metasploit | cb54b281d83fd949fca3317e5d7b9fa941ebb6cc183bea69c7334bd0c0b92461

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe
Size

519KB
MD5

ebb8f6a9404068518cf8e14da9df95c5
SHA1

06851421db48a190c656eaf65d6919cb242572cc
SHA256

cb54b281d83fd949fca3317e5d7b9fa941ebb6cc183bea69c7334bd0c0b92461
SHA512

6538129c0b64c6d738f3b51eee41d7d6120811106fba35efdbe72b39c08339ee23af657a622608e914a0e156186fadde25fbd3d3a63c24ccc343d14402a56f59
SSDEEP

12288:7+wUcCTJ5iUtD/ZDedM7hxUysgX3GkN1+O7YricUWe:7+PcCTJ5igVSWPX3GkmJr9UWe

Score

10^/10

metasploit backdoor discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

pid	Process
2784	nhlduqy.exe
2668	fhlltzr.exe
1236	jtftmae.exe
1144	zczlnej.exe
1988	logtseg.exe
1716	swclnth.exe
1736	xfkgdyn.exe
2944	xbwlape.exe
2564	zlnbslm.exe
1856	bdnrkhm.exe
1508	dutgimz.exe
888	lvagxtd.exe
2536	ntgwvyr.exe
2108	qauhkpa.exe
2936	rrioiuf.exe
2080	uxpzxmo.exe
2776	zkihivt.exe
1792	excpcxg.exe
1604	voezpdm.exe
1064	gkfrxxm.exe
2188	smlhikr.exe
2172	fdfczkw.exe
1080	sbiehsc.exe
1676	ceypvvi.exe
1984	pcsrddo.exe
1940	ctnumel.exe
2356	mhorkly.exe
2020	zufhqpx.exe
328	mkakypd.exe
2152	ymgakch.exe
2924	ldjcskn.exe
3004	nnyffnt.exe
3008	aethwny.exe
2952	ngzxhad.exe
2352	awcaqii.exe
2448	nvxczio.exe
1128	wjyappb.exe
2112	jwhpvta.exe
876	wqnxgye.exe
684	galibbk.exe
1148	wflcfoh.exe
868	gtlavnu.exe
1564	sjgdewa.exe
1756	fijfmef.exe
2608	syeived.exe
2856	zkdnsgt.exe
448	mifqbgz.exe
1204	xeyaiaa.exe
1100	kubdzix.exe
3000	ufqnmml.exe
2768	gvlqvuj.exe
2908	opkvsnz.exe
2576	etsqotw.exe
1624	lervlme.exe
600	xgxlwzr.exe
1936	kxsofho.exe
2212	xvvqnhu.exe
1068	kmptepz.exe
1764	xckwnyx.exe
2468	hqlldxk.exe
2756	upoolfq.exe
2176	gfiqunv.exe
2732	twdtcnt.exe
1952	dgtdyrh.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	iqvjheh.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	xetllhk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	uyseeqt.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	isfjlhg.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	rtywtim.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	fhfzsrr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	yzpkgsl.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	qsznjek.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	iruukge.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	fhbudnj.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	qnyukmd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	jzskjsl.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	ulspodl.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	gppdman.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	cvayrkr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	kgzawuo.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	vvmlxua.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	apivxqy.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	xeyaiaa.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	bsafuig.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	icmndwx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	zexskqt.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	ztmxbyx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	vtxdmgb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	ddatazz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	efamesc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	mkakypd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	wqnxgye.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	fijfmef.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	ovvftvl.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	dvkuyzb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	gsjbqdz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	vapqlec.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	vmgdzws.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	gilnkyr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	texglkk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	mvwbnkg.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	czutlwu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	xpicrww.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	bweigcu.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	erszbqk.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	zdbfnfh.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	rfmvqkw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	xdcehxm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	bkgjquc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	knsqyzs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	hbrxbbf.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	tnwbihs.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	pvnexnr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	cstuclc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	jvwgocr.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	twkeini.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	cvwjgtm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	nkwyjwj.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	msgkowm.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	vxqxhop.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	xjzinkn.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	nhawtpx.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	itvinpw.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	avwqstz.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	clkideb.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	ywfoyvi.exe
Key opened	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine	mjwzwaz.exe

Loads dropped DLL 64 IoCs

pid	Process
2280	ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe
2280	ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe
2784	nhlduqy.exe
2784	nhlduqy.exe
2668	fhlltzr.exe
2668	fhlltzr.exe
1236	jtftmae.exe
1236	jtftmae.exe
1144	zczlnej.exe
1144	zczlnej.exe
1988	logtseg.exe
1988	logtseg.exe
1716	swclnth.exe
1716	swclnth.exe
1736	xfkgdyn.exe
1736	xfkgdyn.exe
2840	mvtykdg.exe
2840	mvtykdg.exe
2564	zlnbslm.exe
2564	zlnbslm.exe
1856	bdnrkhm.exe
1856	bdnrkhm.exe
1508	dutgimz.exe
1508	dutgimz.exe
888	lvagxtd.exe
888	lvagxtd.exe
2536	ntgwvyr.exe
2536	ntgwvyr.exe
2108	qauhkpa.exe
2108	qauhkpa.exe
2936	rrioiuf.exe
2936	rrioiuf.exe
2080	uxpzxmo.exe
2080	uxpzxmo.exe
2776	zkihivt.exe
2776	zkihivt.exe
1792	excpcxg.exe
1792	excpcxg.exe
1604	voezpdm.exe
1604	voezpdm.exe
1064	gkfrxxm.exe
1064	gkfrxxm.exe
2188	smlhikr.exe
2188	smlhikr.exe
2172	fdfczkw.exe
2172	fdfczkw.exe
1080	sbiehsc.exe
1080	sbiehsc.exe
1676	ceypvvi.exe
1676	ceypvvi.exe
1984	pcsrddo.exe
1984	pcsrddo.exe
1940	ctnumel.exe
1940	ctnumel.exe
2356	mhorkly.exe
2356	mhorkly.exe
2020	zufhqpx.exe
2020	zufhqpx.exe
328	mkakypd.exe
328	mkakypd.exe
2152	ymgakch.exe
2152	ymgakch.exe
2924	ldjcskn.exe
2924	ldjcskn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\syopeyb.exe	isozozo.exe
File created	C:\Windows\SysWOW64\efcsxos.exe	rohpgov.exe
File opened for modification	C:\Windows\SysWOW64\prxnfel.exe	cbclwwf.exe
File created	C:\Windows\SysWOW64\ohlkshw.exe	bjrhjzr.exe
File opened for modification	C:\Windows\SysWOW64\ztmxbyx.exe	mcsvsyr.exe
File opened for modification	C:\Windows\SysWOW64\vevroig.exe	iobpgaa.exe
File created	C:\Windows\SysWOW64\jirutsq.exe	zurevkl.exe
File created	C:\Windows\SysWOW64\npbpprj.exe	cqprxsj.exe
File created	C:\Windows\SysWOW64\zmrepfy.exe	mvobyfa.exe
File opened for modification	C:\Windows\SysWOW64\ngjuibr.exe	xbbzeou.exe
File opened for modification	C:\Windows\SysWOW64\vfqogkc.exe	iovlxcw.exe
File created	C:\Windows\SysWOW64\rnmuepf.exe	fwjrngz.exe
File opened for modification	C:\Windows\SysWOW64\xpicrww.exe	kznzbvq.exe
File opened for modification	C:\Windows\SysWOW64\purjmoj.exe	calcbbx.exe
File opened for modification	C:\Windows\SysWOW64\sbpdklo.exe	ivpfudb.exe
File opened for modification	C:\Windows\SysWOW64\jrbvdfv.exe	zdbfnfh.exe
File created	C:\Windows\SysWOW64\jartfnl.exe	zmrepfy.exe
File opened for modification	C:\Windows\SysWOW64\zkdnsgt.exe	syeived.exe
File opened for modification	C:\Windows\SysWOW64\qiztjdl.exe	dgtdyrh.exe
File created	C:\Windows\SysWOW64\eectezg.exe	rnhqvrb.exe
File opened for modification	C:\Windows\SysWOW64\aqpgjns.exe	nzudafm.exe
File created	C:\Windows\SysWOW64\egtbsja.exe	rpyyciv.exe
File opened for modification	C:\Windows\SysWOW64\qtnxhzg.exe	dvkuyzb.exe
File opened for modification	C:\Windows\SysWOW64\kdasnql.exe	apivxqy.exe
File created	C:\Windows\SysWOW64\mqyagah.exe	ccxditu.exe
File created	C:\Windows\SysWOW64\digmkwn.exe	qrlkbop.exe
File opened for modification	C:\Windows\SysWOW64\gtlavnu.exe	wflcfoh.exe
File opened for modification	C:\Windows\SysWOW64\rpccfsi.exe	ezhaxkk.exe
File created	C:\Windows\SysWOW64\axvybxc.exe	nhawtpx.exe
File opened for modification	C:\Windows\SysWOW64\nwpbkxa.exe	axvybxc.exe
File created	C:\Windows\SysWOW64\iobpgaa.exe	zaaritn.exe
File created	C:\Windows\SysWOW64\lhmohmn.exe	yrrlqeq.exe
File created	C:\Windows\SysWOW64\zlnbslm.exe	mvtykdg.exe
File created	C:\Windows\SysWOW64\ypphwri.exe	mymenrk.exe
File created	C:\Windows\SysWOW64\ndumlzg.exe	dsfbqwz.exe
File opened for modification	C:\Windows\SysWOW64\msgkowm.exe	ztlhyoo.exe
File created	C:\Windows\SysWOW64\ovrqlta.exe	ceoncku.exe
File opened for modification	C:\Windows\SysWOW64\mqyagah.exe	ccxditu.exe
File created	C:\Windows\SysWOW64\zkdnsgt.exe	syeived.exe
File opened for modification	C:\Windows\SysWOW64\tkhtplu.exe	gumzgko.exe
File created	C:\Windows\SysWOW64\ilzieuh.exe	vnwnwmk.exe
File opened for modification	C:\Windows\SysWOW64\zivtzos.exe	qcvwjhe.exe
File opened for modification	C:\Windows\SysWOW64\kosimav.exe	xqxfeaq.exe
File opened for modification	C:\Windows\SysWOW64\zenpzuz.exe	pqmrbvu.exe
File opened for modification	C:\Windows\SysWOW64\gppdman.exe	tymadap.exe
File created	C:\Windows\SysWOW64\zctgzwe.exe	mlzdroh.exe
File created	C:\Windows\SysWOW64\eaunquo.exe	rbzkimi.exe
File created	C:\Windows\SysWOW64\ridlufh.exe	foxwiad.exe
File created	C:\Windows\SysWOW64\awcaqii.exe	ngzxhad.exe
File created	C:\Windows\SysWOW64\pqdbydd.exe	crizqcy.exe
File opened for modification	C:\Windows\SysWOW64\krmlsxk.exe	xbjikof.exe
File opened for modification	C:\Windows\SysWOW64\vttxgrj.exe	idquxid.exe
File opened for modification	C:\Windows\SysWOW64\akobryt.exe	qeodbrg.exe
File created	C:\Windows\SysWOW64\zvsubzj.exe	mtleqme.exe
File created	C:\Windows\SysWOW64\lvagxtd.exe	dutgimz.exe
File created	C:\Windows\SysWOW64\kkefwkh.exe	bweigcu.exe
File opened for modification	C:\Windows\SysWOW64\celiabk.exe	pfjfrtf.exe
File opened for modification	C:\Windows\SysWOW64\kdruocw.exe	ffxrgcq.exe
File created	C:\Windows\SysWOW64\aqmbrdm.exe	ndumlzg.exe
File opened for modification	C:\Windows\SysWOW64\lhfgsya.exe	bxpvfvu.exe
File created	C:\Windows\SysWOW64\gdkmdgc.exe	tnpkvyw.exe
File created	C:\Windows\SysWOW64\vdzxkqu.exe	ineucqo.exe
File opened for modification	C:\Windows\SysWOW64\ttxartk.exe	jfwdblf.exe
File created	C:\Windows\SysWOW64\xafjpcq.exe	hwfolpu.exe

Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dqbqreq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sewwcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcafehr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkvbhhh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zkrfpji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vziogko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fthazoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mgywhpp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lervlme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kxsofho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kattrns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dlitoee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ilzieuh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcuknun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bijfdol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gqjiiva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uogtgxj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ucsfcii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zkmnpcm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	thmyjwe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	idtqotz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mjfpzkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffxrgcq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zvsubzj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xujjyje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	caqxrcw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhuvuzt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bgmftze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiwxmns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	giqpwsx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efamesc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kmptepz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zvruvkv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	necojlt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kznzbvq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mjhwkef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpshrwx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iypdvgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vehlvxo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mhorkly.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvwjgtm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwpbkxa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ikevuva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vlrtuwr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kbehqfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shoothw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tqqrdtt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pvcxmuu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cbclwwf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pldazlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xbbzeou.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arnsmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zbraqyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nkpnxap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmqhzwt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exmomrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gumzgko.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bqcxlev.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	napqzji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	boyposk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pytaalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fhbudnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	purjmoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhycagl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2784	2280	ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2784	2280	ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2784	2280	ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe	31
PID 2280 wrote to memory of 2784	2280	ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe	31
PID 2784 wrote to memory of 2668	2784	nhlduqy.exe	32
PID 2784 wrote to memory of 2668	2784	nhlduqy.exe	32
PID 2784 wrote to memory of 2668	2784	nhlduqy.exe	32
PID 2784 wrote to memory of 2668	2784	nhlduqy.exe	32
PID 2668 wrote to memory of 1236	2668	fhlltzr.exe	33
PID 2668 wrote to memory of 1236	2668	fhlltzr.exe	33
PID 2668 wrote to memory of 1236	2668	fhlltzr.exe	33
PID 2668 wrote to memory of 1236	2668	fhlltzr.exe	33
PID 1236 wrote to memory of 1144	1236	jtftmae.exe	34
PID 1236 wrote to memory of 1144	1236	jtftmae.exe	34
PID 1236 wrote to memory of 1144	1236	jtftmae.exe	34
PID 1236 wrote to memory of 1144	1236	jtftmae.exe	34
PID 1144 wrote to memory of 1988	1144	zczlnej.exe	35
PID 1144 wrote to memory of 1988	1144	zczlnej.exe	35
PID 1144 wrote to memory of 1988	1144	zczlnej.exe	35
PID 1144 wrote to memory of 1988	1144	zczlnej.exe	35
PID 1988 wrote to memory of 1716	1988	logtseg.exe	36
PID 1988 wrote to memory of 1716	1988	logtseg.exe	36
PID 1988 wrote to memory of 1716	1988	logtseg.exe	36
PID 1988 wrote to memory of 1716	1988	logtseg.exe	36
PID 1716 wrote to memory of 1736	1716	swclnth.exe	37
PID 1716 wrote to memory of 1736	1716	swclnth.exe	37
PID 1716 wrote to memory of 1736	1716	swclnth.exe	37
PID 1716 wrote to memory of 1736	1716	swclnth.exe	37
PID 1736 wrote to memory of 2944	1736	xfkgdyn.exe	38
PID 1736 wrote to memory of 2944	1736	xfkgdyn.exe	38
PID 1736 wrote to memory of 2944	1736	xfkgdyn.exe	38
PID 1736 wrote to memory of 2944	1736	xfkgdyn.exe	38
PID 2840 wrote to memory of 2564	2840	mvtykdg.exe	40
PID 2840 wrote to memory of 2564	2840	mvtykdg.exe	40
PID 2840 wrote to memory of 2564	2840	mvtykdg.exe	40
PID 2840 wrote to memory of 2564	2840	mvtykdg.exe	40
PID 2564 wrote to memory of 1856	2564	zlnbslm.exe	41
PID 2564 wrote to memory of 1856	2564	zlnbslm.exe	41
PID 2564 wrote to memory of 1856	2564	zlnbslm.exe	41
PID 2564 wrote to memory of 1856	2564	zlnbslm.exe	41
PID 1856 wrote to memory of 1508	1856	bdnrkhm.exe	42
PID 1856 wrote to memory of 1508	1856	bdnrkhm.exe	42
PID 1856 wrote to memory of 1508	1856	bdnrkhm.exe	42
PID 1856 wrote to memory of 1508	1856	bdnrkhm.exe	42
PID 1508 wrote to memory of 888	1508	dutgimz.exe	43
PID 1508 wrote to memory of 888	1508	dutgimz.exe	43
PID 1508 wrote to memory of 888	1508	dutgimz.exe	43
PID 1508 wrote to memory of 888	1508	dutgimz.exe	43
PID 888 wrote to memory of 2536	888	lvagxtd.exe	44
PID 888 wrote to memory of 2536	888	lvagxtd.exe	44
PID 888 wrote to memory of 2536	888	lvagxtd.exe	44
PID 888 wrote to memory of 2536	888	lvagxtd.exe	44
PID 2536 wrote to memory of 2108	2536	ntgwvyr.exe	45
PID 2536 wrote to memory of 2108	2536	ntgwvyr.exe	45
PID 2536 wrote to memory of 2108	2536	ntgwvyr.exe	45
PID 2536 wrote to memory of 2108	2536	ntgwvyr.exe	45
PID 2108 wrote to memory of 2936	2108	qauhkpa.exe	46
PID 2108 wrote to memory of 2936	2108	qauhkpa.exe	46
PID 2108 wrote to memory of 2936	2108	qauhkpa.exe	46
PID 2108 wrote to memory of 2936	2108	qauhkpa.exe	46
PID 2936 wrote to memory of 2080	2936	rrioiuf.exe	47
PID 2936 wrote to memory of 2080	2936	rrioiuf.exe	47
PID 2936 wrote to memory of 2080	2936	rrioiuf.exe	47
PID 2936 wrote to memory of 2080	2936	rrioiuf.exe	47

C:\Users\Admin\AppData\Local\Temp\ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe"
1⤵
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\nhlduqy.exe
  C:\Windows\system32\nhlduqy.exe 636 "C:\Users\Admin\AppData\Local\Temp\ebb8f6a9404068518cf8e14da9df95c5_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\fhlltzr.exe
    C:\Windows\system32\fhlltzr.exe 616 "C:\Windows\SysWOW64\nhlduqy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\jtftmae.exe
      C:\Windows\system32\jtftmae.exe 612 "C:\Windows\SysWOW64\fhlltzr.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\SysWOW64\zczlnej.exe
        
        C:\Windows\system32\zczlnej.exe 620 "C:\Windows\SysWOW64\jtftmae.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1144
      - C:\Windows\SysWOW64\logtseg.exe
        
        C:\Windows\system32\logtseg.exe 624 "C:\Windows\SysWOW64\zczlnej.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1988
        
        C:\Windows\SysWOW64\swclnth.exe
        
        C:\Windows\system32\swclnth.exe 716 "C:\Windows\SysWOW64\logtseg.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\xfkgdyn.exe
        
        C:\Windows\system32\xfkgdyn.exe 628 "C:\Windows\SysWOW64\swclnth.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\SysWOW64\xbwlape.exe
        
        C:\Windows\system32\xbwlape.exe 632 "C:\Windows\SysWOW64\xfkgdyn.exe"
        9⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\SysWOW64\mvtykdg.exe
        
        C:\Windows\system32\mvtykdg.exe 732 "C:\Windows\SysWOW64\xbwlape.exe"
        10⤵
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\zlnbslm.exe
        
        C:\Windows\system32\zlnbslm.exe 720 "C:\Windows\SysWOW64\mvtykdg.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\bdnrkhm.exe
        
        C:\Windows\system32\bdnrkhm.exe 656 "C:\Windows\SysWOW64\zlnbslm.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\SysWOW64\dutgimz.exe
        
        C:\Windows\system32\dutgimz.exe 644 "C:\Windows\SysWOW64\bdnrkhm.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\lvagxtd.exe
        
        C:\Windows\system32\lvagxtd.exe 648 "C:\Windows\SysWOW64\dutgimz.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\ntgwvyr.exe
        
        C:\Windows\system32\ntgwvyr.exe 700 "C:\Windows\SysWOW64\lvagxtd.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\qauhkpa.exe
        
        C:\Windows\system32\qauhkpa.exe 672 "C:\Windows\SysWOW64\ntgwvyr.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\rrioiuf.exe
        
        C:\Windows\system32\rrioiuf.exe 712 "C:\Windows\SysWOW64\qauhkpa.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\SysWOW64\uxpzxmo.exe
        
        C:\Windows\system32\uxpzxmo.exe 676 "C:\Windows\SysWOW64\rrioiuf.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2080
        
        C:\Windows\SysWOW64\zkihivt.exe
        
        C:\Windows\system32\zkihivt.exe 660 "C:\Windows\SysWOW64\uxpzxmo.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2776
        
        C:\Windows\SysWOW64\excpcxg.exe
        
        C:\Windows\system32\excpcxg.exe 688 "C:\Windows\SysWOW64\zkihivt.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1792
        
        C:\Windows\SysWOW64\voezpdm.exe
        
        C:\Windows\system32\voezpdm.exe 772 "C:\Windows\SysWOW64\excpcxg.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
        
        C:\Windows\SysWOW64\gkfrxxm.exe
        
        C:\Windows\system32\gkfrxxm.exe 768 "C:\Windows\SysWOW64\voezpdm.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1064
        
        C:\Windows\SysWOW64\smlhikr.exe
        
        C:\Windows\system32\smlhikr.exe 776 "C:\Windows\SysWOW64\gkfrxxm.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2188
        
        C:\Windows\SysWOW64\fdfczkw.exe
        
        C:\Windows\system32\fdfczkw.exe 764 "C:\Windows\SysWOW64\smlhikr.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2172
        
        C:\Windows\SysWOW64\sbiehsc.exe
        
        C:\Windows\system32\sbiehsc.exe 780 "C:\Windows\SysWOW64\fdfczkw.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1080
        
        C:\Windows\SysWOW64\ceypvvi.exe
        
        C:\Windows\system32\ceypvvi.exe 788 "C:\Windows\SysWOW64\sbiehsc.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1676
        
        C:\Windows\SysWOW64\pcsrddo.exe
        
        C:\Windows\system32\pcsrddo.exe 792 "C:\Windows\SysWOW64\ceypvvi.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1984
        
        C:\Windows\SysWOW64\ctnumel.exe
        
        C:\Windows\system32\ctnumel.exe 796 "C:\Windows\SysWOW64\pcsrddo.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1940
        
        C:\Windows\SysWOW64\mhorkly.exe
        
        C:\Windows\system32\mhorkly.exe 800 "C:\Windows\SysWOW64\ctnumel.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\zufhqpx.exe
        
        C:\Windows\system32\zufhqpx.exe 804 "C:\Windows\SysWOW64\mhorkly.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2020
        
        C:\Windows\SysWOW64\mkakypd.exe
        
        C:\Windows\system32\mkakypd.exe 784 "C:\Windows\SysWOW64\zufhqpx.exe"
        31⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        
        PID:328
        
        C:\Windows\SysWOW64\ymgakch.exe
        
        C:\Windows\system32\ymgakch.exe 816 "C:\Windows\SysWOW64\mkakypd.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2152
        
        C:\Windows\SysWOW64\ldjcskn.exe
        
        C:\Windows\system32\ldjcskn.exe 812 "C:\Windows\SysWOW64\ymgakch.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2924
        
        C:\Windows\SysWOW64\nnyffnt.exe
        
        C:\Windows\system32\nnyffnt.exe 824 "C:\Windows\SysWOW64\ldjcskn.exe"
        34⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\aethwny.exe
        
        C:\Windows\system32\aethwny.exe 820 "C:\Windows\SysWOW64\nnyffnt.exe"
        35⤵
        Executes dropped EXE
        
        PID:3008
        
        C:\Windows\SysWOW64\ngzxhad.exe
        
        C:\Windows\system32\ngzxhad.exe 832 "C:\Windows\SysWOW64\aethwny.exe"
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\awcaqii.exe
        
        C:\Windows\system32\awcaqii.exe 808 "C:\Windows\SysWOW64\ngzxhad.exe"
        37⤵
        Executes dropped EXE
        
        PID:2352
        
        C:\Windows\SysWOW64\nvxczio.exe
        
        C:\Windows\system32\nvxczio.exe 840 "C:\Windows\SysWOW64\awcaqii.exe"
        38⤵
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\SysWOW64\wjyappb.exe
        
        C:\Windows\system32\wjyappb.exe 836 "C:\Windows\SysWOW64\nvxczio.exe"
        39⤵
        Executes dropped EXE
        
        PID:1128
        
        C:\Windows\SysWOW64\jwhpvta.exe
        
        C:\Windows\system32\jwhpvta.exe 852 "C:\Windows\SysWOW64\wjyappb.exe"
        40⤵
        Executes dropped EXE
        
        PID:2112
        
        C:\Windows\SysWOW64\wqnxgye.exe
        
        C:\Windows\system32\wqnxgye.exe 844 "C:\Windows\SysWOW64\jwhpvta.exe"
        41⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:876
        
        C:\Windows\SysWOW64\galibbk.exe
        
        C:\Windows\system32\galibbk.exe 856 "C:\Windows\SysWOW64\wqnxgye.exe"
        42⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\wflcfoh.exe
        
        C:\Windows\system32\wflcfoh.exe 828 "C:\Windows\SysWOW64\galibbk.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1148
        
        C:\Windows\SysWOW64\gtlavnu.exe
        
        C:\Windows\system32\gtlavnu.exe 864 "C:\Windows\SysWOW64\wflcfoh.exe"
        44⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Windows\SysWOW64\sjgdewa.exe
        
        C:\Windows\system32\sjgdewa.exe 860 "C:\Windows\SysWOW64\gtlavnu.exe"
        45⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Windows\SysWOW64\fijfmef.exe
        
        C:\Windows\system32\fijfmef.exe 868 "C:\Windows\SysWOW64\sjgdewa.exe"
        46⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:1756
        
        C:\Windows\SysWOW64\syeived.exe
        
        C:\Windows\system32\syeived.exe 872 "C:\Windows\SysWOW64\fijfmef.exe"
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2608
        
        C:\Windows\SysWOW64\zkdnsgt.exe
        
        C:\Windows\system32\zkdnsgt.exe 888 "C:\Windows\SysWOW64\syeived.exe"
        48⤵
        Executes dropped EXE
        
        PID:2856
        
        C:\Windows\SysWOW64\mifqbgz.exe
        
        C:\Windows\system32\mifqbgz.exe 880 "C:\Windows\SysWOW64\zkdnsgt.exe"
        49⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\xeyaiaa.exe
        
        C:\Windows\system32\xeyaiaa.exe 884 "C:\Windows\SysWOW64\mifqbgz.exe"
        50⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:1204
        
        C:\Windows\SysWOW64\kubdzix.exe
        
        C:\Windows\system32\kubdzix.exe 848 "C:\Windows\SysWOW64\xeyaiaa.exe"
        51⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Windows\SysWOW64\ufqnmml.exe
        
        C:\Windows\system32\ufqnmml.exe 892 "C:\Windows\SysWOW64\kubdzix.exe"
        52⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\gvlqvuj.exe
        
        C:\Windows\system32\gvlqvuj.exe 876 "C:\Windows\SysWOW64\ufqnmml.exe"
        53⤵
        Executes dropped EXE
        
        PID:2768
        
        C:\Windows\SysWOW64\opkvsnz.exe
        
        C:\Windows\system32\opkvsnz.exe 912 "C:\Windows\SysWOW64\gvlqvuj.exe"
        54⤵
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\etsqotw.exe
        
        C:\Windows\system32\etsqotw.exe 900 "C:\Windows\SysWOW64\opkvsnz.exe"
        55⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\SysWOW64\lervlme.exe
        
        C:\Windows\system32\lervlme.exe 920 "C:\Windows\SysWOW64\etsqotw.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\SysWOW64\xgxlwzr.exe
        
        C:\Windows\system32\xgxlwzr.exe 896 "C:\Windows\SysWOW64\lervlme.exe"
        57⤵
        Executes dropped EXE
        
        PID:600
        
        C:\Windows\SysWOW64\kxsofho.exe
        
        C:\Windows\system32\kxsofho.exe 928 "C:\Windows\SysWOW64\xgxlwzr.exe"
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\xvvqnhu.exe
        
        C:\Windows\system32\xvvqnhu.exe 904 "C:\Windows\SysWOW64\kxsofho.exe"
        59⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\Windows\SysWOW64\kmptepz.exe
        
        C:\Windows\system32\kmptepz.exe 924 "C:\Windows\SysWOW64\xvvqnhu.exe"
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\xckwnyx.exe
        
        C:\Windows\system32\xckwnyx.exe 908 "C:\Windows\SysWOW64\kmptepz.exe"
        61⤵
        Executes dropped EXE
        
        PID:1764
        
        C:\Windows\SysWOW64\hqlldxk.exe
        
        C:\Windows\system32\hqlldxk.exe 932 "C:\Windows\SysWOW64\xckwnyx.exe"
        62⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\SysWOW64\upoolfq.exe
        
        C:\Windows\system32\upoolfq.exe 916 "C:\Windows\SysWOW64\hqlldxk.exe"
        63⤵
        Executes dropped EXE
        
        PID:2756
        
        C:\Windows\SysWOW64\gfiqunv.exe
        
        C:\Windows\system32\gfiqunv.exe 952 "C:\Windows\SysWOW64\upoolfq.exe"
        64⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\twdtcnt.exe
        
        C:\Windows\system32\twdtcnt.exe 936 "C:\Windows\SysWOW64\gfiqunv.exe"
        65⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\dgtdyrh.exe
        
        C:\Windows\system32\dgtdyrh.exe 948 "C:\Windows\SysWOW64\twdtcnt.exe"
        66⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\qiztjdl.exe
        
        C:\Windows\system32\qiztjdl.exe 944 "C:\Windows\SysWOW64\dgtdyrh.exe"
        67⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\fuvgtro.exe
        
        C:\Windows\system32\fuvgtro.exe 956 "C:\Windows\SysWOW64\qiztjdl.exe"
        68⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\ssyjbzt.exe
        
        C:\Windows\system32\ssyjbzt.exe 940 "C:\Windows\SysWOW64\fuvgtro.exe"
        69⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\fjtlkhz.exe
        
        C:\Windows\system32\fjtlkhz.exe 968 "C:\Windows\SysWOW64\ssyjbzt.exe"
        70⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\shoothw.exe
        
        C:\Windows\system32\shoothw.exe 964 "C:\Windows\SysWOW64\fjtlkhz.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\fyrrbqc.exe
        
        C:\Windows\system32\fyrrbqc.exe 972 "C:\Windows\SysWOW64\shoothw.exe"
        72⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\pmrgzxp.exe
        
        C:\Windows\system32\pmrgzxp.exe 976 "C:\Windows\SysWOW64\fyrrbqc.exe"
        73⤵
        
        PID:572
        
        C:\Windows\SysWOW64\ccmjixv.exe
        
        C:\Windows\system32\ccmjixv.exe 984 "C:\Windows\SysWOW64\pmrgzxp.exe"
        74⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\obhmqfs.exe
        
        C:\Windows\system32\obhmqfs.exe 980 "C:\Windows\SysWOW64\ccmjixv.exe"
        75⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\brkozny.exe
        
        C:\Windows\system32\brkozny.exe 1000 "C:\Windows\SysWOW64\obhmqfs.exe"
        76⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\oieriod.exe
        
        C:\Windows\system32\oieriod.exe 988 "C:\Windows\SysWOW64\brkozny.exe"
        77⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\ywfoyvi.exe
        
        C:\Windows\system32\ywfoyvi.exe 996 "C:\Windows\SysWOW64\oieriod.exe"
        78⤵
        Identifies Wine through registry keys
        
        PID:2808
        
        C:\Windows\SysWOW64\luargdo.exe
        
        C:\Windows\system32\luargdo.exe 992 "C:\Windows\SysWOW64\ywfoyvi.exe"
        79⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\ylvuxlt.exe
        
        C:\Windows\system32\ylvuxlt.exe 1004 "C:\Windows\SysWOW64\luargdo.exe"
        80⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\lbywfmz.exe
        
        C:\Windows\system32\lbywfmz.exe 1008 "C:\Windows\SysWOW64\ylvuxlt.exe"
        81⤵
        
        PID:1908
        
        C:\Windows\SysWOW64\yasroux.exe
        
        C:\Windows\system32\yasroux.exe 1012 "C:\Windows\SysWOW64\lbywfmz.exe"
        82⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\zotoebk.exe
        
        C:\Windows\system32\zotoebk.exe 1016 "C:\Windows\SysWOW64\yasroux.exe"
        83⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\meornbp.exe
        
        C:\Windows\system32\meornbp.exe 1036 "C:\Windows\SysWOW64\zotoebk.exe"
        84⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\zvruvkv.exe
        
        C:\Windows\system32\zvruvkv.exe 1020 "C:\Windows\SysWOW64\meornbp.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\Windows\SysWOW64\mtlwess.exe
        
        C:\Windows\system32\mtlwess.exe 1028 "C:\Windows\SysWOW64\zvruvkv.exe"
        86⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\zkgzusy.exe
        
        C:\Windows\system32\zkgzusy.exe 1032 "C:\Windows\SysWOW64\mtlwess.exe"
        87⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\jyhplzl.exe
        
        C:\Windows\system32\jyhplzl.exe 1040 "C:\Windows\SysWOW64\zkgzusy.exe"
        88⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\vokrthr.exe
        
        C:\Windows\system32\vokrthr.exe 1044 "C:\Windows\SysWOW64\jyhplzl.exe"
        89⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\ineucqo.exe
        
        C:\Windows\system32\ineucqo.exe 1048 "C:\Windows\SysWOW64\vokrthr.exe"
        90⤵
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\vdzxkqu.exe
        
        C:\Windows\system32\vdzxkqu.exe 1052 "C:\Windows\SysWOW64\ineucqo.exe"
        91⤵
        
        PID:720
        
        C:\Windows\SysWOW64\iccztyz.exe
        
        C:\Windows\system32\iccztyz.exe 1056 "C:\Windows\SysWOW64\vdzxkqu.exe"
        92⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\sivxrfm.exe
        
        C:\Windows\system32\sivxrfm.exe 1060 "C:\Windows\SysWOW64\iccztyz.exe"
        93⤵
        
        PID:996
        
        C:\Windows\SysWOW64\fhyzagk.exe
        
        C:\Windows\system32\fhyzagk.exe 1064 "C:\Windows\SysWOW64\sivxrfm.exe"
        94⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\sxsciop.exe
        
        C:\Windows\system32\sxsciop.exe 1068 "C:\Windows\SysWOW64\fhyzagk.exe"
        95⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\fwnfrwv.exe
        
        C:\Windows\system32\fwnfrwv.exe 1072 "C:\Windows\SysWOW64\sxsciop.exe"
        96⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\rmqhzwt.exe
        
        C:\Windows\system32\rmqhzwt.exe 960 "C:\Windows\SysWOW64\fwnfrwv.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\barxxdg.exe
        
        C:\Windows\system32\barxxdg.exe 1080 "C:\Windows\SysWOW64\rmqhzwt.exe"
        98⤵
        
        PID:832
        
        C:\Windows\SysWOW64\orlzgml.exe
        
        C:\Windows\system32\orlzgml.exe 1076 "C:\Windows\SysWOW64\barxxdg.exe"
        99⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\bpgcpur.exe
        
        C:\Windows\system32\bpgcpur.exe 1088 "C:\Windows\SysWOW64\orlzgml.exe"
        100⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\ogjfxuo.exe
        
        C:\Windows\system32\ogjfxuo.exe 1092 "C:\Windows\SysWOW64\bpgcpur.exe"
        101⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\bweigcu.exe
        
        C:\Windows\system32\bweigcu.exe 1096 "C:\Windows\SysWOW64\ogjfxuo.exe"
        102⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2100
        
        C:\Windows\SysWOW64\kkefwkh.exe
        
        C:\Windows\system32\kkefwkh.exe 1084 "C:\Windows\SysWOW64\bweigcu.exe"
        103⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\xjzinkn.exe
        
        C:\Windows\system32\xjzinkn.exe 1104 "C:\Windows\SysWOW64\kkefwkh.exe"
        104⤵
        Identifies Wine through registry keys
        
        PID:628
        
        C:\Windows\SysWOW64\kzucvsk.exe
        
        C:\Windows\system32\kzucvsk.exe 1100 "C:\Windows\SysWOW64\xjzinkn.exe"
        105⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\xqxfeaq.exe
        
        C:\Windows\system32\xqxfeaq.exe 1116 "C:\Windows\SysWOW64\kzucvsk.exe"
        106⤵
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\kosimav.exe
        
        C:\Windows\system32\kosimav.exe 1112 "C:\Windows\SysWOW64\xqxfeaq.exe"
        107⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\ucsfcii.exe
        
        C:\Windows\system32\ucsfcii.exe 1120 "C:\Windows\SysWOW64\kosimav.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\htnilqg.exe
        
        C:\Windows\system32\htnilqg.exe 1124 "C:\Windows\SysWOW64\ucsfcii.exe"
        109⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\ujqkuyl.exe
        
        C:\Windows\system32\ujqkuyl.exe 1140 "C:\Windows\SysWOW64\htnilqg.exe"
        110⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\gilnkyr.exe
        
        C:\Windows\system32\gilnkyr.exe 1128 "C:\Windows\SysWOW64\ujqkuyl.exe"
        111⤵
        Identifies Wine through registry keys
        
        PID:348
        
        C:\Windows\SysWOW64\tygqtgp.exe
        
        C:\Windows\system32\tygqtgp.exe 1136 "C:\Windows\SysWOW64\gilnkyr.exe"
        112⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\dmgfjoc.exe
        
        C:\Windows\system32\dmgfjoc.exe 1132 "C:\Windows\SysWOW64\tygqtgp.exe"
        113⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\qdjiroh.exe
        
        C:\Windows\system32\qdjiroh.exe 1144 "C:\Windows\SysWOW64\dmgfjoc.exe"
        114⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\dbelawn.exe
        
        C:\Windows\system32\dbelawn.exe 1148 "C:\Windows\SysWOW64\qdjiroh.exe"
        115⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\qsznjek.exe
        
        C:\Windows\system32\qsznjek.exe 1152 "C:\Windows\SysWOW64\dbelawn.exe"
        116⤵
        Identifies Wine through registry keys
        
        PID:1512
        
        C:\Windows\SysWOW64\dqbqreq.exe
        
        C:\Windows\system32\dqbqreq.exe 1156 "C:\Windows\SysWOW64\qsznjek.exe"
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\mwunpmd.exe
        
        C:\Windows\system32\mwunpmd.exe 1168 "C:\Windows\SysWOW64\dqbqreq.exe"
        118⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\zvxqyui.exe
        
        C:\Windows\system32\zvxqyui.exe 1160 "C:\Windows\SysWOW64\mwunpmd.exe"
        119⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\mlstgug.exe
        
        C:\Windows\system32\mlstgug.exe 1164 "C:\Windows\SysWOW64\zvxqyui.exe"
        120⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\zkmnpcm.exe
        
        C:\Windows\system32\zkmnpcm.exe 1172 "C:\Windows\SysWOW64\mlstgug.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\mapqykr.exe
        
        C:\Windows\system32\mapqykr.exe 1176 "C:\Windows\SysWOW64\zkmnpcm.exe"
        122⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\wpqnwse.exe
        
        C:\Windows\system32\wpqnwse.exe 1180 "C:\Windows\SysWOW64\mapqykr.exe"
        123⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\jflqesc.exe
        
        C:\Windows\system32\jflqesc.exe 1184 "C:\Windows\SysWOW64\wpqnwse.exe"
        124⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\veftnah.exe
        
        C:\Windows\system32\veftnah.exe 1188 "C:\Windows\SysWOW64\jflqesc.exe"
        125⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\iuiwwin.exe
        
        C:\Windows\system32\iuiwwin.exe 1192 "C:\Windows\SysWOW64\veftnah.exe"
        126⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\vkdyejs.exe
        
        C:\Windows\system32\vkdyejs.exe 1196 "C:\Windows\SysWOW64\iuiwwin.exe"
        127⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\fzeocqy.exe
        
        C:\Windows\system32\fzeocqy.exe 1200 "C:\Windows\SysWOW64\vkdyejs.exe"
        128⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\sxzqlyd.exe
        
        C:\Windows\system32\sxzqlyd.exe 1208 "C:\Windows\SysWOW64\fzeocqy.exe"
        129⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\fotttyj.exe
        
        C:\Windows\system32\fotttyj.exe 1220 "C:\Windows\SysWOW64\sxzqlyd.exe"
        130⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\sewwcgo.exe
        
        C:\Windows\system32\sewwcgo.exe 1108 "C:\Windows\SysWOW64\fotttyj.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\fdrylpm.exe
        
        C:\Windows\system32\fdrylpm.exe 1212 "C:\Windows\SysWOW64\sewwcgo.exe"
        132⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\grswbwz.exe
        
        C:\Windows\system32\grswbwz.exe 1216 "C:\Windows\SysWOW64\fdrylpm.exe"
        133⤵
        
        PID:984
        
        C:\Windows\SysWOW64\thmyjwe.exe
        
        C:\Windows\system32\thmyjwe.exe 1228 "C:\Windows\SysWOW64\grswbwz.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\gueoxad.exe
        
        C:\Windows\system32\gueoxad.exe 1224 "C:\Windows\SysWOW64\thmyjwe.exe"
        135⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\twkeini.exe
        
        C:\Windows\system32\twkeini.exe 1236 "C:\Windows\SysWOW64\gueoxad.exe"
        136⤵
        Identifies Wine through registry keys
        
        PID:1516
        
        C:\Windows\SysWOW64\gnfyrnn.exe
        
        C:\Windows\system32\gnfyrnn.exe 1232 "C:\Windows\SysWOW64\twkeini.exe"
        137⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\tlibavt.exe
        
        C:\Windows\system32\tlibavt.exe 1240 "C:\Windows\SysWOW64\gnfyrnn.exe"
        138⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\crizqcy.exe
        
        C:\Windows\system32\crizqcy.exe 1204 "C:\Windows\SysWOW64\tlibavt.exe"
        139⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\pqdbydd.exe
        
        C:\Windows\system32\pqdbydd.exe 1260 "C:\Windows\SysWOW64\crizqcy.exe"
        140⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cgyehlj.exe
        
        C:\Windows\system32\cgyehlj.exe 1256 "C:\Windows\SysWOW64\pqdbydd.exe"
        141⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\pfbhyto.exe
        
        C:\Windows\system32\pfbhyto.exe 1264 "C:\Windows\SysWOW64\cgyehlj.exe"
        142⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cvwjgtm.exe
        
        C:\Windows\system32\cvwjgtm.exe 1268 "C:\Windows\SysWOW64\pfbhyto.exe"
        143⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Windows\SysWOW64\mjwzwaz.exe
        
        C:\Windows\system32\mjwzwaz.exe 1248 "C:\Windows\SysWOW64\cvwjgtm.exe"
        144⤵
        Identifies Wine through registry keys
        
        PID:2832
        
        C:\Windows\SysWOW64\zarbfjf.exe
        
        C:\Windows\system32\zarbfjf.exe 1252 "C:\Windows\SysWOW64\mjwzwaz.exe"
        145⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\mymenrk.exe
        
        C:\Windows\system32\mymenrk.exe 1272 "C:\Windows\SysWOW64\zarbfjf.exe"
        146⤵
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\ypphwri.exe
        
        C:\Windows\system32\ypphwri.exe 1244 "C:\Windows\SysWOW64\mymenrk.exe"
        147⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\lfjjfzn.exe
        
        C:\Windows\system32\lfjjfzn.exe 1280 "C:\Windows\SysWOW64\ypphwri.exe"
        148⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\vtkhdha.exe
        
        C:\Windows\system32\vtkhdha.exe 1276 "C:\Windows\SysWOW64\lfjjfzn.exe"
        149⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\isfjlhg.exe
        
        C:\Windows\system32\isfjlhg.exe 1300 "C:\Windows\SysWOW64\vtkhdha.exe"
        150⤵
        Identifies Wine through registry keys
        
        PID:2584
        
        C:\Windows\SysWOW64\vfwzrlf.exe
        
        C:\Windows\system32\vfwzrlf.exe 1288 "C:\Windows\SysWOW64\isfjlhg.exe"
        151⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\flxxhss.exe
        
        C:\Windows\system32\flxxhss.exe 1292 "C:\Windows\SysWOW64\vfwzrlf.exe"
        152⤵
        
        PID:776
        
        C:\Windows\SysWOW64\sjsryap.exe
        
        C:\Windows\system32\sjsryap.exe 1296 "C:\Windows\SysWOW64\flxxhss.exe"
        153⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\fwjpdwo.exe
        
        C:\Windows\system32\fwjpdwo.exe 1304 "C:\Windows\SysWOW64\sjsryap.exe"
        154⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\olkeudb.exe
        
        C:\Windows\system32\olkeudb.exe 1308 "C:\Windows\SysWOW64\fwjpdwo.exe"
        155⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cyuczha.exe
        
        C:\Windows\system32\cyuczha.exe 1324 "C:\Windows\SysWOW64\olkeudb.exe"
        156⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\lajevko.exe
        
        C:\Windows\system32\lajevko.exe 1312 "C:\Windows\SysWOW64\cyuczha.exe"
        157⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\yzmhdlm.exe
        
        C:\Windows\system32\yzmhdlm.exe 1320 "C:\Windows\SysWOW64\lajevko.exe"
        158⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\lphkmtr.exe
        
        C:\Windows\system32\lphkmtr.exe 1284 "C:\Windows\SysWOW64\yzmhdlm.exe"
        159⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\vawuzwy.exe
        
        C:\Windows\system32\vawuzwy.exe 1328 "C:\Windows\SysWOW64\lphkmtr.exe"
        160⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\innkfaf.exe
        
        C:\Windows\system32\innkfaf.exe 1332 "C:\Windows\SysWOW64\vawuzwy.exe"
        161⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\vpuaqej.exe
        
        C:\Windows\system32\vpuaqej.exe 1336 "C:\Windows\SysWOW64\innkfaf.exe"
        162⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\ifoczmo.exe
        
        C:\Windows\system32\ifoczmo.exe 1316 "C:\Windows\SysWOW64\vpuaqej.exe"
        163⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\stpaxuu.exe
        
        C:\Windows\system32\stpaxuu.exe 1352 "C:\Windows\SysWOW64\ifoczmo.exe"
        164⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\fkkcfcz.exe
        
        C:\Windows\system32\fkkcfcz.exe 1344 "C:\Windows\SysWOW64\stpaxuu.exe"
        165⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\rinxocf.exe
        
        C:\Windows\system32\rinxocf.exe 1348 "C:\Windows\SysWOW64\fkkcfcz.exe"
        166⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\ezhaxkk.exe
        
        C:\Windows\system32\ezhaxkk.exe 1356 "C:\Windows\SysWOW64\rinxocf.exe"
        167⤵
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\rpccfsi.exe
        
        C:\Windows\system32\rpccfsi.exe 1372 "C:\Windows\SysWOW64\ezhaxkk.exe"
        168⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\bddadsv.exe
        
        C:\Windows\system32\bddadsv.exe 1360 "C:\Windows\SysWOW64\rpccfsi.exe"
        169⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\ocgcmaa.exe
        
        C:\Windows\system32\ocgcmaa.exe 1364 "C:\Windows\SysWOW64\bddadsv.exe"
        170⤵
        
        PID:664
        
        C:\Windows\SysWOW64\bsafuig.exe
        
        C:\Windows\system32\bsafuig.exe 1368 "C:\Windows\SysWOW64\ocgcmaa.exe"
        171⤵
        Identifies Wine through registry keys
        
        PID:1568
        
        C:\Windows\SysWOW64\ojvidid.exe
        
        C:\Windows\system32\ojvidid.exe 1376 "C:\Windows\SysWOW64\bsafuig.exe"
        172⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\bhqlmqj.exe
        
        C:\Windows\system32\bhqlmqj.exe 1340 "C:\Windows\SysWOW64\ojvidid.exe"
        173⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\kvracyw.exe
        
        C:\Windows\system32\kvracyw.exe 1384 "C:\Windows\SysWOW64\bhqlmqj.exe"
        174⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\xmudsgc.exe
        
        C:\Windows\system32\xmudsgc.exe 1380 "C:\Windows\SysWOW64\kvracyw.exe"
        175⤵
        
        PID:924
        
        C:\Windows\SysWOW64\kcofbgz.exe
        
        C:\Windows\system32\kcofbgz.exe 1392 "C:\Windows\SysWOW64\xmudsgc.exe"
        176⤵
        
        PID:872
        
        C:\Windows\SysWOW64\xbjikof.exe
        
        C:\Windows\system32\xbjikof.exe 1388 "C:\Windows\SysWOW64\kcofbgz.exe"
        177⤵
        Drops file in System32 directory
        
        PID:836
        
        C:\Windows\SysWOW64\krmlsxk.exe
        
        C:\Windows\system32\krmlsxk.exe 1400 "C:\Windows\SysWOW64\xbjikof.exe"
        178⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\tgniiwx.exe
        
        C:\Windows\system32\tgniiwx.exe 1404 "C:\Windows\SysWOW64\krmlsxk.exe"
        179⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\gwhlrev.exe
        
        C:\Windows\system32\gwhlrev.exe 1412 "C:\Windows\SysWOW64\tgniiwx.exe"
        180⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\tvcnzmb.exe
        
        C:\Windows\system32\tvcnzmb.exe 1396 "C:\Windows\SysWOW64\gwhlrev.exe"
        181⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\ylfiqng.exe
        
        C:\Windows\system32\ylfiqng.exe 1428 "C:\Windows\SysWOW64\tvcnzmb.exe"
        182⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\lkalzve.exe
        
        C:\Windows\system32\lkalzve.exe 1408 "C:\Windows\SysWOW64\ylfiqng.exe"
        183⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\vqaipcr.exe
        
        C:\Windows\system32\vqaipcr.exe 1420 "C:\Windows\SysWOW64\lkalzve.exe"
        184⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\iovlxcw.exe
        
        C:\Windows\system32\iovlxcw.exe 1424 "C:\Windows\SysWOW64\vqaipcr.exe"
        185⤵
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\vfqogkc.exe
        
        C:\Windows\system32\vfqogkc.exe 1432 "C:\Windows\SysWOW64\iovlxcw.exe"
        186⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\idtqotz.exe
        
        C:\Windows\system32\idtqotz.exe 1436 "C:\Windows\SysWOW64\vfqogkc.exe"
        187⤵
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\uuotxtf.exe
        
        C:\Windows\system32\uuotxtf.exe 1440 "C:\Windows\SysWOW64\idtqotz.exe"
        188⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\eioivas.exe
        
        C:\Windows\system32\eioivas.exe 1444 "C:\Windows\SysWOW64\uuotxtf.exe"
        189⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\ryjleiy.exe
        
        C:\Windows\system32\ryjleiy.exe 1416 "C:\Windows\SysWOW64\eioivas.exe"
        190⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\exmomrv.exe
        
        C:\Windows\system32\exmomrv.exe 1448 "C:\Windows\SysWOW64\ryjleiy.exe"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\rnhqvrb.exe
        
        C:\Windows\system32\rnhqvrb.exe 1460 "C:\Windows\SysWOW64\exmomrv.exe"
        192⤵
        Drops file in System32 directory
        
        PID:1140
        
        C:\Windows\SysWOW64\eectezg.exe
        
        C:\Windows\system32\eectezg.exe 1452 "C:\Windows\SysWOW64\rnhqvrb.exe"
        193⤵
        
        PID:948
        
        C:\Windows\SysWOW64\nscqcgt.exe
        
        C:\Windows\system32\nscqcgt.exe 1464 "C:\Windows\SysWOW64\eectezg.exe"
        194⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\aqxtkgr.exe
        
        C:\Windows\system32\aqxtkgr.exe 1456 "C:\Windows\SysWOW64\nscqcgt.exe"
        195⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\nhawtpx.exe
        
        C:\Windows\system32\nhawtpx.exe 1472 "C:\Windows\SysWOW64\aqxtkgr.exe"
        196⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2988
        
        C:\Windows\SysWOW64\axvybxc.exe
        
        C:\Windows\system32\axvybxc.exe 1476 "C:\Windows\SysWOW64\nhawtpx.exe"
        197⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\nwpbkxa.exe
        
        C:\Windows\system32\nwpbkxa.exe 1480 "C:\Windows\SysWOW64\axvybxc.exe"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\xcqrien.exe
        
        C:\Windows\system32\xcqrien.exe 1484 "C:\Windows\SysWOW64\nwpbkxa.exe"
        199⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\kattrns.exe
        
        C:\Windows\system32\kattrns.exe 1492 "C:\Windows\SysWOW64\xcqrien.exe"
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\xrowzvy.exe
        
        C:\Windows\system32\xrowzvy.exe 1488 "C:\Windows\SysWOW64\kattrns.exe"
        201⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\jpizivv.exe
        
        C:\Windows\system32\jpizivv.exe 1504 "C:\Windows\SysWOW64\xrowzvy.exe"
        202⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\wglbqdb.exe
        
        C:\Windows\system32\wglbqdb.exe 1496 "C:\Windows\SysWOW64\jpizivv.exe"
        203⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\gumzgko.exe
        
        C:\Windows\system32\gumzgko.exe 1500 "C:\Windows\SysWOW64\wglbqdb.exe"
        204⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\SysWOW64\tkhtplu.exe
        
        C:\Windows\system32\tkhtplu.exe 1508 "C:\Windows\SysWOW64\gumzgko.exe"
        205⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\gjbwgtr.exe
        
        C:\Windows\system32\gjbwgtr.exe 1512 "C:\Windows\SysWOW64\tkhtplu.exe"
        206⤵
        
        PID:540
        
        C:\Windows\SysWOW64\tzezobx.exe
        
        C:\Windows\system32\tzezobx.exe 1516 "C:\Windows\SysWOW64\gjbwgtr.exe"
        207⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\gyzbxbc.exe
        
        C:\Windows\system32\gyzbxbc.exe 1520 "C:\Windows\SysWOW64\tzezobx.exe"
        208⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\qbomkej.exe
        
        C:\Windows\system32\qbomkej.exe 1524 "C:\Windows\SysWOW64\gyzbxbc.exe"
        209⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\crjotmo.exe
        
        C:\Windows\system32\crjotmo.exe 1468 "C:\Windows\SysWOW64\qbomkej.exe"
        210⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\pqmrbvu.exe
        
        C:\Windows\system32\pqmrbvu.exe 1532 "C:\Windows\SysWOW64\crjotmo.exe"
        211⤵
        Drops file in System32 directory
        
        PID:1920
        
        C:\Windows\SysWOW64\zenpzuz.exe
        
        C:\Windows\system32\zenpzuz.exe 1540 "C:\Windows\SysWOW64\pqmrbvu.exe"
        212⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\muirice.exe
        
        C:\Windows\system32\muirice.exe 1528 "C:\Windows\SysWOW64\zenpzuz.exe"
        213⤵
        
        PID:764
        
        C:\Windows\SysWOW64\zlcurkk.exe
        
        C:\Windows\system32\zlcurkk.exe 1544 "C:\Windows\SysWOW64\muirice.exe"
        214⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\mjfpzkp.exe
        
        C:\Windows\system32\mjfpzkp.exe 1536 "C:\Windows\SysWOW64\zlcurkk.exe"
        215⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\zaaritn.exe
        
        C:\Windows\system32\zaaritn.exe 1552 "C:\Windows\SysWOW64\mjfpzkp.exe"
        216⤵
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\iobpgaa.exe
        
        C:\Windows\system32\iobpgaa.exe 1556 "C:\Windows\SysWOW64\zaaritn.exe"
        217⤵
        Drops file in System32 directory
        
        PID:1164
        
        C:\Windows\SysWOW64\vevroig.exe
        
        C:\Windows\system32\vevroig.exe 1560 "C:\Windows\SysWOW64\iobpgaa.exe"
        218⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\idquxid.exe
        
        C:\Windows\system32\idquxid.exe 1564 "C:\Windows\SysWOW64\vevroig.exe"
        219⤵
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\vttxgrj.exe
        
        C:\Windows\system32\vttxgrj.exe 1580 "C:\Windows\SysWOW64\idquxid.exe"
        220⤵
        
        PID:784
        
        C:\Windows\SysWOW64\isozozo.exe
        
        C:\Windows\system32\isozozo.exe 1568 "C:\Windows\SysWOW64\vttxgrj.exe"
        221⤵
        Drops file in System32 directory
        
        PID:1620
        
        C:\Windows\SysWOW64\syopeyb.exe
        
        C:\Windows\system32\syopeyb.exe 1572 "C:\Windows\SysWOW64\isozozo.exe"
        222⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\fwjrngz.exe
        
        C:\Windows\system32\fwjrngz.exe 1548 "C:\Windows\SysWOW64\syopeyb.exe"
        223⤵
        Drops file in System32 directory
        
        PID:584
        
        C:\Windows\SysWOW64\rnmuepf.exe
        
        C:\Windows\system32\rnmuepf.exe 1584 "C:\Windows\SysWOW64\fwjrngz.exe"
        224⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\elhxmpk.exe
        
        C:\Windows\system32\elhxmpk.exe 1588 "C:\Windows\SysWOW64\rnmuepf.exe"
        225⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\rccavxq.exe
        
        C:\Windows\system32\rccavxq.exe 1596 "C:\Windows\SysWOW64\elhxmpk.exe"
        226⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\bqcxlev.exe
        
        C:\Windows\system32\bqcxlev.exe 1592 "C:\Windows\SysWOW64\rccavxq.exe"
        227⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\ogxatma.exe
        
        C:\Windows\system32\ogxatma.exe 1604 "C:\Windows\SysWOW64\bqcxlev.exe"
        228⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\bfaccng.exe
        
        C:\Windows\system32\bfaccng.exe 1600 "C:\Windows\SysWOW64\ogxatma.exe"
        229⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\ovvftvl.exe
        
        C:\Windows\system32\ovvftvl.exe 1608 "C:\Windows\SysWOW64\bfaccng.exe"
        230⤵
        Identifies Wine through registry keys
        
        PID:1848
        
        C:\Windows\SysWOW64\tmqabdj.exe
        
        C:\Windows\system32\tmqabdj.exe 1612 "C:\Windows\SysWOW64\ovvftvl.exe"
        231⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\caqxrcw.exe
        
        C:\Windows\system32\caqxrcw.exe 1616 "C:\Windows\SysWOW64\tmqabdj.exe"
        232⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Windows\SysWOW64\pytaalc.exe
        
        C:\Windows\system32\pytaalc.exe 1620 "C:\Windows\SysWOW64\caqxrcw.exe"
        233⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\cpocith.exe
        
        C:\Windows\system32\cpocith.exe 1624 "C:\Windows\SysWOW64\pytaalc.exe"
        234⤵
        
        PID:380
        
        C:\Windows\SysWOW64\pfjfrtf.exe
        
        C:\Windows\system32\pfjfrtf.exe 1576 "C:\Windows\SysWOW64\cpocith.exe"
        235⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\celiabk.exe
        
        C:\Windows\system32\celiabk.exe 1636 "C:\Windows\SysWOW64\pfjfrtf.exe"
        236⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\lsmxyix.exe
        
        C:\Windows\system32\lsmxyix.exe 1628 "C:\Windows\SysWOW64\celiabk.exe"
        237⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\yihagrd.exe
        
        C:\Windows\system32\yihagrd.exe 1640 "C:\Windows\SysWOW64\lsmxyix.exe"
        238⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\lzcdprb.exe
        
        C:\Windows\system32\lzcdprb.exe 1632 "C:\Windows\SysWOW64\yihagrd.exe"
        239⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\yxefxzg.exe
        
        C:\Windows\system32\yxefxzg.exe 1648 "C:\Windows\SysWOW64\lzcdprb.exe"
        240⤵
        
        PID:992
        
        C:\Windows\SysWOW64\lozighm.exe
        
        C:\Windows\system32\lozighm.exe 1652 "C:\Windows\SysWOW64\yxefxzg.exe"
        241⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\vcafehr.exe
        
        C:\Windows\system32\vcafehr.exe 1656 "C:\Windows\SysWOW64\lozighm.exe"
        242⤵
        System Location Discovery: System Language Discovery
        
        PID:1752
        
        C:\Windows\SysWOW64\itvinpw.exe
        
        C:\Windows\system32\itvinpw.exe 1644 "C:\Windows\SysWOW64\vcafehr.exe"
        243⤵
        Identifies Wine through registry keys
        
        PID:2648
        
        C:\Windows\SysWOW64\vrqlvxc.exe
        
        C:\Windows\system32\vrqlvxc.exe 1664 "C:\Windows\SysWOW64\itvinpw.exe"
        244⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\iisnexh.exe
        
        C:\Windows\system32\iisnexh.exe 1668 "C:\Windows\SysWOW64\vrqlvxc.exe"
        245⤵
        
        PID:808
        
        C:\Windows\SysWOW64\ugnqnff.exe
        
        C:\Windows\system32\ugnqnff.exe 1672 "C:\Windows\SysWOW64\iisnexh.exe"
        246⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\emofdns.exe
        
        C:\Windows\system32\emofdns.exe 1660 "C:\Windows\SysWOW64\ugnqnff.exe"
        247⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\rljitvy.exe
        
        C:\Windows\system32\rljitvy.exe 1692 "C:\Windows\SysWOW64\emofdns.exe"
        248⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\ebllcvd.exe
        
        C:\Windows\system32\ebllcvd.exe 1680 "C:\Windows\SysWOW64\rljitvy.exe"
        249⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\ragokdb.exe
        
        C:\Windows\system32\ragokdb.exe 1684 "C:\Windows\SysWOW64\ebllcvd.exe"
        250⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\eqbqtlg.exe
        
        C:\Windows\system32\eqbqtlg.exe 1688 "C:\Windows\SysWOW64\ragokdb.exe"
        251⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\necojlt.exe
        
        C:\Windows\system32\necojlt.exe 1700 "C:\Windows\SysWOW64\eqbqtlg.exe"
        252⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Windows\SysWOW64\avwqstz.exe
        
        C:\Windows\system32\avwqstz.exe 1696 "C:\Windows\SysWOW64\necojlt.exe"
        253⤵
        Identifies Wine through registry keys
        
        PID:2864
        
        C:\Windows\SysWOW64\ntzlabw.exe
        
        C:\Windows\system32\ntzlabw.exe 1704 "C:\Windows\SysWOW64\avwqstz.exe"
        254⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\akuorbc.exe
        
        C:\Windows\system32\akuorbc.exe 1676 "C:\Windows\SysWOW64\ntzlabw.exe"
        255⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\napqzji.exe
        
        C:\Windows\system32\napqzji.exe 1712 "C:\Windows\SysWOW64\akuorbc.exe"
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\xoqoqrv.exe
        
        C:\Windows\system32\xoqoqrv.exe 1716 "C:\Windows\SysWOW64\napqzji.exe"
        257⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\knsqyzs.exe
        
        C:\Windows\system32\knsqyzs.exe 1724 "C:\Windows\SysWOW64\xoqoqrv.exe"
        258⤵
        Identifies Wine through registry keys
        
        PID:1812
        
        C:\Windows\SysWOW64\wdnthzy.exe
        
        C:\Windows\system32\wdnthzy.exe 1720 "C:\Windows\SysWOW64\knsqyzs.exe"
        259⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\ggcdcce.exe
        
        C:\Windows\system32\ggcdcce.exe 1708 "C:\Windows\SysWOW64\wdnthzy.exe"
        260⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\texglkk.exe
        
        C:\Windows\system32\texglkk.exe 1732 "C:\Windows\SysWOW64\ggcdcce.exe"
        261⤵
        Identifies Wine through registry keys
        
        PID:2572
        
        C:\Windows\SysWOW64\ddjevjr.exe
        
        C:\Windows\system32\ddjevjr.exe 1748 "C:\Windows\SysWOW64\texglkk.exe"
        262⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\qfplgow.exe
        
        C:\Windows\system32\qfplgow.exe 1736 "C:\Windows\SysWOW64\ddjevjr.exe"
        263⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\dwkopwb.exe
        
        C:\Windows\system32\dwkopwb.exe 1744 "C:\Windows\SysWOW64\qfplgow.exe"
        264⤵
        
        PID:768
        
        C:\Windows\SysWOW64\qunryez.exe
        
        C:\Windows\system32\qunryez.exe 1740 "C:\Windows\SysWOW64\dwkopwb.exe"
        265⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\dlitoee.exe
        
        C:\Windows\system32\dlitoee.exe 1752 "C:\Windows\SysWOW64\qunryez.exe"
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\qbdwxmk.exe
        
        C:\Windows\system32\qbdwxmk.exe 1756 "C:\Windows\SysWOW64\dlitoee.exe"
        267⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\zqdtnux.exe
        
        C:\Windows\system32\zqdtnux.exe 1760 "C:\Windows\SysWOW64\qbdwxmk.exe"
        268⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\moywvuu.exe
        
        C:\Windows\system32\moywvuu.exe 1764 "C:\Windows\SysWOW64\zqdtnux.exe"
        269⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\zfbzeca.exe
        
        C:\Windows\system32\zfbzeca.exe 1768 "C:\Windows\SysWOW64\moywvuu.exe"
        270⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\mvwbnkg.exe
        
        C:\Windows\system32\mvwbnkg.exe 1772 "C:\Windows\SysWOW64\zfbzeca.exe"
        271⤵
        Identifies Wine through registry keys
        
        PID:556
        
        C:\Windows\SysWOW64\zurevkl.exe
        
        C:\Windows\system32\zurevkl.exe 1776 "C:\Windows\SysWOW64\mvwbnkg.exe"
        272⤵
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\jirutsq.exe
        
        C:\Windows\system32\jirutsq.exe 1728 "C:\Windows\SysWOW64\zurevkl.exe"
        273⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\wyuwcaw.exe
        
        C:\Windows\system32\wyuwcaw.exe 1784 "C:\Windows\SysWOW64\jirutsq.exe"
        274⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\jppzlib.exe
        
        C:\Windows\system32\jppzlib.exe 1788 "C:\Windows\SysWOW64\wyuwcaw.exe"
        275⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\vnkctih.exe
        
        C:\Windows\system32\vnkctih.exe 1800 "C:\Windows\SysWOW64\jppzlib.exe"
        276⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\iemecre.exe
        
        C:\Windows\system32\iemecre.exe 1792 "C:\Windows\SysWOW64\vnkctih.exe"
        277⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\ssncayr.exe
        
        C:\Windows\system32\ssncayr.exe 1796 "C:\Windows\SysWOW64\iemecre.exe"
        278⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\ffxrgcq.exe
        
        C:\Windows\system32\ffxrgcq.exe 1804 "C:\Windows\SysWOW64\ssncayr.exe"
        279⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\kdruocw.exe
        
        C:\Windows\system32\kdruocw.exe 1812 "C:\Windows\SysWOW64\ffxrgcq.exe"
        280⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\ujsjejj.exe
        
        C:\Windows\system32\ujsjejj.exe 1808 "C:\Windows\SysWOW64\kdruocw.exe"
        281⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\hwkhkni.exe
        
        C:\Windows\system32\hwkhkni.exe 1820 "C:\Windows\SysWOW64\ujsjejj.exe"
        282⤵
        
        PID:300
        
        C:\Windows\SysWOW64\uvectnn.exe
        
        C:\Windows\system32\uvectnn.exe 1816 "C:\Windows\SysWOW64\hwkhkni.exe"
        283⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\djfzrva.exe
        
        C:\Windows\system32\djfzrva.exe 1828 "C:\Windows\SysWOW64\uvectnn.exe"
        284⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\qzaczdy.exe
        
        C:\Windows\system32\qzaczdy.exe 1824 "C:\Windows\SysWOW64\djfzrva.exe"
        285⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\dqdfild.exe
        
        C:\Windows\system32\dqdfild.exe 1832 "C:\Windows\SysWOW64\qzaczdy.exe"
        286⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\naspvgk.exe
        
        C:\Windows\system32\naspvgk.exe 1836 "C:\Windows\SysWOW64\dqdfild.exe"
        287⤵
        
        PID:916
        
        C:\Windows\SysWOW64\arnsmop.exe
        
        C:\Windows\system32\arnsmop.exe 1840 "C:\Windows\SysWOW64\naspvgk.exe"
        288⤵
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\npquuxv.exe
        
        C:\Windows\system32\npquuxv.exe 1780 "C:\Windows\SysWOW64\arnsmop.exe"
        289⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\agkxdxs.exe
        
        C:\Windows\system32\agkxdxs.exe 1848 "C:\Windows\SysWOW64\npquuxv.exe"
        290⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\nefalfy.exe
        
        C:\Windows\system32\nefalfy.exe 1852 "C:\Windows\SysWOW64\agkxdxs.exe"
        291⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\aviuune.exe
        
        C:\Windows\system32\aviuune.exe 1860 "C:\Windows\SysWOW64\nefalfy.exe"
        292⤵
        
        PID:980
        
        C:\Windows\SysWOW64\jjjskvr.exe
        
        C:\Windows\system32\jjjskvr.exe 1856 "C:\Windows\SysWOW64\aviuune.exe"
        293⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\waeutvo.exe
        
        C:\Windows\system32\waeutvo.exe 1868 "C:\Windows\SysWOW64\jjjskvr.exe"
        294⤵
        
        PID:316
        
        C:\Windows\SysWOW64\jyyxjdu.exe
        
        C:\Windows\system32\jyyxjdu.exe 1864 "C:\Windows\SysWOW64\waeutvo.exe"
        295⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\wptaslz.exe
        
        C:\Windows\system32\wptaslz.exe 1872 "C:\Windows\SysWOW64\jyyxjdu.exe"
        296⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\jfwdblf.exe
        
        C:\Windows\system32\jfwdblf.exe 1876 "C:\Windows\SysWOW64\wptaslz.exe"
        297⤵
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\ttxartk.exe
        
        C:\Windows\system32\ttxartk.exe 1880 "C:\Windows\SysWOW64\jfwdblf.exe"
        298⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\gsrvzbp.exe
        
        C:\Windows\system32\gsrvzbp.exe 1884 "C:\Windows\SysWOW64\ttxartk.exe"
        299⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\timxibv.exe
        
        C:\Windows\system32\timxibv.exe 1892 "C:\Windows\SysWOW64\gsrvzbp.exe"
        300⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\clkideb.exe
        
        C:\Windows\system32\clkideb.exe 1888 "C:\Windows\SysWOW64\timxibv.exe"
        301⤵
        Identifies Wine through registry keys
        
        PID:608
        
        C:\Windows\SysWOW64\qgtxjia.exe
        
        C:\Windows\system32\qgtxjia.exe 1896 "C:\Windows\SysWOW64\clkideb.exe"
        302⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cwoarqg.exe
        
        C:\Windows\system32\cwoarqg.exe 1912 "C:\Windows\SysWOW64\qgtxjia.exe"
        303⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\mkpxhyt.exe
        
        C:\Windows\system32\mkpxhyt.exe 1900 "C:\Windows\SysWOW64\cwoarqg.exe"
        304⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\zbraqyy.exe
        
        C:\Windows\system32\zbraqyy.exe 1904 "C:\Windows\SysWOW64\mkpxhyt.exe"
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\mzmdhgw.exe
        
        C:\Windows\system32\mzmdhgw.exe 1916 "C:\Windows\SysWOW64\zbraqyy.exe"
        306⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\zqhgpob.exe
        
        C:\Windows\system32\zqhgpob.exe 1908 "C:\Windows\SysWOW64\mzmdhgw.exe"
        307⤵
        
        PID:580
        
        C:\Windows\SysWOW64\jswqdji.exe
        
        C:\Windows\system32\jswqdji.exe 1920 "C:\Windows\SysWOW64\zqhgpob.exe"
        308⤵
        
        PID:620
        
        C:\Windows\SysWOW64\wrztlrn.exe
        
        C:\Windows\system32\wrztlrn.exe 1924 "C:\Windows\SysWOW64\jswqdji.exe"
        309⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\jhuvuzt.exe
        
        C:\Windows\system32\jhuvuzt.exe 1932 "C:\Windows\SysWOW64\wrztlrn.exe"
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\vgpycaq.exe
        
        C:\Windows\system32\vgpycaq.exe 1928 "C:\Windows\SysWOW64\jhuvuzt.exe"
        311⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\gfbvvyy.exe
        
        C:\Windows\system32\gfbvvyy.exe 1940 "C:\Windows\SysWOW64\vgpycaq.exe"
        312⤵
        
        PID:292
        
        C:\Windows\SysWOW64\ptcllgl.exe
        
        C:\Windows\system32\ptcllgl.exe 1936 "C:\Windows\SysWOW64\gfbvvyy.exe"
        313⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\ckwntor.exe
        
        C:\Windows\system32\ckwntor.exe 1948 "C:\Windows\SysWOW64\ptcllgl.exe"
        314⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\pirqcwo.exe
        
        C:\Windows\system32\pirqcwo.exe 1844 "C:\Windows\SysWOW64\ckwntor.exe"
        315⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\czutlwu.exe
        
        C:\Windows\system32\czutlwu.exe 1952 "C:\Windows\SysWOW64\pirqcwo.exe"
        316⤵
        Identifies Wine through registry keys
        
        PID:2376
        
        C:\Windows\SysWOW64\pppwtfz.exe
        
        C:\Windows\system32\pppwtfz.exe 1944 "C:\Windows\SysWOW64\czutlwu.exe"
        317⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\zdptrmm.exe
        
        C:\Windows\system32\zdptrmm.exe 1972 "C:\Windows\SysWOW64\pppwtfz.exe"
        318⤵
        
        PID:304
        
        C:\Windows\SysWOW64\lukwamk.exe
        
        C:\Windows\system32\lukwamk.exe 1960 "C:\Windows\SysWOW64\zdptrmm.exe"
        319⤵
        
        PID:796
        
        C:\Windows\SysWOW64\ysnyiuq.exe
        
        C:\Windows\system32\ysnyiuq.exe 1968 "C:\Windows\SysWOW64\lukwamk.exe"
        320⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\ljitrcv.exe
        
        C:\Windows\system32\ljitrcv.exe 1964 "C:\Windows\SysWOW64\ysnyiuq.exe"
        321⤵
        
        PID:896
        
        C:\Windows\SysWOW64\vtxdmgb.exe
        
        C:\Windows\system32\vtxdmgb.exe 1980 "C:\Windows\SysWOW64\ljitrcv.exe"
        322⤵
        Identifies Wine through registry keys
        
        PID:2064
        
        C:\Windows\SysWOW64\iksgvgh.exe
        
        C:\Windows\system32\iksgvgh.exe 1976 "C:\Windows\SysWOW64\vtxdmgb.exe"
        323⤵
        
        PID:940
        
        C:\Windows\SysWOW64\vivjdom.exe
        
        C:\Windows\system32\vivjdom.exe 1992 "C:\Windows\SysWOW64\iksgvgh.exe"
        324⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\izqlmwk.exe
        
        C:\Windows\system32\izqlmwk.exe 1984 "C:\Windows\SysWOW64\vivjdom.exe"
        325⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\sjfwzry.exe
        
        C:\Windows\system32\sjfwzry.exe 1996 "C:\Windows\SysWOW64\izqlmwk.exe"
        326⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\faiyizw.exe
        
        C:\Windows\system32\faiyizw.exe 1988 "C:\Windows\SysWOW64\sjfwzry.exe"
        327⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\sqdbrhb.exe
        
        C:\Windows\system32\sqdbrhb.exe 2000 "C:\Windows\SysWOW64\faiyizw.exe"
        328⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\tedzppp.exe
        
        C:\Windows\system32\tedzppp.exe 2004 "C:\Windows\SysWOW64\sqdbrhb.exe"
        329⤵
        
        PID:308
        
        C:\Windows\SysWOW64\grnouln.exe
        
        C:\Windows\system32\grnouln.exe 2012 "C:\Windows\SysWOW64\tedzppp.exe"
        330⤵
        
        PID:828
        
        C:\Windows\SysWOW64\tqqrdtt.exe
        
        C:\Windows\system32\tqqrdtt.exe 2008 "C:\Windows\SysWOW64\grnouln.exe"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\dsfbqwz.exe
        
        C:\Windows\system32\dsfbqwz.exe 2020 "C:\Windows\SysWOW64\tqqrdtt.exe"
        332⤵
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\ndumlzg.exe
        
        C:\Windows\system32\ndumlzg.exe 2016 "C:\Windows\SysWOW64\dsfbqwz.exe"
        333⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\aqmbrdm.exe
        
        C:\Windows\system32\aqmbrdm.exe 2036 "C:\Windows\SysWOW64\ndumlzg.exe"
        334⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\ktbmeyt.exe
        
        C:\Windows\system32\ktbmeyt.exe 2024 "C:\Windows\SysWOW64\aqmbrdm.exe"
        335⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\uafjxxa.exe
        
        C:\Windows\system32\uafjxxa.exe 2028 "C:\Windows\SysWOW64\ktbmeyt.exe"
        336⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\inxzdbz.exe
        
        C:\Windows\system32\inxzdbz.exe 2032 "C:\Windows\SysWOW64\uafjxxa.exe"
        337⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\rtywtim.exe
        
        C:\Windows\system32\rtywtim.exe 2040 "C:\Windows\SysWOW64\inxzdbz.exe"
        338⤵
        Identifies Wine through registry keys
        
        PID:3232
        
        C:\Windows\SysWOW64\erszbqk.exe
        
        C:\Windows\system32\erszbqk.exe 2044 "C:\Windows\SysWOW64\rtywtim.exe"
        339⤵
        Identifies Wine through registry keys
        
        PID:3384
        
        C:\Windows\SysWOW64\rinukrp.exe
        
        C:\Windows\system32\rinukrp.exe 2056 "C:\Windows\SysWOW64\erszbqk.exe"
        340⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\egqwtzv.exe
        
        C:\Windows\system32\egqwtzv.exe 2052 "C:\Windows\SysWOW64\rinukrp.exe"
        341⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\rxlzbhs.exe
        
        C:\Windows\system32\rxlzbhs.exe 2064 "C:\Windows\SysWOW64\egqwtzv.exe"
        342⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\bhajwkh.exe
        
        C:\Windows\system32\bhajwkh.exe 2060 "C:\Windows\SysWOW64\rxlzbhs.exe"
        343⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\oydmfke.exe
        
        C:\Windows\system32\oydmfke.exe 2072 "C:\Windows\SysWOW64\bhajwkh.exe"
        344⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\boyposk.exe
        
        C:\Windows\system32\boyposk.exe 2068 "C:\Windows\SysWOW64\oydmfke.exe"
        345⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\kznzbvq.exe
        
        C:\Windows\system32\kznzbvq.exe 2076 "C:\Windows\SysWOW64\boyposk.exe"
        346⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\xpicrww.exe
        
        C:\Windows\system32\xpicrww.exe 2080 "C:\Windows\SysWOW64\kznzbvq.exe"
        347⤵
        Identifies Wine through registry keys
        
        PID:3328
        
        C:\Windows\SysWOW64\haxmfzc.exe
        
        C:\Windows\system32\haxmfzc.exe 1956 "C:\Windows\SysWOW64\xpicrww.exe"
        348⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\urapnhh.exe
        
        C:\Windows\system32\urapnhh.exe 2088 "C:\Windows\SysWOW64\haxmfzc.exe"
        349⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\ebqzakw.exe
        
        C:\Windows\system32\ebqzakw.exe 2104 "C:\Windows\SysWOW64\urapnhh.exe"
        350⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\rohpgov.exe
        
        C:\Windows\system32\rohpgov.exe 2092 "C:\Windows\SysWOW64\ebqzakw.exe"
        351⤵
        Drops file in System32 directory
        
        PID:3956
        
        C:\Windows\SysWOW64\efcsxos.exe
        
        C:\Windows\system32\efcsxos.exe 2100 "C:\Windows\SysWOW64\rohpgov.exe"
        352⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\oprckrg.exe
        
        C:\Windows\system32\oprckrg.exe 2096 "C:\Windows\SysWOW64\efcsxos.exe"
        353⤵
        
        PID:332
        
        C:\Windows\SysWOW64\bgmftze.exe
        
        C:\Windows\system32\bgmftze.exe 2108 "C:\Windows\SysWOW64\oprckrg.exe"
        354⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\lqkpgcs.exe
        
        C:\Windows\system32\lqkpgcs.exe 2112 "C:\Windows\SysWOW64\bgmftze.exe"
        355⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\ydtfmyr.exe
        
        C:\Windows\system32\ydtfmyr.exe 2116 "C:\Windows\SysWOW64\lqkpgcs.exe"
        356⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\iruukge.exe
        
        C:\Windows\system32\iruukge.exe 2120 "C:\Windows\SysWOW64\ydtfmyr.exe"
        357⤵
        Identifies Wine through registry keys
        
        PID:3620
        
        C:\Windows\SysWOW64\srysuem.exe
        
        C:\Windows\system32\srysuem.exe 2124 "C:\Windows\SysWOW64\iruukge.exe"
        358⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\fhbudnj.exe
        
        C:\Windows\system32\fhbudnj.exe 2128 "C:\Windows\SysWOW64\srysuem.exe"
        359⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3808
        
        C:\Windows\SysWOW64\sfvxlvp.exe
        
        C:\Windows\system32\sfvxlvp.exe 2084 "C:\Windows\SysWOW64\fhbudnj.exe"
        360⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\fwqacvu.exe
        
        C:\Windows\system32\fwqacvu.exe 2136 "C:\Windows\SysWOW64\sfvxlvp.exe"
        361⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\pvcxmuu.exe
        
        C:\Windows\system32\pvcxmuu.exe 2144 "C:\Windows\SysWOW64\fwqacvu.exe"
        362⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\cuxavcz.exe
        
        C:\Windows\system32\cuxavcz.exe 2132 "C:\Windows\SysWOW64\pvcxmuu.exe"
        363⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\mwnkifg.exe
        
        C:\Windows\system32\mwnkifg.exe 2152 "C:\Windows\SysWOW64\cuxavcz.exe"
        364⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\yytaujs.exe
        
        C:\Windows\system32\yytaujs.exe 2140 "C:\Windows\SysWOW64\mwnkifg.exe"
        365⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\lpvdksq.exe
        
        C:\Windows\system32\lpvdksq.exe 2156 "C:\Windows\SysWOW64\yytaujs.exe"
        366⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\ynqftav.exe
        
        C:\Windows\system32\ynqftav.exe 2160 "C:\Windows\SysWOW64\lpvdksq.exe"
        367⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\lelibab.exe
        
        C:\Windows\system32\lelibab.exe 2164 "C:\Windows\SysWOW64\ynqftav.exe"
        368⤵
        
        PID:920
        
        C:\Windows\SysWOW64\vsmxrho.exe
        
        C:\Windows\system32\vsmxrho.exe 2168 "C:\Windows\SysWOW64\lelibab.exe"
        369⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\ifdvxln.exe
        
        C:\Windows\system32\ifdvxln.exe 2172 "C:\Windows\SysWOW64\vsmxrho.exe"
        370⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\vvyqgts.exe
        
        C:\Windows\system32\vvyqgts.exe 2188 "C:\Windows\SysWOW64\ifdvxln.exe"
        371⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\ejznetx.exe
        
        C:\Windows\system32\ejznetx.exe 2148 "C:\Windows\SysWOW64\vvyqgts.exe"
        372⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\ritqmbd.exe
        
        C:\Windows\system32\ritqmbd.exe 2176 "C:\Windows\SysWOW64\ejznetx.exe"
        373⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\evlgsfc.exe
        
        C:\Windows\system32\evlgsfc.exe 2184 "C:\Windows\SysWOW64\ritqmbd.exe"
        374⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\ojmdimp.exe
        
        C:\Windows\system32\ojmdimp.exe 2192 "C:\Windows\SysWOW64\evlgsfc.exe"
        375⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\bzggrmu.exe
        
        C:\Windows\system32\bzggrmu.exe 2180 "C:\Windows\SysWOW64\ojmdimp.exe"
        376⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\gqjiiva.exe
        
        C:\Windows\system32\gqjiiva.exe 2200 "C:\Windows\SysWOW64\bzggrmu.exe"
        377⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\toelqdx.exe
        
        C:\Windows\system32\toelqdx.exe 2204 "C:\Windows\SysWOW64\gqjiiva.exe"
        378⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\gfzozdd.exe
        
        C:\Windows\system32\gfzozdd.exe 2208 "C:\Windows\SysWOW64\toelqdx.exe"
        379⤵
        
        PID:3420
        
        C:\Windows\SysWOW64\ptadpkq.exe
        
        C:\Windows\system32\ptadpkq.exe 2196 "C:\Windows\SysWOW64\gfzozdd.exe"
        380⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cjugxtw.exe
        
        C:\Windows\system32\cjugxtw.exe 2216 "C:\Windows\SysWOW64\ptadpkq.exe"
        381⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\pixjgtt.exe
        
        C:\Windows\system32\pixjgtt.exe 2220 "C:\Windows\SysWOW64\cjugxtw.exe"
        382⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cyslpbz.exe
        
        C:\Windows\system32\cyslpbz.exe 2224 "C:\Windows\SysWOW64\pixjgtt.exe"
        383⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\mjhwkef.exe
        
        C:\Windows\system32\mjhwkef.exe 2228 "C:\Windows\SysWOW64\cyslpbz.exe"
        384⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\zakysml.exe
        
        C:\Windows\system32\zakysml.exe 2232 "C:\Windows\SysWOW64\mjhwkef.exe"
        385⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\mqfbbmq.exe
        
        C:\Windows\system32\mqfbbmq.exe 2248 "C:\Windows\SysWOW64\zakysml.exe"
        386⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\zpaekuo.exe
        
        C:\Windows\system32\zpaekuo.exe 2236 "C:\Windows\SysWOW64\mqfbbmq.exe"
        387⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\idaticb.exe
        
        C:\Windows\system32\idaticb.exe 2240 "C:\Windows\SysWOW64\zpaekuo.exe"
        388⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\vtvwqcg.exe
        
        C:\Windows\system32\vtvwqcg.exe 2244 "C:\Windows\SysWOW64\idaticb.exe"
        389⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\ikyyzkm.exe
        
        C:\Windows\system32\ikyyzkm.exe 2252 "C:\Windows\SysWOW64\vtvwqcg.exe"
        390⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\vitbisj.exe
        
        C:\Windows\system32\vitbisj.exe 2268 "C:\Windows\SysWOW64\ikyyzkm.exe"
        391⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\fhfzsrr.exe
        
        C:\Windows\system32\fhfzsrr.exe 2272 "C:\Windows\SysWOW64\vitbisj.exe"
        392⤵
        Identifies Wine through registry keys
        
        PID:3476
        
        C:\Windows\SysWOW64\sgabbrw.exe
        
        C:\Windows\system32\sgabbrw.exe 2256 "C:\Windows\SysWOW64\fhfzsrr.exe"
        393⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmazzzk.exe
        
        C:\Windows\system32\cmazzzk.exe 2260 "C:\Windows\SysWOW64\sgabbrw.exe"
        394⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\pkvbhhh.exe
        
        C:\Windows\system32\pkvbhhh.exe 2276 "C:\Windows\SysWOW64\cmazzzk.exe"
        395⤵
        System Location Discovery: System Language Discovery
        
        PID:3896
        
        C:\Windows\SysWOW64\zjzzsgp.exe
        
        C:\Windows\system32\zjzzsgp.exe 2280 "C:\Windows\SysWOW64\pkvbhhh.exe"
        396⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\llnodkt.exe
        
        C:\Windows\system32\llnodkt.exe 2264 "C:\Windows\SysWOW64\zjzzsgp.exe"
        397⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\zyxejoa.exe
        
        C:\Windows\system32\zyxejoa.exe 2288 "C:\Windows\SysWOW64\llnodkt.exe"
        398⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\mpshrwx.exe
        
        C:\Windows\system32\mpshrwx.exe 2284 "C:\Windows\SysWOW64\zyxejoa.exe"
        399⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\woeekvf.exe
        
        C:\Windows\system32\woeekvf.exe 2292 "C:\Windows\SysWOW64\mpshrwx.exe"
        400⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\aqmejfp.exe
        
        C:\Windows\system32\aqmejfp.exe 2296 "C:\Windows\SysWOW64\woeekvf.exe"
        401⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\tporgyr.exe
        
        C:\Windows\system32\tporgyr.exe 2300 "C:\Windows\SysWOW64\aqmejfp.exe"
        402⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\calcbbx.exe
        
        C:\Windows\system32\calcbbx.exe 2212 "C:\Windows\SysWOW64\tporgyr.exe"
        403⤵
        Drops file in System32 directory
        
        PID:1916
        
        C:\Windows\SysWOW64\purjmoj.exe
        
        C:\Windows\system32\purjmoj.exe 2304 "C:\Windows\SysWOW64\calcbbx.exe"
        404⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\cpbhssi.exe
        
        C:\Windows\system32\cpbhssi.exe 2316 "C:\Windows\SysWOW64\purjmoj.exe"
        405⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\pfecbso.exe
        
        C:\Windows\system32\pfecbso.exe 2312 "C:\Windows\SysWOW64\cpbhssi.exe"
        406⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\zqtmovu.exe
        
        C:\Windows\system32\zqtmovu.exe 2324 "C:\Windows\SysWOW64\pfecbso.exe"
        407⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\mgopxda.exe
        
        C:\Windows\system32\mgopxda.exe 2320 "C:\Windows\SysWOW64\zqtmovu.exe"
        408⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\wjdzsgg.exe
        
        C:\Windows\system32\wjdzsgg.exe 2328 "C:\Windows\SysWOW64\mgopxda.exe"
        409⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\jhycagl.exe
        
        C:\Windows\system32\jhycagl.exe 2332 "C:\Windows\SysWOW64\wjdzsgg.exe"
        410⤵
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\tkwmoks.exe
        
        C:\Windows\system32\tkwmoks.exe 2344 "C:\Windows\SysWOW64\jhycagl.exe"
        411⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\giqpwsx.exe
        
        C:\Windows\system32\giqpwsx.exe 2336 "C:\Windows\SysWOW64\tkwmoks.exe"
        412⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\szlsnav.exe
        
        C:\Windows\system32\szlsnav.exe 2348 "C:\Windows\SysWOW64\giqpwsx.exe"
        413⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\ckbcavj.exe
        
        C:\Windows\system32\ckbcavj.exe 2340 "C:\Windows\SysWOW64\szlsnav.exe"
        414⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\padfjdh.exe
        
        C:\Windows\system32\padfjdh.exe 2352 "C:\Windows\SysWOW64\ckbcavj.exe"
        415⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\czyhrlm.exe
        
        C:\Windows\system32\czyhrlm.exe 2356 "C:\Windows\SysWOW64\padfjdh.exe"
        416⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\pptkaus.exe
        
        C:\Windows\system32\pptkaus.exe 2372 "C:\Windows\SysWOW64\czyhrlm.exe"
        417⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cgwniup.exe
        
        C:\Windows\system32\cgwniup.exe 2360 "C:\Windows\SysWOW64\pptkaus.exe"
        418⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\muwcgbd.exe
        
        C:\Windows\system32\muwcgbd.exe 2380 "C:\Windows\SysWOW64\cgwniup.exe"
        419⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\zkrfpji.exe
        
        C:\Windows\system32\zkrfpji.exe 2364 "C:\Windows\SysWOW64\muwcgbd.exe"
        420⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\mjmiyjo.exe
        
        C:\Windows\system32\mjmiyjo.exe 2376 "C:\Windows\SysWOW64\zkrfpji.exe"
        421⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\yzpkgsl.exe
        
        C:\Windows\system32\yzpkgsl.exe 2368 "C:\Windows\SysWOW64\mjmiyjo.exe"
        422⤵
        Identifies Wine through registry keys
        
        PID:3372
        
        C:\Windows\SysWOW64\ikevuva.exe
        
        C:\Windows\system32\ikevuva.exe 2396 "C:\Windows\SysWOW64\yzpkgsl.exe"
        423⤵
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\vazxkdx.exe
        
        C:\Windows\system32\vazxkdx.exe 2384 "C:\Windows\SysWOW64\ikevuva.exe"
        424⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\xloixyl.exe
        
        C:\Windows\system32\xloixyl.exe 2392 "C:\Windows\SysWOW64\vazxkdx.exe"
        425⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\kbrkggj.exe
        
        C:\Windows\system32\kbrkggj.exe 2388 "C:\Windows\SysWOW64\xloixyl.exe"
        426⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\xamnpop.exe
        
        C:\Windows\system32\xamnpop.exe 2408 "C:\Windows\SysWOW64\kbrkggj.exe"
        427⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\kqhqxou.exe
        
        C:\Windows\system32\kqhqxou.exe 2400 "C:\Windows\SysWOW64\xamnpop.exe"
        428⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\utwsssa.exe
        
        C:\Windows\system32\utwsssa.exe 2412 "C:\Windows\SysWOW64\kqhqxou.exe"
        429⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\hrzvbag.exe
        
        C:\Windows\system32\hrzvbag.exe 2404 "C:\Windows\SysWOW64\utwsssa.exe"
        430⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\uiuykil.exe
        
        C:\Windows\system32\uiuykil.exe 2428 "C:\Windows\SysWOW64\hrzvbag.exe"
        431⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\ggpasij.exe
        
        C:\Windows\system32\ggpasij.exe 2416 "C:\Windows\SysWOW64\uiuykil.exe"
        432⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\qjmlflx.exe
        
        C:\Windows\system32\qjmlflx.exe 2420 "C:\Windows\SysWOW64\ggpasij.exe"
        433⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\dhhnotv.exe
        
        C:\Windows\system32\dhhnotv.exe 2308 "C:\Windows\SysWOW64\qjmlflx.exe"
        434⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\nkwyjwj.exe
        
        C:\Windows\system32\nkwyjwj.exe 2436 "C:\Windows\SysWOW64\dhhnotv.exe"
        435⤵
        Identifies Wine through registry keys
        
        PID:3380
        
        C:\Windows\SysWOW64\abrasxh.exe
        
        C:\Windows\system32\abrasxh.exe 2432 "C:\Windows\SysWOW64\nkwyjwj.exe"
        436⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\nzudafm.exe
        
        C:\Windows\system32\nzudafm.exe 2444 "C:\Windows\SysWOW64\abrasxh.exe"
        437⤵
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\aqpgjns.exe
        
        C:\Windows\system32\aqpgjns.exe 2440 "C:\Windows\SysWOW64\nzudafm.exe"
        438⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\kxtdtmz.exe
        
        C:\Windows\system32\kxtdtmz.exe 2452 "C:\Windows\SysWOW64\aqpgjns.exe"
        439⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\xnwgcmx.exe
        
        C:\Windows\system32\xnwgcmx.exe 2448 "C:\Windows\SysWOW64\kxtdtmz.exe"
        440⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\hqlqxpl.exe
        
        C:\Windows\system32\hqlqxpl.exe 2464 "C:\Windows\SysWOW64\xnwgcmx.exe"
        441⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\uogtgxj.exe
        
        C:\Windows\system32\uogtgxj.exe 2456 "C:\Windows\SysWOW64\hqlqxpl.exe"
        442⤵
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\ervdtax.exe
        
        C:\Windows\system32\ervdtax.exe 2460 "C:\Windows\SysWOW64\uogtgxj.exe"
        443⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\rpyyciv.exe
        
        C:\Windows\system32\rpyyciv.exe 2468 "C:\Windows\SysWOW64\ervdtax.exe"
        444⤵
        Drops file in System32 directory
        
        PID:1708
        
        C:\Windows\SysWOW64\egtbsja.exe
        
        C:\Windows\system32\egtbsja.exe 2472 "C:\Windows\SysWOW64\rpyyciv.exe"
        445⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\qeodbrg.exe
        
        C:\Windows\system32\qeodbrg.exe 2476 "C:\Windows\SysWOW64\egtbsja.exe"
        446⤵
        Drops file in System32 directory
        
        PID:1912
        
        C:\Windows\SysWOW64\akobryt.exe
        
        C:\Windows\system32\akobryt.exe 2480 "C:\Windows\SysWOW64\qeodbrg.exe"
        447⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\njrdayq.exe
        
        C:\Windows\system32\njrdayq.exe 2484 "C:\Windows\SysWOW64\akobryt.exe"
        448⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\awbtfcp.exe
        
        C:\Windows\system32\awbtfcp.exe 2488 "C:\Windows\SysWOW64\njrdayq.exe"
        449⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\kkbrdkc.exe
        
        C:\Windows\system32\kkbrdkc.exe 2492 "C:\Windows\SysWOW64\awbtfcp.exe"
        450⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\xawtmsi.exe
        
        C:\Windows\system32\xawtmsi.exe 2424 "C:\Windows\SysWOW64\kkbrdkc.exe"
        451⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\knojsoh.exe
        
        C:\Windows\system32\knojsoh.exe 2496 "C:\Windows\SysWOW64\xawtmsi.exe"
        452⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\ucogivu.exe
        
        C:\Windows\system32\ucogivu.exe 2516 "C:\Windows\SysWOW64\knojsoh.exe"
        453⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\gsjbqdz.exe
        
        C:\Windows\system32\gsjbqdz.exe 2504 "C:\Windows\SysWOW64\ucogivu.exe"
        454⤵
        Identifies Wine through registry keys
        
        PID:3356
        
        C:\Windows\SysWOW64\trmezdx.exe
        
        C:\Windows\system32\trmezdx.exe 2508 "C:\Windows\SysWOW64\gsjbqdz.exe"
        455⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\ghhgqmc.exe
        
        C:\Windows\system32\ghhgqmc.exe 2512 "C:\Windows\SysWOW64\trmezdx.exe"
        456⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\tgbjyui.exe
        
        C:\Windows\system32\tgbjyui.exe 2520 "C:\Windows\SysWOW64\ghhgqmc.exe"
        457⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\dmcgobv.exe
        
        C:\Windows\system32\dmcgobv.exe 2524 "C:\Windows\SysWOW64\tgbjyui.exe"
        458⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\qkxjxbt.exe
        
        C:\Windows\system32\qkxjxbt.exe 2528 "C:\Windows\SysWOW64\dmcgobv.exe"
        459⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\dbamgky.exe
        
        C:\Windows\system32\dbamgky.exe 2532 "C:\Windows\SysWOW64\qkxjxbt.exe"
        460⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\qzupose.exe
        
        C:\Windows\system32\qzupose.exe 2548 "C:\Windows\SysWOW64\dbamgky.exe"
        461⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cqprxsj.exe
        
        C:\Windows\system32\cqprxsj.exe 2536 "C:\Windows\SysWOW64\qzupose.exe"
        462⤵
        Drops file in System32 directory
        
        PID:3448
        
        C:\Windows\SysWOW64\npbpprj.exe
        
        C:\Windows\system32\npbpprj.exe 2540 "C:\Windows\SysWOW64\cqprxsj.exe"
        463⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\zrhwbdv.exe
        
        C:\Windows\system32\zrhwbdv.exe 2544 "C:\Windows\SysWOW64\npbpprj.exe"
        464⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\jtxhogc.exe
        
        C:\Windows\system32\jtxhogc.exe 2556 "C:\Windows\SysWOW64\zrhwbdv.exe"
        465⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\wssjwgh.exe
        
        C:\Windows\system32\wssjwgh.exe 2564 "C:\Windows\SysWOW64\jtxhogc.exe"
        466⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\jiumfpf.exe
        
        C:\Windows\system32\jiumfpf.exe 2572 "C:\Windows\SysWOW64\wssjwgh.exe"
        467⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\whppwxk.exe
        
        C:\Windows\system32\whppwxk.exe 2568 "C:\Windows\SysWOW64\jiumfpf.exe"
        468⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\gnqmmex.exe
        
        C:\Windows\system32\gnqmmex.exe 2552 "C:\Windows\SysWOW64\whppwxk.exe"
        469⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\sllpued.exe
        
        C:\Windows\system32\sllpued.exe 2500 "C:\Windows\SysWOW64\gnqmmex.exe"
        470⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\fcnsdna.exe
        
        C:\Windows\system32\fcnsdna.exe 2576 "C:\Windows\SysWOW64\sllpued.exe"
        471⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\saiulvg.exe
        
        C:\Windows\system32\saiulvg.exe 2580 "C:\Windows\SysWOW64\fcnsdna.exe"
        472⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\frdpuvl.exe
        
        C:\Windows\system32\frdpuvl.exe 2584 "C:\Windows\SysWOW64\saiulvg.exe"
        473⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\hfemscz.exe
        
        C:\Windows\system32\hfemscz.exe 2588 "C:\Windows\SysWOW64\frdpuvl.exe"
        474⤵
        
        PID:760
        
        C:\Windows\SysWOW64\uvzpbkw.exe
        
        C:\Windows\system32\uvzpbkw.exe 2592 "C:\Windows\SysWOW64\hfemscz.exe"
        475⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\hubsjlc.exe
        
        C:\Windows\system32\hubsjlc.exe 2596 "C:\Windows\SysWOW64\uvzpbkw.exe"
        476⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\ukwusth.exe
        
        C:\Windows\system32\ukwusth.exe 2560 "C:\Windows\SysWOW64\hubsjlc.exe"
        477⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\hbrxbbf.exe
        
        C:\Windows\system32\hbrxbbf.exe 2604 "C:\Windows\SysWOW64\ukwusth.exe"
        478⤵
        Identifies Wine through registry keys
        
        PID:3948
        
        C:\Windows\SysWOW64\qpsuzis.exe
        
        C:\Windows\system32\qpsuzis.exe 2612 "C:\Windows\SysWOW64\hbrxbbf.exe"
        479⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\douphjx.exe
        
        C:\Windows\system32\douphjx.exe 2600 "C:\Windows\SysWOW64\qpsuzis.exe"
        480⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\qepsqrd.exe
        
        C:\Windows\system32\qepsqrd.exe 2624 "C:\Windows\SysWOW64\douphjx.exe"
        481⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\dvkuyzb.exe
        
        C:\Windows\system32\dvkuyzb.exe 2620 "C:\Windows\SysWOW64\qepsqrd.exe"
        482⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:3104
        
        C:\Windows\SysWOW64\qtnxhzg.exe
        
        C:\Windows\system32\qtnxhzg.exe 2628 "C:\Windows\SysWOW64\dvkuyzb.exe"
        483⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\zhnvxgt.exe
        
        C:\Windows\system32\zhnvxgt.exe 2616 "C:\Windows\SysWOW64\qtnxhzg.exe"
        484⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\myixopz.exe
        
        C:\Windows\system32\myixopz.exe 2644 "C:\Windows\SysWOW64\zhnvxgt.exe"
        485⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\zodawpw.exe
        
        C:\Windows\system32\zodawpw.exe 2608 "C:\Windows\SysWOW64\myixopz.exe"
        486⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\jzskjsl.exe
        
        C:\Windows\system32\jzskjsl.exe 2636 "C:\Windows\SysWOW64\zodawpw.exe"
        487⤵
        Identifies Wine through registry keys
        
        PID:2052
        
        C:\Windows\SysWOW64\zdbfnfh.exe
        
        C:\Windows\system32\zdbfnfh.exe 2640 "C:\Windows\SysWOW64\jzskjsl.exe"
        488⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:3404
        
        C:\Windows\SysWOW64\jrbvdfv.exe
        
        C:\Windows\system32\jrbvdfv.exe 2648 "C:\Windows\SysWOW64\zdbfnfh.exe"
        489⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\wiwxmns.exe
        
        C:\Windows\system32\wiwxmns.exe 2652 "C:\Windows\SysWOW64\jrbvdfv.exe"
        490⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\jgravvy.exe
        
        C:\Windows\system32\jgravvy.exe 2660 "C:\Windows\SysWOW64\wiwxmns.exe"
        491⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\vxudldd.exe
        
        C:\Windows\system32\vxudldd.exe 2656 "C:\Windows\SysWOW64\jgravvy.exe"
        492⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\ivpfudb.exe
        
        C:\Windows\system32\ivpfudb.exe 2668 "C:\Windows\SysWOW64\vxudldd.exe"
        493⤵
        Drops file in System32 directory
        
        PID:3088
        
        C:\Windows\SysWOW64\sbpdklo.exe
        
        C:\Windows\system32\sbpdklo.exe 2664 "C:\Windows\SysWOW64\ivpfudb.exe"
        494⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\fakfttt.exe
        
        C:\Windows\system32\fakfttt.exe 2672 "C:\Windows\SysWOW64\sbpdklo.exe"
        495⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\sqnabtz.exe
        
        C:\Windows\system32\sqnabtz.exe 2676 "C:\Windows\SysWOW64\fakfttt.exe"
        496⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cbclwwf.exe
        
        C:\Windows\system32\cbclwwf.exe 2684 "C:\Windows\SysWOW64\sqnabtz.exe"
        497⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\prxnfel.exe
        
        C:\Windows\system32\prxnfel.exe 2680 "C:\Windows\SysWOW64\cbclwwf.exe"
        498⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cqsqomi.exe
        
        C:\Windows\system32\cqsqomi.exe 2688 "C:\Windows\SysWOW64\prxnfel.exe"
        499⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\pgvtwno.exe
        
        C:\Windows\system32\pgvtwno.exe 2692 "C:\Windows\SysWOW64\cqsqomi.exe"
        500⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\bxpvfvu.exe
        
        C:\Windows\system32\bxpvfvu.exe 2700 "C:\Windows\SysWOW64\pgvtwno.exe"
        501⤵
        Drops file in System32 directory
        
        PID:3464
        
        C:\Windows\SysWOW64\lhfgsya.exe
        
        C:\Windows\system32\lhfgsya.exe 2704 "C:\Windows\SysWOW64\bxpvfvu.exe"
        502⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\yyiijyf.exe
        
        C:\Windows\system32\yyiijyf.exe 2712 "C:\Windows\SysWOW64\lhfgsya.exe"
        503⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\lwclrgl.exe
        
        C:\Windows\system32\lwclrgl.exe 2696 "C:\Windows\SysWOW64\yyiijyf.exe"
        504⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\vddahoq.exe
        
        C:\Windows\system32\vddahoq.exe 2708 "C:\Windows\SysWOW64\lwclrgl.exe"
        505⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\ibydqww.exe
        
        C:\Windows\system32\ibydqww.exe 2716 "C:\Windows\SysWOW64\vddahoq.exe"
        506⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\vstgywb.exe
        
        C:\Windows\system32\vstgywb.exe 2632 "C:\Windows\SysWOW64\ibydqww.exe"
        507⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\iqvjheh.exe
        
        C:\Windows\system32\iqvjheh.exe 2724 "C:\Windows\SysWOW64\vstgywb.exe"
        508⤵
        Identifies Wine through registry keys
        
        PID:4028
        
        C:\Windows\SysWOW64\ugqlqme.exe
        
        C:\Windows\system32\ugqlqme.exe 2740 "C:\Windows\SysWOW64\iqvjheh.exe"
        509⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\evrjomr.exe
        
        C:\Windows\system32\evrjomr.exe 2732 "C:\Windows\SysWOW64\ugqlqme.exe"
        510⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\rlmlwux.exe
        
        C:\Windows\system32\rlmlwux.exe 2720 "C:\Windows\SysWOW64\evrjomr.exe"
        511⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\ekpofcc.exe
        
        C:\Windows\system32\ekpofcc.exe 2736 "C:\Windows\SysWOW64\rlmlwux.exe"
        512⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\rajroca.exe
        
        C:\Windows\system32\rajroca.exe 2744 "C:\Windows\SysWOW64\ekpofcc.exe"
        513⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\eretwkg.exe
        
        C:\Windows\system32\eretwkg.exe 2748 "C:\Windows\SysWOW64\rajroca.exe"
        514⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\nffjust.exe
        
        C:\Windows\system32\nffjust.exe 2756 "C:\Windows\SysWOW64\eretwkg.exe"
        515⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\adalday.exe
        
        C:\Windows\system32\adalday.exe 2752 "C:\Windows\SysWOW64\nffjust.exe"
        516⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\nucolaw.exe
        
        C:\Windows\system32\nucolaw.exe 2764 "C:\Windows\SysWOW64\adalday.exe"
        517⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\akxruib.exe
        
        C:\Windows\system32\akxruib.exe 2728 "C:\Windows\SysWOW64\nucolaw.exe"
        518⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\njstdqh.exe
        
        C:\Windows\system32\njstdqh.exe 2768 "C:\Windows\SysWOW64\akxruib.exe"
        519⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\xxtrbqm.exe
        
        C:\Windows\system32\xxtrbqm.exe 2772 "C:\Windows\SysWOW64\njstdqh.exe"
        520⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\hwfolpu.exe
        
        C:\Windows\system32\hwfolpu.exe 2780 "C:\Windows\SysWOW64\xxtrbqm.exe"
        521⤵
        Drops file in System32 directory
        
        PID:3320
        
        C:\Windows\SysWOW64\xafjpcq.exe
        
        C:\Windows\system32\xafjpcq.exe 2776 "C:\Windows\SysWOW64\hwfolpu.exe"
        522⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\zzrhzby.exe
        
        C:\Windows\system32\zzrhzby.exe 2788 "C:\Windows\SysWOW64\xafjpcq.exe"
        523⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\jnseqil.exe
        
        C:\Windows\system32\jnseqil.exe 2784 "C:\Windows\SysWOW64\zzrhzby.exe"
        524⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\tnwbihs.exe
        
        C:\Windows\system32\tnwbihs.exe 2796 "C:\Windows\SysWOW64\jnseqil.exe"
        525⤵
        Identifies Wine through registry keys
        
        PID:2940
        
        C:\Windows\SysWOW64\jzewmmp.exe
        
        C:\Windows\system32\jzewmmp.exe 2760 "C:\Windows\SysWOW64\tnwbihs.exe"
        526⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\sfxmcuc.exe
        
        C:\Windows\system32\sfxmcuc.exe 2804 "C:\Windows\SysWOW64\jzewmmp.exe"
        527⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\feaolua.exe
        
        C:\Windows\system32\feaolua.exe 2800 "C:\Windows\SysWOW64\sfxmcuc.exe"
        528⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\srjeqyh.exe
        
        C:\Windows\system32\srjeqyh.exe 2812 "C:\Windows\SysWOW64\feaolua.exe"
        529⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cfkcofm.exe
        
        C:\Windows\system32\cfkcofm.exe 2808 "C:\Windows\SysWOW64\srjeqyh.exe"
        530⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\pvnexnr.exe
        
        C:\Windows\system32\pvnexnr.exe 2828 "C:\Windows\SysWOW64\cfkcofm.exe"
        531⤵
        Identifies Wine through registry keys
        
        PID:3668
        
        C:\Windows\SysWOW64\ciwudjq.exe
        
        C:\Windows\system32\ciwudjq.exe 2820 "C:\Windows\SysWOW64\pvnexnr.exe"
        532⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\mtleqme.exe
        
        C:\Windows\system32\mtleqme.exe 2816 "C:\Windows\SysWOW64\ciwudjq.exe"
        533⤵
        Drops file in System32 directory
        
        PID:2792
        
        C:\Windows\SysWOW64\zvsubzj.exe
        
        C:\Windows\system32\zvsubzj.exe 2824 "C:\Windows\SysWOW64\mtleqme.exe"
        534⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
        
        C:\Windows\SysWOW64\mluxkho.exe
        
        C:\Windows\system32\mluxkho.exe 2832 "C:\Windows\SysWOW64\zvsubzj.exe"
        535⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\ycpzthm.exe
        
        C:\Windows\system32\ycpzthm.exe 2844 "C:\Windows\SysWOW64\mluxkho.exe"
        536⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\imfcoka.exe
        
        C:\Windows\system32\imfcoka.exe 2840 "C:\Windows\SysWOW64\ycpzthm.exe"
        537⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\vdhewsy.exe
        
        C:\Windows\system32\vdhewsy.exe 2836 "C:\Windows\SysWOW64\imfcoka.exe"
        538⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\ibchfsd.exe
        
        C:\Windows\system32\ibchfsd.exe 2860 "C:\Windows\SysWOW64\vdhewsy.exe"
        539⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\vsxkobj.exe
        
        C:\Windows\system32\vsxkobj.exe 2856 "C:\Windows\SysWOW64\ibchfsd.exe"
        540⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\fgyhmiw.exe
        
        C:\Windows\system32\fgyhmiw.exe 2852 "C:\Windows\SysWOW64\vsxkobj.exe"
        541⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\stpxsmv.exe
        
        C:\Windows\system32\stpxsmv.exe 2848 "C:\Windows\SysWOW64\fgyhmiw.exe"
        542⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\cstuclc.exe
        
        C:\Windows\system32\cstuclc.exe 2864 "C:\Windows\SysWOW64\stpxsmv.exe"
        543⤵
        Identifies Wine through registry keys
        
        PID:3120
        
        C:\Windows\SysWOW64\puzknph.exe
        
        C:\Windows\system32\puzknph.exe 2868 "C:\Windows\SysWOW64\cstuclc.exe"
        544⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\ztlhyoo.exe
        
        C:\Windows\system32\ztlhyoo.exe 2876 "C:\Windows\SysWOW64\puzknph.exe"
        545⤵
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\msgkowm.exe
        
        C:\Windows\system32\msgkowm.exe 2872 "C:\Windows\SysWOW64\ztlhyoo.exe"
        546⤵
        Identifies Wine through registry keys
        
        PID:1552
        
        C:\Windows\SysWOW64\zibnxer.exe
        
        C:\Windows\system32\zibnxer.exe 2792 "C:\Windows\SysWOW64\msgkowm.exe"
        547⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\iwcknee.exe
        
        C:\Windows\system32\iwcknee.exe 2884 "C:\Windows\SysWOW64\zibnxer.exe"
        548⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\vnwnwmk.exe
        
        C:\Windows\system32\vnwnwmk.exe 2888 "C:\Windows\SysWOW64\iwcknee.exe"
        549⤵
        Drops file in System32 directory
        
        PID:3240
        
        C:\Windows\SysWOW64\ilzieuh.exe
        
        C:\Windows\system32\ilzieuh.exe 2892 "C:\Windows\SysWOW64\vnwnwmk.exe"
        550⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\vcuknun.exe
        
        C:\Windows\system32\vcuknun.exe 2896 "C:\Windows\SysWOW64\ilzieuh.exe"
        551⤵
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\fejvixt.exe
        
        C:\Windows\system32\fejvixt.exe 2900 "C:\Windows\SysWOW64\vcuknun.exe"
        552⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\sdmxrfz.exe
        
        C:\Windows\system32\sdmxrfz.exe 2904 "C:\Windows\SysWOW64\fejvixt.exe"
        553⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\fthazoe.exe
        
        C:\Windows\system32\fthazoe.exe 2908 "C:\Windows\SysWOW64\sdmxrfz.exe"
        554⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\sscdioc.exe
        
        C:\Windows\system32\sscdioc.exe 2912 "C:\Windows\SysWOW64\fthazoe.exe"
        555⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\bydayvp.exe
        
        C:\Windows\system32\bydayvp.exe 2916 "C:\Windows\SysWOW64\sscdioc.exe"
        556⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\ptuqmzo.exe
        
        C:\Windows\system32\ptuqmzo.exe 2920 "C:\Windows\SysWOW64\bydayvp.exe"
        557⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\yvjazcc.exe
        
        C:\Windows\system32\yvjazcc.exe 2924 "C:\Windows\SysWOW64\ptuqmzo.exe"
        558⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\lmedica.exe
        
        C:\Windows\system32\lmedica.exe 2940 "C:\Windows\SysWOW64\yvjazcc.exe"
        559⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\vwunvfo.exe
        
        C:\Windows\system32\vwunvfo.exe 2928 "C:\Windows\SysWOW64\lmedica.exe"
        560⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\inwqdom.exe
        
        C:\Windows\system32\inwqdom.exe 2932 "C:\Windows\SysWOW64\vwunvfo.exe"
        561⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\vlrtuwr.exe
        
        C:\Windows\system32\vlrtuwr.exe 2936 "C:\Windows\SysWOW64\inwqdom.exe"
        562⤵
        System Location Discovery: System Language Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\icmndwx.exe
        
        C:\Windows\system32\icmndwx.exe 2880 "C:\Windows\SysWOW64\vlrtuwr.exe"
        563⤵
        Identifies Wine through registry keys
        
        PID:3780
        
        C:\Windows\SysWOW64\vapqlec.exe
        
        C:\Windows\system32\vapqlec.exe 2944 "C:\Windows\SysWOW64\icmndwx.exe"
        564⤵
        Identifies Wine through registry keys
        
        PID:3692
        
        C:\Windows\SysWOW64\fhqnbmh.exe
        
        C:\Windows\system32\fhqnbmh.exe 2952 "C:\Windows\SysWOW64\vapqlec.exe"
        565⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\sczdhho.exe
        
        C:\Windows\system32\sczdhho.exe 2956 "C:\Windows\SysWOW64\fhqnbmh.exe"
        566⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\ceoncku.exe
        
        C:\Windows\system32\ceoncku.exe 2960 "C:\Windows\SysWOW64\sczdhho.exe"
        567⤵
        Drops file in System32 directory
        
        PID:3700
        
        C:\Windows\SysWOW64\ovrqlta.exe
        
        C:\Windows\system32\ovrqlta.exe 2976 "C:\Windows\SysWOW64\ceoncku.exe"
        568⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\btmttby.exe
        
        C:\Windows\system32\btmttby.exe 2964 "C:\Windows\SysWOW64\ovrqlta.exe"
        569⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\okhwcbd.exe
        
        C:\Windows\system32\okhwcbd.exe 2968 "C:\Windows\SysWOW64\btmttby.exe"
        570⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\quwgpej.exe
        
        C:\Windows\system32\quwgpej.exe 2980 "C:\Windows\SysWOW64\okhwcbd.exe"
        571⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\docobrw.exe
        
        C:\Windows\system32\docobrw.exe 2972 "C:\Windows\SysWOW64\quwgpej.exe"
        572⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\qnfqrzt.exe
        
        C:\Windows\system32\qnfqrzt.exe 2984 "C:\Windows\SysWOW64\docobrw.exe"
        573⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\ddatazz.exe
        
        C:\Windows\system32\ddatazz.exe 2988 "C:\Windows\SysWOW64\qnfqrzt.exe"
        574⤵
        Identifies Wine through registry keys
        
        PID:3656
        
        C:\Windows\SysWOW64\qcvwjhe.exe
        
        C:\Windows\system32\qcvwjhe.exe 2996 "C:\Windows\SysWOW64\ddatazz.exe"
        575⤵
        Drops file in System32 directory
        
        PID:3416
        
        C:\Windows\SysWOW64\zivtzos.exe
        
        C:\Windows\system32\zivtzos.exe 2992 "C:\Windows\SysWOW64\qcvwjhe.exe"
        576⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\mgywhpp.exe
        
        C:\Windows\system32\mgywhpp.exe 3004 "C:\Windows\SysWOW64\zivtzos.exe"
        577⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\zxtyqxv.exe
        
        C:\Windows\system32\zxtyqxv.exe 3000 "C:\Windows\SysWOW64\mgywhpp.exe"
        578⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\mvobyfa.exe
        
        C:\Windows\system32\mvobyfa.exe 3008 "C:\Windows\SysWOW64\zxtyqxv.exe"
        579⤵
        Drops file in System32 directory
        
        PID:3224
        
        C:\Windows\SysWOW64\zmrepfy.exe
        
        C:\Windows\system32\zmrepfy.exe 2948 "C:\Windows\SysWOW64\mvobyfa.exe"
        580⤵
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\jartfnl.exe
        
        C:\Windows\system32\jartfnl.exe 3020 "C:\Windows\SysWOW64\zmrepfy.exe"
        581⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\wnbjlqk.exe
        
        C:\Windows\system32\wnbjlqk.exe 3016 "C:\Windows\SysWOW64\jartfnl.exe"
        582⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\iphzwvw.exe
        
        C:\Windows\system32\iphzwvw.exe 3036 "C:\Windows\SysWOW64\wnbjlqk.exe"
        583⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\vfkbfdu.exe
        
        C:\Windows\system32\vfkbfdu.exe 3012 "C:\Windows\SysWOW64\iphzwvw.exe"
        584⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\iweenlz.exe
        
        C:\Windows\system32\iweenlz.exe 3028 "C:\Windows\SysWOW64\vfkbfdu.exe"
        585⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\skfbltm.exe
        
        C:\Windows\system32\skfbltm.exe 3032 "C:\Windows\SysWOW64\iweenlz.exe"
        586⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\fiaeuts.exe
        
        C:\Windows\system32\fiaeuts.exe 3040 "C:\Windows\SysWOW64\skfbltm.exe"
        587⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\szvhdbp.exe
        
        C:\Windows\system32\szvhdbp.exe 3044 "C:\Windows\SysWOW64\fiaeuts.exe"
        588⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\fpybljv.exe
        
        C:\Windows\system32\fpybljv.exe 3052 "C:\Windows\SysWOW64\szvhdbp.exe"
        589⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\roseuja.exe
        
        C:\Windows\system32\roseuja.exe 3024 "C:\Windows\SysWOW64\fpybljv.exe"
        590⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\bctbsro.exe
        
        C:\Windows\system32\bctbsro.exe 3060 "C:\Windows\SysWOW64\roseuja.exe"
        591⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\otoebzl.exe
        
        C:\Windows\system32\otoebzl.exe 3056 "C:\Windows\SysWOW64\bctbsro.exe"
        592⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\bjrhjzr.exe
        
        C:\Windows\system32\bjrhjzr.exe 3064 "C:\Windows\SysWOW64\otoebzl.exe"
        593⤵
        Drops file in System32 directory
        
        PID:4868
        
        C:\Windows\SysWOW64\ohlkshw.exe
        
        C:\Windows\system32\ohlkshw.exe 3048 "C:\Windows\SysWOW64\bjrhjzr.exe"
        594⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\bygmapc.exe
        
        C:\Windows\system32\bygmapc.exe 3076 "C:\Windows\SysWOW64\ohlkshw.exe"
        595⤵
        
        PID:484
        
        C:\Windows\SysWOW64\owjpjqz.exe
        
        C:\Windows\system32\owjpjqz.exe 3080 "C:\Windows\SysWOW64\bygmapc.exe"
        596⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\xdcehxm.exe
        
        C:\Windows\system32\xdcehxm.exe 3088 "C:\Windows\SysWOW64\owjpjqz.exe"
        597⤵
        Identifies Wine through registry keys
        
        PID:4196
        
        C:\Windows\SysWOW64\kbehqfs.exe
        
        C:\Windows\system32\kbehqfs.exe 3068 "C:\Windows\SysWOW64\xdcehxm.exe"
        598⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\xszkynp.exe
        
        C:\Windows\system32\xszkynp.exe 3092 "C:\Windows\SysWOW64\kbehqfs.exe"
        599⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\kqumhov.exe
        
        C:\Windows\system32\kqumhov.exe 3096 "C:\Windows\SysWOW64\xszkynp.exe"
        600⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\xhxppwb.exe
        
        C:\Windows\system32\xhxppwb.exe 3100 "C:\Windows\SysWOW64\kqumhov.exe"
        601⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\hvxmfdo.exe
        
        C:\Windows\system32\hvxmfdo.exe 3084 "C:\Windows\SysWOW64\xhxppwb.exe"
        602⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\ulspodl.exe
        
        C:\Windows\system32\ulspodl.exe 3108 "C:\Windows\SysWOW64\hvxmfdo.exe"
        603⤵
        Identifies Wine through registry keys
        
        PID:3648
        
        C:\Windows\SysWOW64\gknsflr.exe
        
        C:\Windows\system32\gknsflr.exe 3112 "C:\Windows\SysWOW64\ulspodl.exe"
        604⤵
        
        PID:648
        
        C:\Windows\SysWOW64\taqmnuw.exe
        
        C:\Windows\system32\taqmnuw.exe 3116 "C:\Windows\SysWOW64\gknsflr.exe"
        605⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\grlpwuc.exe
        
        C:\Windows\system32\grlpwuc.exe 3120 "C:\Windows\SysWOW64\taqmnuw.exe"
        606⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\qflnmbh.exe
        
        C:\Windows\system32\qflnmbh.exe 3128 "C:\Windows\SysWOW64\grlpwuc.exe"
        607⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\ddgpvjn.exe
        
        C:\Windows\system32\ddgpvjn.exe 3104 "C:\Windows\SysWOW64\qflnmbh.exe"
        608⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\qujsdss.exe
        
        C:\Windows\system32\qujsdss.exe 3132 "C:\Windows\SysWOW64\ddgpvjn.exe"
        609⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\dkevmsy.exe
        
        C:\Windows\system32\dkevmsy.exe 3124 "C:\Windows\SysWOW64\qujsdss.exe"
        610⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\qjzxcav.exe
        
        C:\Windows\system32\qjzxcav.exe 3152 "C:\Windows\SysWOW64\dkevmsy.exe"
        611⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\zxznshi.exe
        
        C:\Windows\system32\zxznshi.exe 3136 "C:\Windows\SysWOW64\qjzxcav.exe"
        612⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\mnupbho.exe
        
        C:\Windows\system32\mnupbho.exe 3148 "C:\Windows\SysWOW64\zxznshi.exe"
        613⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\zexskqt.exe
        
        C:\Windows\system32\zexskqt.exe 3144 "C:\Windows\SysWOW64\mnupbho.exe"
        614⤵
        Identifies Wine through registry keys
        
        PID:4476
        
        C:\Windows\SysWOW64\mcsvsyr.exe
        
        C:\Windows\system32\mcsvsyr.exe 3140 "C:\Windows\SysWOW64\zexskqt.exe"
        615⤵
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\ztmxbyx.exe
        
        C:\Windows\system32\ztmxbyx.exe 3160 "C:\Windows\SysWOW64\mcsvsyr.exe"
        616⤵
        Identifies Wine through registry keys
        
        PID:5000
        
        C:\Windows\SysWOW64\jhnvzfk.exe
        
        C:\Windows\system32\jhnvzfk.exe 3168 "C:\Windows\SysWOW64\ztmxbyx.exe"
        617⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\vxqxhop.exe
        
        C:\Windows\system32\vxqxhop.exe 3156 "C:\Windows\SysWOW64\jhnvzfk.exe"
        618⤵
        Identifies Wine through registry keys
        
        PID:3720
        
        C:\Windows\SysWOW64\iwlaqwn.exe
        
        C:\Windows\system32\iwlaqwn.exe 3172 "C:\Windows\SysWOW64\vxqxhop.exe"
        619⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\vmgdzws.exe
        
        C:\Windows\system32\vmgdzws.exe 3176 "C:\Windows\SysWOW64\iwlaqwn.exe"
        620⤵
        Identifies Wine through registry keys
        
        PID:4184
        
        C:\Windows\SysWOW64\aliyhey.exe
        
        C:\Windows\system32\aliyhey.exe 3180 "C:\Windows\SysWOW64\vmgdzws.exe"
        621⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\krbvfld.exe
        
        C:\Windows\system32\krbvfld.exe 3184 "C:\Windows\SysWOW64\aliyhey.exe"
        622⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\xetllhk.exe
        
        C:\Windows\system32\xetllhk.exe 3192 "C:\Windows\SysWOW64\krbvfld.exe"
        623⤵
        Identifies Wine through registry keys
        
        PID:4540
        
        C:\Windows\SysWOW64\kgzawuo.exe
        
        C:\Windows\system32\kgzawuo.exe 3196 "C:\Windows\SysWOW64\xetllhk.exe"
        624⤵
        Identifies Wine through registry keys
        
        PID:4864
        
        C:\Windows\SysWOW64\xetdfcu.exe
        
        C:\Windows\system32\xetdfcu.exe 3208 "C:\Windows\SysWOW64\kgzawuo.exe"
        625⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\jvwgocr.exe
        
        C:\Windows\system32\jvwgocr.exe 3188 "C:\Windows\SysWOW64\xetdfcu.exe"
        626⤵
        Identifies Wine through registry keys
        
        PID:5052
        
        C:\Windows\SysWOW64\tymqbfg.exe
        
        C:\Windows\system32\tymqbfg.exe 3164 "C:\Windows\SysWOW64\jvwgocr.exe"
        627⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\gasyusk.exe
        
        C:\Windows\system32\gasyusk.exe 3204 "C:\Windows\SysWOW64\tymqbfg.exe"
        628⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\tymadap.exe
        
        C:\Windows\system32\tymadap.exe 3212 "C:\Windows\SysWOW64\gasyusk.exe"
        629⤵
        Drops file in System32 directory
        
        PID:4232
        
        C:\Windows\SysWOW64\gppdman.exe
        
        C:\Windows\system32\gppdman.exe 3216 "C:\Windows\SysWOW64\tymadap.exe"
        630⤵
        Identifies Wine through registry keys
        
        PID:4700
        
        C:\Windows\SysWOW64\tfkguit.exe
        
        C:\Windows\system32\tfkguit.exe 3220 "C:\Windows\SysWOW64\gppdman.exe"
        631⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\ctldkqg.exe
        
        C:\Windows\system32\ctldkqg.exe 3224 "C:\Windows\SysWOW64\tfkguit.exe"
        632⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\psfgtql.exe
        
        C:\Windows\system32\psfgtql.exe 3228 "C:\Windows\SysWOW64\ctldkqg.exe"
        633⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\ciijbyj.exe
        
        C:\Windows\system32\ciijbyj.exe 3232 "C:\Windows\SysWOW64\psfgtql.exe"
        634⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\pzdlsgo.exe
        
        C:\Windows\system32\pzdlsgo.exe 3236 "C:\Windows\SysWOW64\ciijbyj.exe"
        635⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cxyobgu.exe
        
        C:\Windows\system32\cxyobgu.exe 3240 "C:\Windows\SysWOW64\pzdlsgo.exe"
        636⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\mlzdroh.exe
        
        C:\Windows\system32\mlzdroh.exe 3244 "C:\Windows\SysWOW64\cxyobgu.exe"
        637⤵
        Drops file in System32 directory
        
        PID:4536
        
        C:\Windows\SysWOW64\zctgzwe.exe
        
        C:\Windows\system32\zctgzwe.exe 3256 "C:\Windows\SysWOW64\mlzdroh.exe"
        638⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\mswjiek.exe
        
        C:\Windows\system32\mswjiek.exe 3248 "C:\Windows\SysWOW64\zctgzwe.exe"
        639⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\yrrlqeq.exe
        
        C:\Windows\system32\yrrlqeq.exe 3252 "C:\Windows\SysWOW64\mswjiek.exe"
        640⤵
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\lhmohmn.exe
        
        C:\Windows\system32\lhmohmn.exe 3260 "C:\Windows\SysWOW64\yrrlqeq.exe"
        641⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\vvmlxua.exe
        
        C:\Windows\system32\vvmlxua.exe 3264 "C:\Windows\SysWOW64\lhmohmn.exe"
        642⤵
        Identifies Wine through registry keys
        
        PID:4244
        
        C:\Windows\SysWOW64\impogug.exe
        
        C:\Windows\system32\impogug.exe 3268 "C:\Windows\SysWOW64\vvmlxua.exe"
        643⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\vkkjocl.exe
        
        C:\Windows\system32\vkkjocl.exe 3272 "C:\Windows\SysWOW64\impogug.exe"
        644⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\ibflxkj.exe
        
        C:\Windows\system32\ibflxkj.exe 3280 "C:\Windows\SysWOW64\vkkjocl.exe"
        645⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\vziogko.exe
        
        C:\Windows\system32\vziogko.exe 3276 "C:\Windows\SysWOW64\ibflxkj.exe"
        646⤵
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\efamesc.exe
        
        C:\Windows\system32\efamesc.exe 3284 "C:\Windows\SysWOW64\vziogko.exe"
        647⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\redomah.exe
        
        C:\Windows\system32\redomah.exe 3288 "C:\Windows\SysWOW64\efamesc.exe"
        648⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\erneseg.exe
        
        C:\Windows\system32\erneseg.exe 3296 "C:\Windows\SysWOW64\redomah.exe"
        649⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\ofnbidt.exe
        
        C:\Windows\system32\ofnbidt.exe 3292 "C:\Windows\SysWOW64\erneseg.exe"
        650⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\bvqermr.exe
        
        C:\Windows\system32\bvqermr.exe 3304 "C:\Windows\SysWOW64\ofnbidt.exe"
        651⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\omlhhuw.exe
        
        C:\Windows\system32\omlhhuw.exe 3308 "C:\Windows\SysWOW64\bvqermr.exe"
        652⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\bkgjquc.exe
        
        C:\Windows\system32\bkgjquc.exe 3200 "C:\Windows\SysWOW64\omlhhuw.exe"
        653⤵
        Identifies Wine through registry keys
        
        PID:4276
        
        C:\Windows\SysWOW64\obieych.exe
        
        C:\Windows\system32\obieych.exe 3312 "C:\Windows\SysWOW64\bkgjquc.exe"
        654⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\xpbbojm.exe
        
        C:\Windows\system32\xpbbojm.exe 3324 "C:\Windows\SysWOW64\obieych.exe"
        655⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\kgeexss.exe
        
        C:\Windows\system32\kgeexss.exe 3316 "C:\Windows\SysWOW64\xpbbojm.exe"
        656⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\xezhgsx.exe
        
        C:\Windows\system32\xezhgsx.exe 3328 "C:\Windows\SysWOW64\kgeexss.exe"
        657⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\kuukoav.exe
        
        C:\Windows\system32\kuukoav.exe 3320 "C:\Windows\SysWOW64\xezhgsx.exe"
        658⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\xtwmfib.exe
        
        C:\Windows\system32\xtwmfib.exe 3332 "C:\Windows\SysWOW64\kuukoav.exe"
        659⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\hzxcvio.exe
        
        C:\Windows\system32\hzxcvio.exe 3300 "C:\Windows\SysWOW64\xtwmfib.exe"
        660⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\uyseeqt.exe
        
        C:\Windows\system32\uyseeqt.exe 3344 "C:\Windows\SysWOW64\hzxcvio.exe"
        661⤵
        Identifies Wine through registry keys
        
        PID:5116
        
        C:\Windows\SysWOW64\gonhmyr.exe
        
        C:\Windows\system32\gonhmyr.exe 3340 "C:\Windows\SysWOW64\uyseeqt.exe"
        662⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\tnpkvyw.exe
        
        C:\Windows\system32\tnpkvyw.exe 3360 "C:\Windows\SysWOW64\gonhmyr.exe"
        663⤵
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\gdkmdgc.exe
        
        C:\Windows\system32\gdkmdgc.exe 3348 "C:\Windows\SysWOW64\tnpkvyw.exe"
        664⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\qrlkbop.exe
        
        C:\Windows\system32\qrlkbop.exe 3352 "C:\Windows\SysWOW64\gdkmdgc.exe"
        665⤵
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\SysWOW64\digmkwn.exe
        
        C:\Windows\system32\digmkwn.exe 3336 "C:\Windows\SysWOW64\qrlkbop.exe"
        666⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\qgiptws.exe
        
        C:\Windows\system32\qgiptws.exe 3368 "C:\Windows\SysWOW64\digmkwn.exe"
        667⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\dxdsbey.exe
        
        C:\Windows\system32\dxdsbey.exe 3364 "C:\Windows\SysWOW64\qgiptws.exe"
        668⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\qnyukmd.exe
        
        C:\Windows\system32\qnyukmd.exe 3372 "C:\Windows\SysWOW64\dxdsbey.exe"
        669⤵
        Identifies Wine through registry keys
        
        PID:3856
        
        C:\Windows\SysWOW64\rbzkimi.exe
        
        C:\Windows\system32\rbzkimi.exe 3356 "C:\Windows\SysWOW64\qnyukmd.exe"
        670⤵
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\eaunquo.exe
        
        C:\Windows\system32\eaunquo.exe 3380 "C:\Windows\SysWOW64\rbzkimi.exe"
        671⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\rqwpzct.exe
        
        C:\Windows\system32\rqwpzct.exe 3376 "C:\Windows\SysWOW64\eaunquo.exe"
        672⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\ehrsicz.exe
        
        C:\Windows\system32\ehrsicz.exe 3388 "C:\Windows\SysWOW64\rqwpzct.exe"
        673⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\rfmvqkw.exe
        
        C:\Windows\system32\rfmvqkw.exe 3384 "C:\Windows\SysWOW64\ehrsicz.exe"
        674⤵
        Identifies Wine through registry keys
        
        PID:4216
        
        C:\Windows\SysWOW64\bijfdol.exe
        
        C:\Windows\system32\bijfdol.exe 3396 "C:\Windows\SysWOW64\rfmvqkw.exe"
        675⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\nkpnxap.exe
        
        C:\Windows\system32\nkpnxap.exe 3392 "C:\Windows\SysWOW64\bijfdol.exe"
        676⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\bxzkdwo.exe
        
        C:\Windows\system32\bxzkdwo.exe 3400 "C:\Windows\SysWOW64\nkpnxap.exe"
        677⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\nzfsois.exe
        
        C:\Windows\system32\nzfsois.exe 3404 "C:\Windows\SysWOW64\bxzkdwo.exe"
        678⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\apivxqy.exe
        
        C:\Windows\system32\apivxqy.exe 3416 "C:\Windows\SysWOW64\nzfsois.exe"
        679⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\kdasnql.exe
        
        C:\Windows\system32\kdasnql.exe 3412 "C:\Windows\SysWOW64\apivxqy.exe"
        680⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\xudvvyi.exe
        
        C:\Windows\system32\xudvvyi.exe 3420 "C:\Windows\SysWOW64\kdasnql.exe"
        681⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\ksyxego.exe
        
        C:\Windows\system32\ksyxego.exe 3428 "C:\Windows\SysWOW64\xudvvyi.exe"
        682⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\xjtavgu.exe
        
        C:\Windows\system32\xjtavgu.exe 3432 "C:\Windows\SysWOW64\ksyxego.exe"
        683⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\jhwddpz.exe
        
        C:\Windows\system32\jhwddpz.exe 3424 "C:\Windows\SysWOW64\xjtavgu.exe"
        684⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\tnwstwe.exe
        
        C:\Windows\system32\tnwstwe.exe 3436 "C:\Windows\SysWOW64\jhwddpz.exe"
        685⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\gmrvcwk.exe
        
        C:\Windows\system32\gmrvcwk.exe 3440 "C:\Windows\SysWOW64\tnwstwe.exe"
        686⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\tcmykep.exe
        
        C:\Windows\system32\tcmykep.exe 3444 "C:\Windows\SysWOW64\gmrvcwk.exe"
        687⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\gbpatnv.exe
        
        C:\Windows\system32\gbpatnv.exe 3408 "C:\Windows\SysWOW64\tcmykep.exe"
        688⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\trkdcvs.exe
        
        C:\Windows\system32\trkdcvs.exe 3456 "C:\Windows\SysWOW64\gbpatnv.exe"
        689⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\cgkaaug.exe
        
        C:\Windows\system32\cgkaaug.exe 3452 "C:\Windows\SysWOW64\trkdcvs.exe"
        690⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\pwfdicl.exe
        
        C:\Windows\system32\pwfdicl.exe 3472 "C:\Windows\SysWOW64\cgkaaug.exe"
        691⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\cvayrkr.exe
        
        C:\Windows\system32\cvayrkr.exe 3476 "C:\Windows\SysWOW64\pwfdicl.exe"
        692⤵
        Identifies Wine through registry keys
        
        PID:4696
        
        C:\Windows\SysWOW64\pldazlo.exe
        
        C:\Windows\system32\pldazlo.exe 3460 "C:\Windows\SysWOW64\cvayrkr.exe"
        693⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\ccxditu.exe
        
        C:\Windows\system32\ccxditu.exe 3464 "C:\Windows\SysWOW64\pldazlo.exe"
        694⤵
        Drops file in System32 directory
        
        PID:4264
        
        C:\Windows\SysWOW64\mqyagah.exe
        
        C:\Windows\system32\mqyagah.exe 3468 "C:\Windows\SysWOW64\ccxditu.exe"
        695⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\zotdpam.exe
        
        C:\Windows\system32\zotdpam.exe 3480 "C:\Windows\SysWOW64\mqyagah.exe"
        696⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\mfwgxjk.exe
        
        C:\Windows\system32\mfwgxjk.exe 3492 "C:\Windows\SysWOW64\zotdpam.exe"
        697⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\yvqjgrq.exe
        
        C:\Windows\system32\yvqjgrq.exe 3484 "C:\Windows\SysWOW64\mfwgxjk.exe"
        698⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\lullprv.exe
        
        C:\Windows\system32\lullprv.exe 3496 "C:\Windows\SysWOW64\yvqjgrq.exe"
        699⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\vimbfya.exe
        
        C:\Windows\system32\vimbfya.exe 3448 "C:\Windows\SysWOW64\lullprv.exe"
        700⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\iypdvgg.exe
        
        C:\Windows\system32\iypdvgg.exe 3512 "C:\Windows\SysWOW64\vimbfya.exe"
        701⤵
        System Location Discovery: System Language Discovery
        
        PID:4732
        
        C:\Windows\SysWOW64\vpkgepl.exe
        
        C:\Windows\system32\vpkgepl.exe 3504 "C:\Windows\SysWOW64\iypdvgg.exe"
        702⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\inejmpr.exe
        
        C:\Windows\system32\inejmpr.exe 3508 "C:\Windows\SysWOW64\vpkgepl.exe"
        703⤵
        
        PID:668
        
        C:\Windows\SysWOW64\vehlvxo.exe
        
        C:\Windows\system32\vehlvxo.exe 3500 "C:\Windows\SysWOW64\inejmpr.exe"
        704⤵
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\foxwiad.exe
        
        C:\Windows\system32\foxwiad.exe 3516 "C:\Windows\SysWOW64\vehlvxo.exe"
        705⤵
        Drops file in System32 directory
        
        PID:4552
        
        C:\Windows\SysWOW64\ridlufh.exe
        
        C:\Windows\system32\ridlufh.exe 3520 "C:\Windows\SysWOW64\foxwiad.exe"
        706⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\ehxoknn.exe
        
        C:\Windows\system32\ehxoknn.exe 3524 "C:\Windows\SysWOW64\ridlufh.exe"
        707⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\rxsrtvk.exe
        
        C:\Windows\system32\rxsrtvk.exe 3528 "C:\Windows\SysWOW64\ehxoknn.exe"
        708⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\ewvlbvq.exe
        
        C:\Windows\system32\ewvlbvq.exe 3544 "C:\Windows\SysWOW64\rxsrtvk.exe"
        709⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\ocwjscd.exe
        
        C:\Windows\system32\ocwjscd.exe 3532 "C:\Windows\SysWOW64\ewvlbvq.exe"
        710⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\baqmali.exe
        
        C:\Windows\system32\baqmali.exe 3540 "C:\Windows\SysWOW64\ocwjscd.exe"
        711⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\nrlojtg.exe
        
        C:\Windows\system32\nrlojtg.exe 3488 "C:\Windows\SysWOW64\baqmali.exe"
        712⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\xbbzeou.exe
        
        C:\Windows\system32\xbbzeou.exe 3548 "C:\Windows\SysWOW64\nrlojtg.exe"
        713⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\ngjuibr.exe
        
        C:\Windows\system32\ngjuibr.exe 3536 "C:\Windows\SysWOW64\xbbzeou.exe"
        714⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\xujjyje.exe
        
        C:\Windows\system32\xujjyje.exe 3560 "C:\Windows\SysWOW64\ngjuibr.exe"
        715⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\kkemhjc.exe
        
        C:\Windows\system32\kkemhjc.exe 3556 "C:\Windows\SysWOW64\xujjyje.exe"
        716⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\xjzoprh.exe
        
        C:\Windows\system32\xjzoprh.exe 3564 "C:\Windows\SysWOW64\kkemhjc.exe"
        717⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\kzcryzn.exe
        
        C:\Windows\system32\kzcryzn.exe 3568 "C:\Windows\SysWOW64\xjzoprh.exe"
        718⤵
        
        PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\nhlduqy.exe

Filesize
519KB

MD5
ebb8f6a9404068518cf8e14da9df95c5

SHA1
06851421db48a190c656eaf65d6919cb242572cc

SHA256
cb54b281d83fd949fca3317e5d7b9fa941ebb6cc183bea69c7334bd0c0b92461

SHA512
6538129c0b64c6d738f3b51eee41d7d6120811106fba35efdbe72b39c08339ee23af657a622608e914a0e156186fadde25fbd3d3a63c24ccc343d14402a56f59

Download Submit
memory/328-335-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/448-461-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/600-517-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/684-412-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/868-426-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/876-405-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/888-188-0x0000000004860000-0x0000000004A37000-memory.dmp

Filesize
1.8MB

Download
memory/888-191-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/888-187-0x0000000004860000-0x0000000004A37000-memory.dmp

Filesize
1.8MB

Download
memory/1064-274-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1068-538-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1080-293-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1100-475-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1128-391-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1144-93-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1144-69-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1148-419-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1204-468-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1236-68-0x0000000004890000-0x0000000004A67000-memory.dmp

Filesize
1.8MB

Download
memory/1236-67-0x0000000004890000-0x0000000004A67000-memory.dmp

Filesize
1.8MB

Download
memory/1236-52-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1236-54-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1236-56-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1236-66-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1508-174-0x00000000048D0000-0x0000000004AA7000-memory.dmp

Filesize
1.8MB

Download
memory/1508-177-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1564-434-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1604-265-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1624-510-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1676-300-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1716-109-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1716-94-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1716-106-0x00000000049D0000-0x0000000004BA7000-memory.dmp

Filesize
1.8MB

Download
memory/1736-120-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1736-108-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1756-440-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1764-545-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1792-258-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1856-161-0x00000000048A0000-0x0000000004A77000-memory.dmp

Filesize
1.8MB

Download
memory/1856-164-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1856-160-0x00000000048A0000-0x0000000004A77000-memory.dmp

Filesize
1.8MB

Download
memory/1856-149-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1936-524-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1940-316-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1984-307-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1988-81-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/1988-96-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2020-328-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2080-244-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2080-243-0x00000000049C0000-0x0000000004B97000-memory.dmp

Filesize
1.8MB

Download
memory/2080-242-0x00000000049C0000-0x0000000004B97000-memory.dmp

Filesize
1.8MB

Download
memory/2108-204-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2108-217-0x0000000004920000-0x0000000004AF7000-memory.dmp

Filesize
1.8MB

Download
memory/2108-216-0x0000000004920000-0x0000000004AF7000-memory.dmp

Filesize
1.8MB

Download
memory/2108-220-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2112-400-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2152-342-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2172-286-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2176-566-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2188-279-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2212-531-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-4-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-18-0x00000000047C0000-0x0000000004997000-memory.dmp

Filesize
1.8MB

Download
memory/2280-7-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-11-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-20-0x00000000047C0000-0x0000000004997000-memory.dmp

Filesize
1.8MB

Download
memory/2280-3-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-0-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-6-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-2-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2280-1-0x0000000000401000-0x000000000042A000-memory.dmp

Filesize
164KB

Download
memory/2280-5-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2352-377-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2356-321-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2448-385-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2468-552-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2536-206-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2536-202-0x0000000004870000-0x0000000004A47000-memory.dmp

Filesize
1.8MB

Download
memory/2536-201-0x0000000004870000-0x0000000004A47000-memory.dmp

Filesize
1.8MB

Download
memory/2564-147-0x0000000004840000-0x0000000004A17000-memory.dmp

Filesize
1.8MB

Download
memory/2564-146-0x0000000004840000-0x0000000004A17000-memory.dmp

Filesize
1.8MB

Download
memory/2564-150-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2576-503-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2608-447-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2668-42-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2668-50-0x00000000047F0000-0x00000000049C7000-memory.dmp

Filesize
1.8MB

Download
memory/2668-45-0x00000000047F0000-0x00000000049C7000-memory.dmp

Filesize
1.8MB

Download
memory/2668-37-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2668-38-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2756-560-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2768-489-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2776-252-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2784-21-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2784-23-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2784-35-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2784-34-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2840-133-0x00000000047D0000-0x00000000049A7000-memory.dmp

Filesize
1.8MB

Download
memory/2840-121-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2840-134-0x00000000047D0000-0x00000000049A7000-memory.dmp

Filesize
1.8MB

Download
memory/2840-136-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2856-454-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2908-498-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2924-351-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-231-0x00000000048E0000-0x0000000004AB7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-230-0x00000000048E0000-0x0000000004AB7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-233-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2944-122-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/2952-372-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/3000-482-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/3004-357-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download
memory/3008-364-0x0000000000400000-0x00000000005D7000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads