
        278⤵
        
        PID:588
        
        C:\Windows\SysWOW64\hsdotm.exe
        
        C:\Windows\system32\hsdotm.exe 1764 "C:\Windows\SysWOW64\bjvtcg.exe"
        279⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\goplqd.exe
        
        C:\Windows\system32\goplqd.exe 1720 "C:\Windows\SysWOW64\hsdotm.exe"
        280⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\qjqdfx.exe
        
        C:\Windows\system32\qjqdfx.exe 1728 "C:\Windows\SysWOW64\goplqd.exe"
        281⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\vanqbd.exe
        
        C:\Windows\system32\vanqbd.exe 1756 "C:\Windows\SysWOW64\qjqdfx.exe"
        282⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\aqslpr.exe
        
        C:\Windows\system32\aqslpr.exe 1776 "C:\Windows\SysWOW64\vanqbd.exe"
        283⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\fraggw.exe
        
        C:\Windows\system32\fraggw.exe 1772 "C:\Windows\SysWOW64\aqslpr.exe"
        284⤵
        Drops file in System32 directory
        
        PID:2232
        
        C:\Windows\SysWOW64\hndjbx.exe
        
        C:\Windows\system32\hndjbx.exe 1808 "C:\Windows\SysWOW64\fraggw.exe"
        285⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\mrwruz.exe
        
        C:\Windows\system32\mrwruz.exe 1828 "C:\Windows\SysWOW64\hndjbx.exe"
        286⤵
        
        PID:812
        
        C:\Windows\SysWOW64\qeqyni.exe
        
        C:\Windows\system32\qeqyni.exe 1684 "C:\Windows\SysWOW64\mrwruz.exe"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\yfpzup.exe
        
        C:\Windows\system32\yfpzup.exe 1752 "C:\Windows\SysWOW64\qeqyni.exe"
        288⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\gnkroe.exe
        
        C:\Windows\system32\gnkroe.exe 1792 "C:\Windows\SysWOW64\yfpzup.exe"
        289⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\kdhmks.exe
        
        C:\Windows\system32\kdhmks.exe 1716 "C:\Windows\SysWOW64\gnkroe.exe"
        290⤵
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\szrzte.exe
        
        C:\Windows\system32\szrzte.exe 1536 "C:\Windows\SysWOW64\kdhmks.exe"
        291⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\xmlhnn.exe
        
        C:\Windows\system32\xmlhnn.exe 1800 "C:\Windows\SysWOW64\szrzte.exe"
        292⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\hlpexm.exe
        
        C:\Windows\system32\hlpexm.exe 1804 "C:\Windows\SysWOW64\xmlhnn.exe"
        293⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\myimqo.exe
        
        C:\Windows\system32\myimqo.exe 1768 "C:\Windows\SysWOW64\hlpexm.exe"
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:836
        
        C:\Windows\SysWOW64\tgeell.exe
        
        C:\Windows\system32\tgeell.exe 1816 "C:\Windows\SysWOW64\myimqo.exe"
        295⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\bnrwxb.exe
        
        C:\Windows\system32\bnrwxb.exe 1836 "C:\Windows\SysWOW64\tgeell.exe"
        296⤵
        
        PID:632
        
        C:\Windows\SysWOW64\faleqk.exe
        
        C:\Windows\system32\faleqk.exe 1824 "C:\Windows\SysWOW64\bnrwxb.exe"
        297⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\Windows\SysWOW64\lypued.exe
        
        C:\Windows\system32\lypued.exe 1812 "C:\Windows\SysWOW64\faleqk.exe"
        298⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\sfdmqb.exe
        
        C:\Windows\system32\sfdmqb.exe 1740 "C:\Windows\SysWOW64\lypued.exe"
        299⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\utgplt.exe
        
        C:\Windows\system32\utgplt.exe 1892 "C:\Windows\SysWOW64\sfdmqb.exe"
        300⤵
        
        PID:780
        
        C:\Windows\SysWOW64\xlxmdp.exe
        
        C:\Windows\system32\xlxmdp.exe 1844 "C:\Windows\SysWOW64\utgplt.exe"
        301⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\rvxcvl.exe
        
        C:\Windows\system32\rvxcvl.exe 1852 "C:\Windows\SysWOW64\xlxmdp.exe"
        302⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\wluxrz.exe
        
        C:\Windows\system32\wluxrz.exe 1784 "C:\Windows\SysWOW64\rvxcvl.exe"
        303⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\bmksif.exe
        
        C:\Windows\system32\bmksif.exe 1924 "C:\Windows\SysWOW64\wluxrz.exe"
        304⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\iuxkcu.exe
        
        C:\Windows\system32\iuxkcu.exe 1780 "C:\Windows\SysWOW64\bmksif.exe"
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\nhrsnw.exe
        
        C:\Windows\system32\nhrsnw.exe 1860 "C:\Windows\SysWOW64\iuxkcu.exe"
        306⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\prihfs.exe
        
        C:\Windows\system32\prihfs.exe 1848 "C:\Windows\SysWOW64\nhrsnw.exe"
        307⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\ukypek.exe
        
        C:\Windows\system32\ukypek.exe 1884 "C:\Windows\SysWOW64\prihfs.exe"
        308⤵
        Drops file in System32 directory
        
        PID:1564
        
        C:\Windows\SysWOW64\blxqtr.exe
        
        C:\Windows\system32\blxqtr.exe 1796 "C:\Windows\SysWOW64\ukypek.exe"
        309⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\gbucpf.exe
        
        C:\Windows\system32\gbucpf.exe 1868 "C:\Windows\SysWOW64\blxqtr.exe"
        310⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\qxvvwa.exe
        
        C:\Windows\system32\qxvvwa.exe 1820 "C:\Windows\SysWOW64\gbucpf.exe"
        311⤵
        Identifies Wine through registry keys
        
        PID:2772
        
        C:\Windows\SysWOW64\vnaisg.exe
        
        C:\Windows\system32\vnaisg.exe 1872 "C:\Windows\SysWOW64\qxvvwa.exe"
        312⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\apidbl.exe
        
        C:\Windows\system32\apidbl.exe 1948 "C:\Windows\SysWOW64\vnaisg.exe"
        313⤵
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\atuigc.exe
        
        C:\Windows\system32\atuigc.exe 1832 "C:\Windows\SysWOW64\apidbl.exe"
        314⤵
        
        PID:692
        
        C:\Windows\SysWOW64\exoqzm.exe
        
        C:\Windows\system32\exoqzm.exe 1840 "C:\Windows\SysWOW64\atuigc.exe"
        315⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\mymqgs.exe
        
        C:\Windows\system32\mymqgs.exe 1788 "C:\Windows\SysWOW64\exoqzm.exe"
        316⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\rordcg.exe
        
        C:\Windows\system32\rordcg.exe 1864 "C:\Windows\SysWOW64\mymqgs.exe"
        317⤵
        Identifies Wine through registry keys
        
        PID:2852
        
        C:\Windows\SysWOW64\ywfdow.exe
        
        C:\Windows\system32\ywfdow.exe 1876 "C:\Windows\SysWOW64\rordcg.exe"
        318⤵
        Identifies Wine through registry keys
        
        PID:1968
        
        C:\Windows\SysWOW64\gpevcd.exe
        
        C:\Windows\system32\gpevcd.exe 1900 "C:\Windows\SysWOW64\ywfdow.exe"
        319⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\ioslah.exe
        
        C:\Windows\system32\ioslah.exe 1880 "C:\Windows\SysWOW64\gpevcd.exe"
        320⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\kjunvi.exe
        
        C:\Windows\system32\kjunvi.exe 1928 "C:\Windows\SysWOW64\ioslah.exe"
        321⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\pkdqmn.exe
        
        C:\Windows\system32\pkdqmn.exe 1956 "C:\Windows\SysWOW64\kjunvi.exe"
        322⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\xpnvvy.exe
        
        C:\Windows\system32\xpnvvy.exe 1936 "C:\Windows\SysWOW64\pkdqmn.exe"
        323⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\wlzbap.exe
        
        C:\Windows\system32\wlzbap.exe 1916 "C:\Windows\SysWOW64\xpnvvy.exe"
        324⤵
        Identifies Wine through registry keys
        
        PID:2848
        
        C:\Windows\SysWOW64\esutmn.exe
        
        C:\Windows\system32\esutmn.exe 1908 "C:\Windows\SysWOW64\wlzbap.exe"
        325⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\lwxgdy.exe
        
        C:\Windows\system32\lwxgdy.exe 1920 "C:\Windows\SysWOW64\esutmn.exe"
        326⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\SysWOW64\tesyqn.exe
        
        C:\Windows\system32\tesyqn.exe 1952 "C:\Windows\SysWOW64\lwxgdy.exe"
        327⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\xrmgjx.exe
        
        C:\Windows\system32\xrmgjx.exe 1904 "C:\Windows\SysWOW64\tesyqn.exe"
        328⤵
        
        PID:524
        
        C:\Windows\SysWOW64\iqqetw.exe
        
        C:\Windows\system32\iqqetw.exe 1912 "C:\Windows\SysWOW64\xrmgjx.exe"
        329⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\mdjlnx.exe
        
        C:\Windows\system32\mdjlnx.exe 1964 "C:\Windows\SysWOW64\iqqetw.exe"
        330⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2412
        
        C:\Windows\SysWOW64\uvimbm.exe
        
        C:\Windows\system32\uvimbm.exe 1968 "C:\Windows\SysWOW64\mdjlnx.exe"
        331⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\wuwbzr.exe
        
        C:\Windows\system32\wuwbzr.exe 1988 "C:\Windows\SysWOW64\uvimbm.exe"
        332⤵
        Identifies Wine through registry keys
        
        PID:1156
        
        C:\Windows\SysWOW64\evvbgy.exe
        
        C:\Windows\system32\evvbgy.exe 1940 "C:\Windows\SysWOW64\wuwbzr.exe"
        333⤵
        Identifies Wine through registry keys
        
        PID:2568
        
        C:\Windows\SysWOW64\mrfhxj.exe
        
        C:\Windows\system32\mrfhxj.exe 1944 "C:\Windows\SysWOW64\evvbgy.exe"
        334⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\iicbtx.exe
        
        C:\Windows\system32\iicbtx.exe 1888 "C:\Windows\SysWOW64\mrfhxj.exe"
        335⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\nuvjmg.exe
        
        C:\Windows\system32\nuvjmg.exe 1984 "C:\Windows\SysWOW64\iicbtx.exe"
        336⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\ucrbyw.exe
        
        C:\Windows\system32\ucrbyw.exe 1960 "C:\Windows\SysWOW64\nuvjmg.exe"
        337⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cdqcnd.exe
        
        C:\Windows\system32\cdqcnd.exe 1972 "C:\Windows\SysWOW64\ucrbyw.exe"
        338⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\jophcw.exe
        
        C:\Windows\system32\jophcw.exe 2020 "C:\Windows\SysWOW64\cdqcnd.exe"
        339⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\mbrjxx.exe
        
        C:\Windows\system32\mbrjxx.exe 1976 "C:\Windows\SysWOW64\jophcw.exe"
        340⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\wthpkn.exe
        
        C:\Windows\system32\wthpkn.exe 2004 "C:\Windows\SysWOW64\mbrjxx.exe"
        341⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\gttmum.exe
        
        C:\Windows\system32\gttmum.exe 2036 "C:\Windows\SysWOW64\wthpkn.exe"
        342⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\lubute.exe
        
        C:\Windows\system32\lubute.exe 1932 "C:\Windows\SysWOW64\gttmum.exe"
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\netkla.exe
        
        C:\Windows\system32\netkla.exe 2000 "C:\Windows\SysWOW64\lubute.exe"
        344⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\sfbfux.exe
        
        C:\Windows\system32\sfbfux.exe 1996 "C:\Windows\SysWOW64\netkla.exe"
        345⤵
        Identifies Wine through registry keys
        
        PID:4036
        
        C:\Windows\SysWOW64\sykxws.exe
        
        C:\Windows\system32\sykxws.exe 2088 "C:\Windows\SysWOW64\sfbfux.exe"
        346⤵
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\xldxpu.exe
        
        C:\Windows\system32\xldxpu.exe 2016 "C:\Windows\SysWOW64\sykxws.exe"
        347⤵
        System Location Discovery: System Language Discovery
        
        PID:3080
        
        C:\Windows\SysWOW64\bbasdi.exe
        
        C:\Windows\system32\bbasdi.exe 2028 "C:\Windows\SysWOW64\xldxpu.exe"
        348⤵
        Identifies Wine through registry keys
        
        PID:3256
        
        C:\Windows\SysWOW64\gcqntn.exe
        
        C:\Windows\system32\gcqntn.exe 2012 "C:\Windows\SysWOW64\bbasdi.exe"
        349⤵
        Identifies Wine through registry keys
        
        PID:3400
        
        C:\Windows\SysWOW64\iytppg.exe
        
        C:\Windows\system32\iytppg.exe 2100 "C:\Windows\SysWOW64\gcqntn.exe"
        350⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\ndfxip.exe
        
        C:\Windows\system32\ndfxip.exe 1980 "C:\Windows\SysWOW64\iytppg.exe"
        351⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\vkaxcf.exe
        
        C:\Windows\system32\vkaxcf.exe 2044 "C:\Windows\SysWOW64\ndfxip.exe"
        352⤵
        Identifies Wine through registry keys
        
        PID:4056
        
        C:\Windows\SysWOW64\dlzxjt.exe
        
        C:\Windows\system32\dlzxjt.exe 2052 "C:\Windows\SysWOW64\vkaxcf.exe"
        353⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\cswiip.exe
        
        C:\Windows\system32\cswiip.exe 2068 "C:\Windows\SysWOW64\dlzxjt.exe"
        354⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\hqtqwq.exe
        
        C:\Windows\system32\hqtqwq.exe 2080 "C:\Windows\SysWOW64\cswiip.exe"
        355⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\jphfum.exe
        
        C:\Windows\system32\jphfum.exe 2024 "C:\Windows\SysWOW64\hqtqwq.exe"
        356⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\oubnnw.exe
        
        C:\Windows\system32\oubnnw.exe 2032 "C:\Windows\SysWOW64\jphfum.exe"
        357⤵
        Drops file in System32 directory
        
        PID:3584
        
        C:\Windows\SysWOW64\thuvgg.exe
        
        C:\Windows\system32\thuvgg.exe 2040 "C:\Windows\SysWOW64\oubnnw.exe"
        358⤵
        Identifies Wine through registry keys
        
        PID:3596
        
        C:\Windows\SysWOW64\xtodri.exe
        
        C:\Windows\system32\xtodri.exe 2056 "C:\Windows\SysWOW64\thuvgg.exe"
        359⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cyhdlr.exe
        
        C:\Windows\system32\cyhdlr.exe 1896 "C:\Windows\SysWOW64\xtodri.exe"
        360⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\kcsqcc.exe
        
        C:\Windows\system32\kcsqcc.exe 2064 "C:\Windows\SysWOW64\cyhdlr.exe"
        361⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\otolyq.exe
        
        C:\Windows\system32\otolyq.exe 2060 "C:\Windows\SysWOW64\kcsqcc.exe"
        362⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\uuxggo.exe
        
        C:\Windows\system32\uuxggo.exe 1992 "C:\Windows\SysWOW64\otolyq.exe"
        363⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\bvvgvd.exe
        
        C:\Windows\system32\bvvgvd.exe 2156 "C:\Windows\SysWOW64\uuxggo.exe"
        364⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\yzzyuk.exe
        
        C:\Windows\system32\yzzyuk.exe 2104 "C:\Windows\SysWOW64\bvvgvd.exe"
        365⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\dbhtkq.exe
        
        C:\Windows\system32\dbhtkq.exe 2124 "C:\Windows\SysWOW64\yzzyuk.exe"
        366⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\anbbdz.exe
        
        C:\Windows\system32\anbbdz.exe 2076 "C:\Windows\SysWOW64\dbhtkq.exe"
        367⤵
        System Location Discovery: System Language Discovery
        
        PID:3804
        
        C:\Windows\SysWOW64\cxsyvv.exe
        
        C:\Windows\system32\cxsyvv.exe 2112 "C:\Windows\SysWOW64\anbbdz.exe"
        368⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
        
        C:\Windows\SysWOW64\zkoqud.exe
        
        C:\Windows\system32\zkoqud.exe 2092 "C:\Windows\SysWOW64\cxsyvv.exe"
        369⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\elwlki.exe
        
        C:\Windows\system32\elwlki.exe 2116 "C:\Windows\SysWOW64\zkoqud.exe"
        370⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\jbbgho.exe
        
        C:\Windows\system32\jbbgho.exe 2072 "C:\Windows\SysWOW64\elwlki.exe"
        371⤵
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\ruagvd.exe
        
        C:\Windows\system32\ruagvd.exe 2200 "C:\Windows\SysWOW64\jbbgho.exe"
        372⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\stowta.exe
        
        C:\Windows\system32\stowta.exe 2120 "C:\Windows\SysWOW64\ruagvd.exe"
        373⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\xcwrbf.exe
        
        C:\Windows\system32\xcwrbf.exe 2008 "C:\Windows\SysWOW64\stowta.exe"
        374⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\chpzvp.exe
        
        C:\Windows\system32\chpzvp.exe 1856 "C:\Windows\SysWOW64\xcwrbf.exe"
        375⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\edsbqp.exe
        
        C:\Windows\system32\edsbqp.exe 2096 "C:\Windows\SysWOW64\chpzvp.exe"
        376⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\hmkril.exe
        
        C:\Windows\system32\hmkril.exe 2128 "C:\Windows\SysWOW64\edsbqp.exe"
        377⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:3276
        
        C:\Windows\SysWOW64\ldomer.exe
        
        C:\Windows\system32\ldomer.exe 2144 "C:\Windows\SysWOW64\hmkril.exe"
        378⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\qexhux.exe
        
        C:\Windows\system32\qexhux.exe 2132 "C:\Windows\SysWOW64\ldomer.exe"
        379⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\sdlwsb.exe
        
        C:\Windows\system32\sdlwsb.exe 2148 "C:\Windows\SysWOW64\qexhux.exe"
        380⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\ahvkbn.exe
        
        C:\Windows\system32\ahvkbn.exe 2108 "C:\Windows\SysWOW64\sdlwsb.exe"
        381⤵
        Identifies Wine through registry keys
        
        PID:3816
        
        C:\Windows\SysWOW64\crnzuj.exe
        
        C:\Windows\system32\crnzuj.exe 2152 "C:\Windows\SysWOW64\ahvkbn.exe"
        382⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\empcpj.exe
        
        C:\Windows\system32\empcpj.exe 2136 "C:\Windows\SysWOW64\crnzuj.exe"
        383⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\jrjkil.exe
        
        C:\Windows\system32\jrjkil.exe 2084 "C:\Windows\SysWOW64\empcpj.exe"
        384⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\oarfyq.exe
        
        C:\Windows\system32\oarfyq.exe 2176 "C:\Windows\SysWOW64\jrjkil.exe"
        385⤵
        
        PID:584
        
        C:\Windows\SysWOW64\tflmsa.exe
        
        C:\Windows\system32\tflmsa.exe 2212 "C:\Windows\SysWOW64\oarfyq.exe"
        386⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\tylfmm.exe
        
        C:\Windows\system32\tylfmm.exe 2168 "C:\Windows\SysWOW64\tflmsa.exe"
        387⤵
        Drops file in System32 directory
        
        PID:3712
        
        C:\Windows\SysWOW64\ylfffw.exe
        
        C:\Windows\system32\ylfffw.exe 2252 "C:\Windows\SysWOW64\tylfmm.exe"
        388⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\dxynyy.exe
        
        C:\Windows\system32\dxynyy.exe 2140 "C:\Windows\SysWOW64\ylfffw.exe"
        389⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\flbpty.exe
        
        C:\Windows\system32\flbpty.exe 2188 "C:\Windows\SysWOW64\dxynyy.exe"
        390⤵
        
        PID:756
        
        C:\Windows\SysWOW64\hgeaoz.exe
        
        C:\Windows\system32\hgeaoz.exe 2172 "C:\Windows\SysWOW64\flbpty.exe"
        391⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\mlyazi.exe
        
        C:\Windows\system32\mlyazi.exe 2192 "C:\Windows\SysWOW64\hgeaoz.exe"
        392⤵
        Identifies Wine through registry keys
        
        PID:3076
        
        C:\Windows\SysWOW64\tmwaop.exe
        
        C:\Windows\system32\tmwaop.exe 2164 "C:\Windows\SysWOW64\mlyazi.exe"
        393⤵
        Identifies Wine through registry keys
        
        PID:3252
        
        C:\Windows\SysWOW64\vllpmu.exe
        
        C:\Windows\system32\vllpmu.exe 2276 "C:\Windows\SysWOW64\tmwaop.exe"
        394⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\ddjqab.exe
        
        C:\Windows\system32\ddjqab.exe 2180 "C:\Windows\SysWOW64\vllpmu.exe"
        395⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\dwkiuv.exe
        
        C:\Windows\system32\dwkiuv.exe 2220 "C:\Windows\SysWOW64\ddjqab.exe"
        396⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\frnlpo.exe
        
        C:\Windows\system32\frnlpo.exe 2204 "C:\Windows\SysWOW64\dwkiuv.exe"
        397⤵
        Identifies Wine through registry keys
        
        PID:3988
        
        C:\Windows\SysWOW64\wnzimm.exe
        
        C:\Windows\system32\wnzimm.exe 2224 "C:\Windows\SysWOW64\frnlpo.exe"
        398⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\evvigc.exe
        
        C:\Windows\system32\evvigc.exe 2216 "C:\Windows\SysWOW64\wnzimm.exe"
        399⤵
        Identifies Wine through registry keys
        
        PID:3616
        
        C:\Windows\SysWOW64\jtsqmd.exe
        
        C:\Windows\system32\jtsqmd.exe 2268 "C:\Windows\SysWOW64\evvigc.exe"
        400⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\oflyff.exe
        
        C:\Windows\system32\oflyff.exe 2236 "C:\Windows\SysWOW64\jtsqmd.exe"
        401⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\tsfgyo.exe
        
        C:\Windows\system32\tsfgyo.exe 2232 "C:\Windows\SysWOW64\oflyff.exe"
        402⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\ujtvwt.exe
        
        C:\Windows\system32\ujtvwt.exe 2248 "C:\Windows\SysWOW64\tsfgyo.exe"
        403⤵
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\xbklpp.exe
        
        C:\Windows\system32\xbklpp.exe 2240 "C:\Windows\SysWOW64\ujtvwt.exe"
        404⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\ejgdjf.exe
        
        C:\Windows\system32\ejgdjf.exe 2208 "C:\Windows\SysWOW64\xbklpp.exe"
        405⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:3432
        
        C:\Windows\SysWOW64\mnqqsq.exe
        
        C:\Windows\system32\mnqqsq.exe 2196 "C:\Windows\SysWOW64\ejgdjf.exe"
        406⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\tjsdkj.exe
        
        C:\Windows\system32\tjsdkj.exe 2184 "C:\Windows\SysWOW64\mnqqsq.exe"
        407⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\ywmlvk.exe
        
        C:\Windows\system32\ywmlvk.exe 2256 "C:\Windows\SysWOW64\tjsdkj.exe"
        408⤵
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\gawrme.exe
        
        C:\Windows\system32\gawrme.exe 2284 "C:\Windows\SysWOW64\ywmlvk.exe"
        409⤵
        Drops file in System32 directory
        
        PID:3532
        
        C:\Windows\SysWOW64\lqblik.exe
        
        C:\Windows\system32\lqblik.exe 2260 "C:\Windows\SysWOW64\gawrme.exe"
        410⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\qsjgzp.exe
        
        C:\Windows\system32\qsjgzp.exe 2272 "C:\Windows\SysWOW64\lqblik.exe"
        411⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\arnejo.exe
        
        C:\Windows\system32\arnejo.exe 2264 "C:\Windows\SysWOW64\qsjgzp.exe"
        412⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\ehszfu.exe
        
        C:\Windows\system32\ehszfu.exe 2280 "C:\Windows\SysWOW64\arnejo.exe"
        413⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\kqatvz.exe
        
        C:\Windows\system32\kqatvz.exe 2244 "C:\Windows\SysWOW64\ehszfu.exe"
        414⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\okitmk.exe
        
        C:\Windows\system32\okitmk.exe 2228 "C:\Windows\SysWOW64\kqatvz.exe"
        415⤵
        Drops file in System32 directory
        
        PID:1328
        
        C:\Windows\SysWOW64\wlptby.exe
        
        C:\Windows\system32\wlptby.exe 2288 "C:\Windows\SysWOW64\okitmk.exe"
        416⤵
        
        PID:968
        
        C:\Windows\SysWOW64\dscuvo.exe
        
        C:\Windows\system32\dscuvo.exe 2160 "C:\Windows\SysWOW64\wlptby.exe"
        417⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\fcujnk.exe
        
        C:\Windows\system32\fcujnk.exe 2332 "C:\Windows\SysWOW64\dscuvo.exe"
        418⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\ktzeby.exe
        
        C:\Windows\system32\ktzeby.exe 2308 "C:\Windows\SysWOW64\fcujnk.exe"
        419⤵
        Identifies Wine through registry keys
        
        PID:3328
        
        C:\Windows\SysWOW64\puhzsv.exe
        
        C:\Windows\system32\puhzsv.exe 2388 "C:\Windows\SysWOW64\ktzeby.exe"
        420⤵
        Identifies Wine through registry keys
        
        PID:3704
        
        C:\Windows\SysWOW64\wfgepp.exe
        
        C:\Windows\system32\wfgepp.exe 2312 "C:\Windows\SysWOW64\puhzsv.exe"
        421⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\clkmuq.exe
        
        C:\Windows\system32\clkmuq.exe 2352 "C:\Windows\SysWOW64\wfgepp.exe"
        422⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\hqeuoa.exe
        
        C:\Windows\system32\hqeuoa.exe 2296 "C:\Windows\SysWOW64\clkmuq.exe"
        423⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\guqrkr.exe
        
        C:\Windows\system32\guqrkr.exe 2324 "C:\Windows\SysWOW64\hqeuoa.exe"
        424⤵
        Identifies Wine through registry keys
        
        PID:3384
        
        C:\Windows\SysWOW64\qprkal.exe
        
        C:\Windows\system32\qprkal.exe 2392 "C:\Windows\SysWOW64\guqrkr.exe"
        425⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\vgoxwz.exe
        
        C:\Windows\system32\vgoxwz.exe 2336 "C:\Windows\SysWOW64\qprkal.exe"
        426⤵
        
        PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\btmttb.exe

Filesize
498KB

MD5
81cc11a664618647600e1680dd772a57

SHA1
b964473a5b3afb316242ea11e26391783da6c6ba

SHA256
08c6abfb2bb8814fa487937e9ea7900fe5469dd8557b2f057b6e5bc2a9c5d626

SHA512
464117c4496d0600c73bd9474be05a7a7aa763e903f4c95186bd9a7386c97749d79b45bae9d904e6455aec4d696688ec5c4811506940ebe92499f528dafcfc91

Download Submit
memory/112-452-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/368-298-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/612-417-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/776-107-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/776-104-0x0000000004A00000-0x0000000004BB7000-memory.dmp

Filesize
1.7MB

Download
memory/776-92-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/876-291-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/924-480-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/928-225-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/928-221-0x00000000048C0000-0x0000000004A77000-memory.dmp

Filesize
1.7MB

Download
memory/928-222-0x00000000048C0000-0x0000000004A77000-memory.dmp

Filesize
1.7MB

Download
memory/928-209-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/952-438-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1096-347-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1100-211-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1100-210-0x00000000048D0000-0x0000000004A87000-memory.dmp

Filesize
1.7MB

Download
memory/1252-529-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1296-198-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1296-194-0x00000000048B0000-0x0000000004A67000-memory.dmp

Filesize
1.7MB

Download
memory/1296-195-0x00000000048B0000-0x0000000004A67000-memory.dmp

Filesize
1.7MB

Download
memory/1296-183-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1500-424-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1520-473-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1532-361-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1544-233-0x0000000004840000-0x00000000049F7000-memory.dmp

Filesize
1.7MB

Download
memory/1544-237-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1544-234-0x0000000004840000-0x00000000049F7000-memory.dmp

Filesize
1.7MB

Download
memory/1568-543-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1588-564-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1604-550-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1620-431-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1656-340-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1680-263-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1708-487-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1740-354-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1792-403-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1916-459-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1944-270-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1964-333-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2012-571-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2016-522-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2104-536-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2108-90-0x0000000004910000-0x0000000004AC7000-memory.dmp

Filesize
1.7MB

Download
memory/2108-94-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2108-78-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2200-319-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2256-312-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2288-494-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2304-277-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2328-501-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2348-120-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2348-117-0x00000000048F0000-0x0000000004AA7000-memory.dmp

Filesize
1.7MB

Download
memory/2436-284-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2440-20-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2440-25-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2444-145-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2444-131-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2444-142-0x00000000048F0000-0x0000000004AA7000-memory.dmp

Filesize
1.7MB

Download
memory/2448-466-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2504-132-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2548-0-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2548-4-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2548-10-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2548-3-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2548-6-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2548-17-0x0000000004960000-0x0000000004B17000-memory.dmp

Filesize
1.7MB

Download
memory/2548-19-0x0000000004960000-0x0000000004B17000-memory.dmp

Filesize
1.7MB

Download
memory/2548-1-0x0000000000401000-0x0000000000410000-memory.dmp

Filesize
60KB

Download
memory/2548-2-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2548-5-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2556-382-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2608-515-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2616-56-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2616-49-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2616-65-0x00000000048C0000-0x0000000004A77000-memory.dmp

Filesize
1.7MB

Download
memory/2616-62-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2616-63-0x00000000048C0000-0x0000000004A77000-memory.dmp

Filesize
1.7MB

Download
memory/2616-50-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2624-508-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2672-557-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2692-184-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2692-182-0x00000000049E0000-0x0000000004B97000-memory.dmp

Filesize
1.7MB

Download
memory/2696-389-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2704-34-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2704-42-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2704-41-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2704-35-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2712-246-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2712-235-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2712-244-0x0000000004840000-0x00000000049F7000-memory.dmp

Filesize
1.7MB

Download
memory/2732-255-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2732-253-0x0000000004900000-0x0000000004AB7000-memory.dmp

Filesize
1.7MB

Download
memory/2788-368-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2808-156-0x0000000004940000-0x0000000004AF7000-memory.dmp

Filesize
1.7MB

Download
memory/2808-157-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2808-158-0x0000000004940000-0x0000000004AF7000-memory.dmp

Filesize
1.7MB

Download
memory/2840-326-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2856-445-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2864-305-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2904-375-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2936-168-0x00000000049D0000-0x0000000004B87000-memory.dmp

Filesize
1.7MB

Download
memory/2936-171-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2956-80-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2956-76-0x0000000004910000-0x0000000004AC7000-memory.dmp

Filesize
1.7MB

Download
memory/2956-64-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/3004-396-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/3016-410-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download