metasploit | d9a4c7563632f29fa26548660bd4131faf2cfe5a7fc58564883680018dafee6d

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe
Size

527KB
MD5

f051ab4e7b5646a97caafe260e99df7b
SHA1

0f2f7661cfccb9e9ef030b4c7cbcae591c277081
SHA256

d9a4c7563632f29fa26548660bd4131faf2cfe5a7fc58564883680018dafee6d
SHA512

05140c4e52c1d0ca249d4e62daef86acea6eb0591b7bb9ca05ede05c99d3f9597ad82123bfab1c85d402e7e107df2483151db03f65a00b86878267ced867ba45
SSDEEP

12288:VBCrp/biz1OZUvtrZk3lKcKn265pi0F4zv3:VBCrpjiz4OZ+gnp2SWv3

Score

10^/10

metasploit backdoor discovery evasion trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 64 IoCs

pid	Process
1496	qzwntof.exe
1144	qjtwsir.exe
2416	smuogll.exe
1628	dslzijt.exe
3016	zenpzuz.exe
1568	jzexsrv.exe
748	ywnhheo.exe
1480	cifnljf.exe
2844	ijyiovs.exe
2532	udmitug.exe
2704	yxefxzg.exe
2364	nnnyeez.exe
964	xtqtigu.exe
1792	qshgeql.exe
1552	kjgtbak.exe
2616	wdnthzy.exe
2216	eayrsfk.exe
2936	frnzkwi.exe
2960	sefoqah.exe
2032	pjagwiz.exe
2332	pumzlue.exe
1860	onnrfgn.exe
1816	wvjjzwx.exe
2480	vrvpwng.exe
2752	druplbk.exe
2848	awphjju.exe
1772	rlnmarf.exe
2020	exumoru.exe
2136	oirxbua.exe
2884	dupcfcm.exe
316	typxjhr.exe
1748	cbnayxh.exe
2280	kyxfhqk.exe
2256	bmxcmeb.exe
2592	grrkfgg.exe
2528	vzddgkt.exe
2300	aqixcyf.exe
2544	khvnoko.exe
968	udoywex.exe
1988	dgmsdun.exe
1576	ofqywtu.exe
2380	gfbvvyy.exe
2780	qeftfxg.exe
2904	kohblzt.exe
3000	pbaiejy.exe
2376	ebmbffm.exe
892	lutguhu.exe
2476	gpywuac.exe
2316	nwmogpm.exe
2708	pkorjqa.exe
1248	mlheftm.exe
2832	yomtfmu.exe
3004	dwqgtag.exe
2648	yzvwtuo.exe
3044	fgjonjq.exe
1032	xkfzpta.exe
1612	hjjwzsi.exe
1776	tdqefrw.exe
1656	bllwzgf.exe
2620	qtgpakt.exe
2764	awvznoz.exe
2900	piterwl.exe
568	zhxcjnt.exe
1472	lybxmii.exe

Identifies Wine through registry keys 2 TTPs 64 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	xwfmapq.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	ruaccgs.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	ghucmcp.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	lakcjpr.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	dzlcvin.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	sarrpjq.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	fnimxrs.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	sryenbw.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	dgmsdun.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	czljfej.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	wdnthzy.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	bxinygg.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	eyrxzoj.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	bblorpg.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	pkorjqa.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	icycblp.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	wdtbkwe.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	rlnblza.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	trywamz.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	dsairfl.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	balkgrc.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	achsevy.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	qdltvep.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	wsugwrv.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	hsakphi.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	bweodus.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	jiqidei.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	kpmbkpc.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	fbulcji.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	hefrygo.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	ufcjxhp.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	oafjndi.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	ifhceaf.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	hqynhom.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	gwgtsnd.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	uukwfgv.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	oxwmkyd.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	lcrkysq.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	alyhaoz.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	ywnhheo.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	cbnayxh.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	hwtaeib.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	npqcyrz.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	sksyvkn.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	cifnljf.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	kllmbdl.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	jurdniy.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	ebboonc.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	nemsbdz.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	rsifchi.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	nvjykds.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	wyyidzi.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	rxybxzp.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	sombing.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	xpqnbgg.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	drkvqem.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	zipimkx.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	smuogll.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	awphjju.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	bnafxea.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	gcqowwn.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	zpujsjf.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	zwijowt.exe
Key opened	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Wine	zzjsihr.exe

Loads dropped DLL 64 IoCs

pid	Process
2808	f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe
2808	f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe
1496	qzwntof.exe
1496	qzwntof.exe
1144	qjtwsir.exe
1144	qjtwsir.exe
2416	smuogll.exe
2416	smuogll.exe
1628	dslzijt.exe
1628	dslzijt.exe
3016	zenpzuz.exe
3016	zenpzuz.exe
1568	jzexsrv.exe
1568	jzexsrv.exe
748	ywnhheo.exe
748	ywnhheo.exe
2228	odunric.exe
2228	odunric.exe
2844	ijyiovs.exe
2844	ijyiovs.exe
2532	udmitug.exe
2532	udmitug.exe
2704	yxefxzg.exe
2704	yxefxzg.exe
2364	nnnyeez.exe
2364	nnnyeez.exe
964	xtqtigu.exe
964	xtqtigu.exe
1792	qshgeql.exe
1792	qshgeql.exe
1552	kjgtbak.exe
1552	kjgtbak.exe
2616	wdnthzy.exe
2616	wdnthzy.exe
2216	eayrsfk.exe
2216	eayrsfk.exe
2936	frnzkwi.exe
2936	frnzkwi.exe
2960	sefoqah.exe
2960	sefoqah.exe
2032	pjagwiz.exe
2032	pjagwiz.exe
2332	pumzlue.exe
2332	pumzlue.exe
1860	onnrfgn.exe
1860	onnrfgn.exe
1816	wvjjzwx.exe
1816	wvjjzwx.exe
2480	vrvpwng.exe
2480	vrvpwng.exe
2752	druplbk.exe
2752	druplbk.exe
2848	awphjju.exe
2848	awphjju.exe
1772	rlnmarf.exe
1772	rlnmarf.exe
2020	exumoru.exe
2020	exumoru.exe
2136	oirxbua.exe
2136	oirxbua.exe
2884	dupcfcm.exe
2884	dupcfcm.exe
316	typxjhr.exe
316	typxjhr.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\exumoru.exe	rlnmarf.exe
File created	C:\Windows\SysWOW64\mkiuvtz.exe	fgyhmiw.exe
File opened for modification	C:\Windows\SysWOW64\aykillu.exe	qzylbmm.exe
File created	C:\Windows\SysWOW64\axhnmgz.exe	tliixmq.exe
File created	C:\Windows\SysWOW64\vaanzii.exe	icfkizd.exe
File created	C:\Windows\SysWOW64\ppgllnk.exe	fqufaod.exe
File created	C:\Windows\SysWOW64\budkpvg.exe	qzcrhbf.exe
File created	C:\Windows\SysWOW64\hjjwzsi.exe	xkfzpta.exe
File created	C:\Windows\SysWOW64\ysljmzu.exe	owkyfeu.exe
File opened for modification	C:\Windows\SysWOW64\fmksrvi.exe	vuunmxp.exe
File created	C:\Windows\SysWOW64\quacazc.exe	lakcjpr.exe
File created	C:\Windows\SysWOW64\aqtmquk.exe	quacazc.exe
File opened for modification	C:\Windows\SysWOW64\yilcnfm.exe	nmsjfll.exe
File opened for modification	C:\Windows\SysWOW64\oxhygry.exe	eyvbosq.exe
File created	C:\Windows\SysWOW64\muvkzkl.exe	byvasqk.exe
File created	C:\Windows\SysWOW64\wlrmvjb.exe	rrjexzq.exe
File created	C:\Windows\SysWOW64\lwprzsn.exe	gdhrahd.exe
File opened for modification	C:\Windows\SysWOW64\tsdvvyf.exe	jlqxkzy.exe
File created	C:\Windows\SysWOW64\wvkfgzt.exe	mzruzfs.exe
File created	C:\Windows\SysWOW64\lezwlaj.exe	ekbrwhb.exe
File created	C:\Windows\SysWOW64\qnnxkca.exe	goaazet.exe
File created	C:\Windows\SysWOW64\mkxulmd.exe	chikqjx.exe
File opened for modification	C:\Windows\SysWOW64\dsairfl.exe	wcfixic.exe
File created	C:\Windows\SysWOW64\iloadtg.exe	brivorx.exe
File opened for modification	C:\Windows\SysWOW64\boyxanw.exe	oxdurnq.exe
File opened for modification	C:\Windows\SysWOW64\fbulcji.exe	akpqgdw.exe
File opened for modification	C:\Windows\SysWOW64\zhxcjnt.exe	piterwl.exe
File opened for modification	C:\Windows\SysWOW64\ciralua.exe	uxkvobs.exe
File created	C:\Windows\SysWOW64\vtkexzu.exe	luyhfam.exe
File opened for modification	C:\Windows\SysWOW64\bnafxea.exe	wihyeco.exe
File opened for modification	C:\Windows\SysWOW64\dhzbyra.exe	tfjrcom.exe
File opened for modification	C:\Windows\SysWOW64\amcnvbo.exe	wsugwrv.exe
File created	C:\Windows\SysWOW64\aaqunaf.exe	sartzmb.exe
File created	C:\Windows\SysWOW64\zwijowt.exe	sljezcl.exe
File created	C:\Windows\SysWOW64\akpqgdw.exe	qdltvep.exe
File opened for modification	C:\Windows\SysWOW64\wtaikjs.exe	muvkzkl.exe
File opened for modification	C:\Windows\SysWOW64\iqdtana.exe	bweodus.exe
File created	C:\Windows\SysWOW64\oafjndi.exe	gwvwekx.exe
File opened for modification	C:\Windows\SysWOW64\flilvwy.exe	ydvtjyo.exe
File created	C:\Windows\SysWOW64\ifhceaf.exe	abxpmhu.exe
File created	C:\Windows\SysWOW64\wgzxnto.exe	jheueli.exe
File opened for modification	C:\Windows\SysWOW64\dzlcvin.exe	wompyhf.exe
File opened for modification	C:\Windows\SysWOW64\lhjlwfo.exe	jptnrpu.exe
File created	C:\Windows\SysWOW64\urolkxu.exe	ppgllnk.exe
File opened for modification	C:\Windows\SysWOW64\siwmgkp.exe	saiulvg.exe
File opened for modification	C:\Windows\SysWOW64\bnyybif.exe	urolkxu.exe
File created	C:\Windows\SysWOW64\cfhcwxd.exe	xezhgsx.exe
File created	C:\Windows\SysWOW64\rgqkalp.exe	hwtaeib.exe
File opened for modification	C:\Windows\SysWOW64\budkpvg.exe	qzcrhbf.exe
File created	C:\Windows\SysWOW64\bblorpg.exe	tupwxax.exe
File opened for modification	C:\Windows\SysWOW64\jptnrpu.exe	evlgsfc.exe
File created	C:\Windows\SysWOW64\alsntky.exe	ppzceqx.exe
File opened for modification	C:\Windows\SysWOW64\nwypzje.exe	cmjjmsc.exe
File created	C:\Windows\SysWOW64\xrvgjjq.exe	sbytnve.exe
File created	C:\Windows\SysWOW64\xpqnbgg.exe	nnbcoda.exe
File created	C:\Windows\SysWOW64\rddpbln.exe	kkekejf.exe
File created	C:\Windows\SysWOW64\ompdoye.exe	eroshed.exe
File opened for modification	C:\Windows\SysWOW64\gtgfmbr.exe	ylsnsmh.exe
File created	C:\Windows\SysWOW64\abxpmhu.exe	ttkwast.exe
File created	C:\Windows\SysWOW64\zzmobck.exe	paaqidk.exe
File opened for modification	C:\Windows\SysWOW64\cfhcwxd.exe	xezhgsx.exe
File created	C:\Windows\SysWOW64\lmuwjmf.exe	aufyevd.exe
File created	C:\Windows\SysWOW64\xfwgibt.exe	mnhbdlr.exe
File created	C:\Windows\SysWOW64\srysuem.exe	nemsbdz.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ywnhheo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wdnthzy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	psujnux.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ofsdmgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ayjljcb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zsiuhjt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wsugwrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kgplztu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	siwmgkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zmlldbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	izkzmlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	byvasqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jzexsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuunmxp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ompdoye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddtbxnq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oovpsby.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	goaazet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fkrjkik.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kohblzt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zhxcjnt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mpirniy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxzjfur.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crqhdgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azuatdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quacazc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ftwtyfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eyrxzoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	oxhygry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	evrjomr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qzcrhbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	udmitug.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vzddgkt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aqixcyf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvtfhve.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	whpuaqy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sryenbw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppdjkfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	masudoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xfvqfrd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sljezcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gwvwekx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ydvtjyo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qeodbrg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wompyhf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pkoqvkv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svxpvmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qmujiqa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jiqidei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nwtwvez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hqynhom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kiouoel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jheueli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wgzxnto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcpyzpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dzlcvin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfhcwxd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rsdyvsq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	alyhaoz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yxefxzg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yjkdjqu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gcqowwn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	neniyhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fftarvh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1496	2808	f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe	30
PID 2808 wrote to memory of 1496	2808	f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe	30
PID 2808 wrote to memory of 1496	2808	f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe	30
PID 2808 wrote to memory of 1496	2808	f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe	30
PID 1496 wrote to memory of 1144	1496	qzwntof.exe	31
PID 1496 wrote to memory of 1144	1496	qzwntof.exe	31
PID 1496 wrote to memory of 1144	1496	qzwntof.exe	31
PID 1496 wrote to memory of 1144	1496	qzwntof.exe	31
PID 1144 wrote to memory of 2416	1144	qjtwsir.exe	32
PID 1144 wrote to memory of 2416	1144	qjtwsir.exe	32
PID 1144 wrote to memory of 2416	1144	qjtwsir.exe	32
PID 1144 wrote to memory of 2416	1144	qjtwsir.exe	32
PID 2416 wrote to memory of 1628	2416	smuogll.exe	33
PID 2416 wrote to memory of 1628	2416	smuogll.exe	33
PID 2416 wrote to memory of 1628	2416	smuogll.exe	33
PID 2416 wrote to memory of 1628	2416	smuogll.exe	33
PID 1628 wrote to memory of 3016	1628	dslzijt.exe	34
PID 1628 wrote to memory of 3016	1628	dslzijt.exe	34
PID 1628 wrote to memory of 3016	1628	dslzijt.exe	34
PID 1628 wrote to memory of 3016	1628	dslzijt.exe	34
PID 3016 wrote to memory of 1568	3016	zenpzuz.exe	35
PID 3016 wrote to memory of 1568	3016	zenpzuz.exe	35
PID 3016 wrote to memory of 1568	3016	zenpzuz.exe	35
PID 3016 wrote to memory of 1568	3016	zenpzuz.exe	35
PID 1568 wrote to memory of 748	1568	jzexsrv.exe	36
PID 1568 wrote to memory of 748	1568	jzexsrv.exe	36
PID 1568 wrote to memory of 748	1568	jzexsrv.exe	36
PID 1568 wrote to memory of 748	1568	jzexsrv.exe	36
PID 748 wrote to memory of 1480	748	ywnhheo.exe	37
PID 748 wrote to memory of 1480	748	ywnhheo.exe	37
PID 748 wrote to memory of 1480	748	ywnhheo.exe	37
PID 748 wrote to memory of 1480	748	ywnhheo.exe	37
PID 2228 wrote to memory of 2844	2228	odunric.exe	39
PID 2228 wrote to memory of 2844	2228	odunric.exe	39
PID 2228 wrote to memory of 2844	2228	odunric.exe	39
PID 2228 wrote to memory of 2844	2228	odunric.exe	39
PID 2844 wrote to memory of 2532	2844	ijyiovs.exe	40
PID 2844 wrote to memory of 2532	2844	ijyiovs.exe	40
PID 2844 wrote to memory of 2532	2844	ijyiovs.exe	40
PID 2844 wrote to memory of 2532	2844	ijyiovs.exe	40
PID 2532 wrote to memory of 2704	2532	udmitug.exe	41
PID 2532 wrote to memory of 2704	2532	udmitug.exe	41
PID 2532 wrote to memory of 2704	2532	udmitug.exe	41
PID 2532 wrote to memory of 2704	2532	udmitug.exe	41
PID 2704 wrote to memory of 2364	2704	yxefxzg.exe	42
PID 2704 wrote to memory of 2364	2704	yxefxzg.exe	42
PID 2704 wrote to memory of 2364	2704	yxefxzg.exe	42
PID 2704 wrote to memory of 2364	2704	yxefxzg.exe	42
PID 2364 wrote to memory of 964	2364	nnnyeez.exe	43
PID 2364 wrote to memory of 964	2364	nnnyeez.exe	43
PID 2364 wrote to memory of 964	2364	nnnyeez.exe	43
PID 2364 wrote to memory of 964	2364	nnnyeez.exe	43
PID 964 wrote to memory of 1792	964	xtqtigu.exe	44
PID 964 wrote to memory of 1792	964	xtqtigu.exe	44
PID 964 wrote to memory of 1792	964	xtqtigu.exe	44
PID 964 wrote to memory of 1792	964	xtqtigu.exe	44
PID 1792 wrote to memory of 1552	1792	qshgeql.exe	45
PID 1792 wrote to memory of 1552	1792	qshgeql.exe	45
PID 1792 wrote to memory of 1552	1792	qshgeql.exe	45
PID 1792 wrote to memory of 1552	1792	qshgeql.exe	45
PID 1552 wrote to memory of 2616	1552	kjgtbak.exe	46
PID 1552 wrote to memory of 2616	1552	kjgtbak.exe	46
PID 1552 wrote to memory of 2616	1552	kjgtbak.exe	46
PID 1552 wrote to memory of 2616	1552	kjgtbak.exe	46

C:\Users\Admin\AppData\Local\Temp\f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\SysWOW64\qzwntof.exe
  C:\Windows\system32\qzwntof.exe 620 "C:\Users\Admin\AppData\Local\Temp\f051ab4e7b5646a97caafe260e99df7b_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\qjtwsir.exe
    C:\Windows\system32\qjtwsir.exe 616 "C:\Windows\SysWOW64\qzwntof.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\SysWOW64\smuogll.exe
      C:\Windows\system32\smuogll.exe 612 "C:\Windows\SysWOW64\qjtwsir.exe"
      4⤵
      Executes dropped EXE
      Identifies Wine through registry keys
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\SysWOW64\dslzijt.exe
        
        C:\Windows\system32\dslzijt.exe 628 "C:\Windows\SysWOW64\smuogll.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\SysWOW64\zenpzuz.exe
        
        C:\Windows\system32\zenpzuz.exe 632 "C:\Windows\SysWOW64\dslzijt.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\jzexsrv.exe
        
        C:\Windows\system32\jzexsrv.exe 640 "C:\Windows\SysWOW64\zenpzuz.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\ywnhheo.exe
        
        C:\Windows\system32\ywnhheo.exe 664 "C:\Windows\SysWOW64\jzexsrv.exe"
        8⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:748
        
        C:\Windows\SysWOW64\cifnljf.exe
        
        C:\Windows\system32\cifnljf.exe 656 "C:\Windows\SysWOW64\ywnhheo.exe"
        9⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:1480
        
        C:\Windows\SysWOW64\odunric.exe
        
        C:\Windows\system32\odunric.exe 648 "C:\Windows\SysWOW64\cifnljf.exe"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\ijyiovs.exe
        
        C:\Windows\system32\ijyiovs.exe 676 "C:\Windows\SysWOW64\odunric.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\udmitug.exe
        
        C:\Windows\system32\udmitug.exe 696 "C:\Windows\SysWOW64\ijyiovs.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\yxefxzg.exe
        
        C:\Windows\system32\yxefxzg.exe 660 "C:\Windows\SysWOW64\udmitug.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\nnnyeez.exe
        
        C:\Windows\system32\nnnyeez.exe 644 "C:\Windows\SysWOW64\yxefxzg.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\xtqtigu.exe
        
        C:\Windows\system32\xtqtigu.exe 716 "C:\Windows\SysWOW64\nnnyeez.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\SysWOW64\qshgeql.exe
        
        C:\Windows\system32\qshgeql.exe 652 "C:\Windows\SysWOW64\xtqtigu.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\kjgtbak.exe
        
        C:\Windows\system32\kjgtbak.exe 752 "C:\Windows\SysWOW64\qshgeql.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\wdnthzy.exe
        
        C:\Windows\system32\wdnthzy.exe 672 "C:\Windows\SysWOW64\kjgtbak.exe"
        18⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\eayrsfk.exe
        
        C:\Windows\system32\eayrsfk.exe 624 "C:\Windows\SysWOW64\wdnthzy.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2216
        
        C:\Windows\SysWOW64\frnzkwi.exe
        
        C:\Windows\system32\frnzkwi.exe 684 "C:\Windows\SysWOW64\eayrsfk.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2936
        
        C:\Windows\SysWOW64\sefoqah.exe
        
        C:\Windows\system32\sefoqah.exe 768 "C:\Windows\SysWOW64\frnzkwi.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2960
        
        C:\Windows\SysWOW64\pjagwiz.exe
        
        C:\Windows\system32\pjagwiz.exe 688 "C:\Windows\SysWOW64\sefoqah.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2032
        
        C:\Windows\SysWOW64\pumzlue.exe
        
        C:\Windows\system32\pumzlue.exe 712 "C:\Windows\SysWOW64\pjagwiz.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2332
        
        C:\Windows\SysWOW64\onnrfgn.exe
        
        C:\Windows\system32\onnrfgn.exe 764 "C:\Windows\SysWOW64\pumzlue.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1860
        
        C:\Windows\SysWOW64\wvjjzwx.exe
        
        C:\Windows\system32\wvjjzwx.exe 772 "C:\Windows\SysWOW64\onnrfgn.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1816
        
        C:\Windows\SysWOW64\vrvpwng.exe
        
        C:\Windows\system32\vrvpwng.exe 796 "C:\Windows\SysWOW64\wvjjzwx.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2480
        
        C:\Windows\SysWOW64\druplbk.exe
        
        C:\Windows\system32\druplbk.exe 668 "C:\Windows\SysWOW64\vrvpwng.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2752
        
        C:\Windows\SysWOW64\awphjju.exe
        
        C:\Windows\system32\awphjju.exe 792 "C:\Windows\SysWOW64\druplbk.exe"
        28⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Loads dropped DLL
        
        PID:2848
        
        C:\Windows\SysWOW64\rlnmarf.exe
        
        C:\Windows\system32\rlnmarf.exe 800 "C:\Windows\SysWOW64\awphjju.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1772
        
        C:\Windows\SysWOW64\exumoru.exe
        
        C:\Windows\system32\exumoru.exe 704 "C:\Windows\SysWOW64\rlnmarf.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2020
        
        C:\Windows\SysWOW64\oirxbua.exe
        
        C:\Windows\system32\oirxbua.exe 692 "C:\Windows\SysWOW64\exumoru.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2136
        
        C:\Windows\SysWOW64\dupcfcm.exe
        
        C:\Windows\system32\dupcfcm.exe 700 "C:\Windows\SysWOW64\oirxbua.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2884
        
        C:\Windows\SysWOW64\typxjhr.exe
        
        C:\Windows\system32\typxjhr.exe 808 "C:\Windows\SysWOW64\dupcfcm.exe"
        33⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:316
        
        C:\Windows\SysWOW64\cbnayxh.exe
        
        C:\Windows\system32\cbnayxh.exe 708 "C:\Windows\SysWOW64\typxjhr.exe"
        34⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:1748
        
        C:\Windows\SysWOW64\kyxfhqk.exe
        
        C:\Windows\system32\kyxfhqk.exe 824 "C:\Windows\SysWOW64\cbnayxh.exe"
        35⤵
        Executes dropped EXE
        
        PID:2280
        
        C:\Windows\SysWOW64\bmxcmeb.exe
        
        C:\Windows\system32\bmxcmeb.exe 728 "C:\Windows\SysWOW64\kyxfhqk.exe"
        36⤵
        Executes dropped EXE
        
        PID:2256
        
        C:\Windows\SysWOW64\grrkfgg.exe
        
        C:\Windows\system32\grrkfgg.exe 832 "C:\Windows\SysWOW64\bmxcmeb.exe"
        37⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\vzddgkt.exe
        
        C:\Windows\system32\vzddgkt.exe 760 "C:\Windows\SysWOW64\grrkfgg.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\aqixcyf.exe
        
        C:\Windows\system32\aqixcyf.exe 840 "C:\Windows\SysWOW64\vzddgkt.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\khvnoko.exe
        
        C:\Windows\system32\khvnoko.exe 848 "C:\Windows\SysWOW64\aqixcyf.exe"
        40⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\SysWOW64\udoywex.exe
        
        C:\Windows\system32\udoywex.exe 836 "C:\Windows\SysWOW64\khvnoko.exe"
        41⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Windows\SysWOW64\dgmsdun.exe
        
        C:\Windows\system32\dgmsdun.exe 736 "C:\Windows\SysWOW64\udoywex.exe"
        42⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:1988
        
        C:\Windows\SysWOW64\ofqywtu.exe
        
        C:\Windows\system32\ofqywtu.exe 860 "C:\Windows\SysWOW64\dgmsdun.exe"
        43⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Windows\SysWOW64\gfbvvyy.exe
        
        C:\Windows\system32\gfbvvyy.exe 740 "C:\Windows\SysWOW64\ofqywtu.exe"
        44⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\qeftfxg.exe
        
        C:\Windows\system32\qeftfxg.exe 868 "C:\Windows\SysWOW64\gfbvvyy.exe"
        45⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\kohblzt.exe
        
        C:\Windows\system32\kohblzt.exe 776 "C:\Windows\SysWOW64\qeftfxg.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\pbaiejy.exe
        
        C:\Windows\system32\pbaiejy.exe 872 "C:\Windows\SysWOW64\kohblzt.exe"
        47⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\ebmbffm.exe
        
        C:\Windows\system32\ebmbffm.exe 780 "C:\Windows\SysWOW64\pbaiejy.exe"
        48⤵
        Executes dropped EXE
        
        PID:2376
        
        C:\Windows\SysWOW64\lutguhu.exe
        
        C:\Windows\system32\lutguhu.exe 812 "C:\Windows\SysWOW64\ebmbffm.exe"
        49⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\gpywuac.exe
        
        C:\Windows\system32\gpywuac.exe 604 "C:\Windows\SysWOW64\lutguhu.exe"
        50⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\nwmogpm.exe
        
        C:\Windows\system32\nwmogpm.exe 892 "C:\Windows\SysWOW64\gpywuac.exe"
        51⤵
        Executes dropped EXE
        
        PID:2316
        
        C:\Windows\SysWOW64\pkorjqa.exe
        
        C:\Windows\system32\pkorjqa.exe 880 "C:\Windows\SysWOW64\nwmogpm.exe"
        52⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        
        PID:2708
        
        C:\Windows\SysWOW64\mlheftm.exe
        
        C:\Windows\system32\mlheftm.exe 900 "C:\Windows\SysWOW64\pkorjqa.exe"
        53⤵
        Executes dropped EXE
        
        PID:1248
        
        C:\Windows\SysWOW64\yomtfmu.exe
        
        C:\Windows\system32\yomtfmu.exe 888 "C:\Windows\SysWOW64\mlheftm.exe"
        54⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Windows\SysWOW64\dwqgtag.exe
        
        C:\Windows\system32\dwqgtag.exe 732 "C:\Windows\SysWOW64\yomtfmu.exe"
        55⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Windows\SysWOW64\yzvwtuo.exe
        
        C:\Windows\system32\yzvwtuo.exe 784 "C:\Windows\SysWOW64\dwqgtag.exe"
        56⤵
        Executes dropped EXE
        
        PID:2648
        
        C:\Windows\SysWOW64\fgjonjq.exe
        
        C:\Windows\system32\fgjonjq.exe 904 "C:\Windows\SysWOW64\yzvwtuo.exe"
        57⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Windows\SysWOW64\xkfzpta.exe
        
        C:\Windows\system32\xkfzpta.exe 680 "C:\Windows\SysWOW64\fgjonjq.exe"
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1032
        
        C:\Windows\SysWOW64\hjjwzsi.exe
        
        C:\Windows\system32\hjjwzsi.exe 920 "C:\Windows\SysWOW64\xkfzpta.exe"
        59⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SysWOW64\tdqefrw.exe
        
        C:\Windows\system32\tdqefrw.exe 788 "C:\Windows\SysWOW64\hjjwzsi.exe"
        60⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Windows\SysWOW64\bllwzgf.exe
        
        C:\Windows\system32\bllwzgf.exe 928 "C:\Windows\SysWOW64\tdqefrw.exe"
        61⤵
        Executes dropped EXE
        
        PID:1656
        
        C:\Windows\SysWOW64\qtgpakt.exe
        
        C:\Windows\system32\qtgpakt.exe 748 "C:\Windows\SysWOW64\bllwzgf.exe"
        62⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\awvznoz.exe
        
        C:\Windows\system32\awvznoz.exe 936 "C:\Windows\SysWOW64\qtgpakt.exe"
        63⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\SysWOW64\piterwl.exe
        
        C:\Windows\system32\piterwl.exe 804 "C:\Windows\SysWOW64\awvznoz.exe"
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\zhxcjnt.exe
        
        C:\Windows\system32\zhxcjnt.exe 944 "C:\Windows\SysWOW64\piterwl.exe"
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\Windows\SysWOW64\lybxmii.exe
        
        C:\Windows\system32\lybxmii.exe 816 "C:\Windows\SysWOW64\zhxcjnt.exe"
        66⤵
        Executes dropped EXE
        
        PID:1472
        
        C:\Windows\SysWOW64\ylsnsmh.exe
        
        C:\Windows\system32\ylsnsmh.exe 948 "C:\Windows\SysWOW64\lybxmii.exe"
        67⤵
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\gtgfmbr.exe
        
        C:\Windows\system32\gtgfmbr.exe 820 "C:\Windows\SysWOW64\ylsnsmh.exe"
        68⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\nemsbdz.exe
        
        C:\Windows\system32\nemsbdz.exe 964 "C:\Windows\SysWOW64\gtgfmbr.exe"
        69⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:3024
        
        C:\Windows\SysWOW64\srysuem.exe
        
        C:\Windows\system32\srysuem.exe 856 "C:\Windows\SysWOW64\nemsbdz.exe"
        70⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\zvifmyo.exe
        
        C:\Windows\system32\zvifmyo.exe 864 "C:\Windows\SysWOW64\srysuem.exe"
        71⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\kqjxtsp.exe
        
        C:\Windows\system32\kqjxtsp.exe 896 "C:\Windows\SysWOW64\zvifmyo.exe"
        72⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\utyagnv.exe
        
        C:\Windows\system32\utyagnv.exe 976 "C:\Windows\SysWOW64\kqjxtsp.exe"
        73⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\bxinygg.exe
        
        C:\Windows\system32\bxinygg.exe 980 "C:\Windows\SysWOW64\utyagnv.exe"
        74⤵
        Identifies Wine through registry keys
        
        PID:2572
        
        C:\Windows\SysWOW64\mtjffbh.exe
        
        C:\Windows\system32\mtjffbh.exe 984 "C:\Windows\SysWOW64\bxinygg.exe"
        75⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\taxyaqq.exe
        
        C:\Windows\system32\taxyaqq.exe 724 "C:\Windows\SysWOW64\mtjffbh.exe"
        76⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\dzjvkpy.exe
        
        C:\Windows\system32\dzjvkpy.exe 756 "C:\Windows\SysWOW64\taxyaqq.exe"
        77⤵
        
        PID:832
        
        C:\Windows\SysWOW64\ktiahjg.exe
        
        C:\Windows\system32\ktiahjg.exe 996 "C:\Windows\SysWOW64\dzjvkpy.exe"
        78⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\voispdh.exe
        
        C:\Windows\system32\voispdh.exe 1000 "C:\Windows\SysWOW64\ktiahjg.exe"
        79⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\atuainm.exe
        
        C:\Windows\system32\atuainm.exe 1004 "C:\Windows\SysWOW64\voispdh.exe"
        80⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\kagysmt.exe
        
        C:\Windows\system32\kagysmt.exe 744 "C:\Windows\SysWOW64\atuainm.exe"
        81⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\uzkvlkb.exe
        
        C:\Windows\system32\uzkvlkb.exe 828 "C:\Windows\SysWOW64\kagysmt.exe"
        82⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\evlgsfc.exe
        
        C:\Windows\system32\evlgsfc.exe 1016 "C:\Windows\SysWOW64\uzkvlkb.exe"
        83⤵
        Drops file in System32 directory
        
        PID:1000
        
        C:\Windows\SysWOW64\jptnrpu.exe
        
        C:\Windows\system32\jptnrpu.exe 844 "C:\Windows\SysWOW64\evlgsfc.exe"
        84⤵
        Drops file in System32 directory
        
        PID:884
        
        C:\Windows\SysWOW64\lhjlwfo.exe
        
        C:\Windows\system32\lhjlwfo.exe 908 "C:\Windows\SysWOW64\jptnrpu.exe"
        85⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\toelqdx.exe
        
        C:\Windows\system32\toelqdx.exe 1028 "C:\Windows\SysWOW64\lhjlwfo.exe"
        86⤵
        
        PID:824
        
        C:\Windows\SysWOW64\aadqfxo.exe
        
        C:\Windows\system32\aadqfxo.exe 1036 "C:\Windows\SysWOW64\toelqdx.exe"
        87⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\ienvxiq.exe
        
        C:\Windows\system32\ienvxiq.exe 1044 "C:\Windows\SysWOW64\aadqfxo.exe"
        88⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\sdrbhgy.exe
        
        C:\Windows\system32\sdrbhgy.exe 1040 "C:\Windows\SysWOW64\ienvxiq.exe"
        89⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\zhbgyrb.exe
        
        C:\Windows\system32\zhbgyrb.exe 852 "C:\Windows\SysWOW64\sdrbhgy.exe"
        90⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\kdcygmb.exe
        
        C:\Windows\system32\kdcygmb.exe 912 "C:\Windows\SysWOW64\zhbgyrb.exe"
        91⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\owkyfeu.exe
        
        C:\Windows\system32\owkyfeu.exe 916 "C:\Windows\SysWOW64\kdcygmb.exe"
        92⤵
        Drops file in System32 directory
        
        PID:1152
        
        C:\Windows\SysWOW64\ysljmzu.exe
        
        C:\Windows\system32\ysljmzu.exe 1064 "C:\Windows\SysWOW64\owkyfeu.exe"
        93⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\gwvwekx.exe
        
        C:\Windows\system32\gwvwekx.exe 956 "C:\Windows\SysWOW64\ysljmzu.exe"
        94⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\Windows\SysWOW64\oafjndi.exe
        
        C:\Windows\system32\oafjndi.exe 1072 "C:\Windows\SysWOW64\gwvwekx.exe"
        95⤵
        Identifies Wine through registry keys
        
        PID:2292
        
        C:\Windows\SysWOW64\ydvtjyo.exe
        
        C:\Windows\system32\ydvtjyo.exe 1068 "C:\Windows\SysWOW64\oafjndi.exe"
        96⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\flilvwy.exe
        
        C:\Windows\system32\flilvwy.exe 1076 "C:\Windows\SysWOW64\ydvtjyo.exe"
        97⤵
        
        PID:820
        
        C:\Windows\SysWOW64\psujnux.exe
        
        C:\Windows\system32\psujnux.exe 876 "C:\Windows\SysWOW64\flilvwy.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:904
        
        C:\Windows\SysWOW64\znnbvpg.exe
        
        C:\Windows\system32\znnbvpg.exe 1088 "C:\Windows\SysWOW64\psujnux.exe"
        99⤵
        
        PID:432
        
        C:\Windows\SysWOW64\hzugsjo.exe
        
        C:\Windows\system32\hzugsjo.exe 1100 "C:\Windows\SysWOW64\znnbvpg.exe"
        100⤵
        
        PID:600
        
        C:\Windows\SysWOW64\rrjexzq.exe
        
        C:\Windows\system32\rrjexzq.exe 1084 "C:\Windows\SysWOW64\hzugsjo.exe"
        101⤵
        Drops file in System32 directory
        
        PID:2124
        
        C:\Windows\SysWOW64\wlrmvjb.exe
        
        C:\Windows\system32\wlrmvjb.exe 968 "C:\Windows\SysWOW64\rrjexzq.exe"
        102⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\gdhrahd.exe
        
        C:\Windows\system32\gdhrahd.exe 1096 "C:\Windows\SysWOW64\wlrmvjb.exe"
        103⤵
        Drops file in System32 directory
        
        PID:1180
        
        C:\Windows\SysWOW64\lwprzsn.exe
        
        C:\Windows\system32\lwprzsn.exe 972 "C:\Windows\SysWOW64\gdhrahd.exe"
        104⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\vvbojqu.exe
        
        C:\Windows\system32\vvbojqu.exe 1108 "C:\Windows\SysWOW64\lwprzsn.exe"
        105⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\foruogw.exe
        
        C:\Windows\system32\foruogw.exe 1104 "C:\Windows\SysWOW64\vvbojqu.exe"
        106⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\qnvrhfe.exe
        
        C:\Windows\system32\qnvrhfe.exe 1116 "C:\Windows\SysWOW64\foruogw.exe"
        107⤵
        
        PID:580
        
        C:\Windows\SysWOW64\zbwpxnj.exe
        
        C:\Windows\system32\zbwpxnj.exe 720 "C:\Windows\SysWOW64\qnvrhfe.exe"
        108⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\kllmbdl.exe
        
        C:\Windows\system32\kllmbdl.exe 988 "C:\Windows\SysWOW64\zbwpxnj.exe"
        109⤵
        Identifies Wine through registry keys
        
        PID:2676
        
        C:\Windows\SysWOW64\uspkucs.exe
        
        C:\Windows\system32\uspkucs.exe 1092 "C:\Windows\SysWOW64\kllmbdl.exe"
        110⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\balkgrc.exe
        
        C:\Windows\system32\balkgrc.exe 1008 "C:\Windows\SysWOW64\uspkucs.exe"
        111⤵
        Identifies Wine through registry keys
        
        PID:2016
        
        C:\Windows\SysWOW64\jljpdlk.exe
        
        C:\Windows\system32\jljpdlk.exe 924 "C:\Windows\SysWOW64\balkgrc.exe"
        112⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\tgkzlfl.exe
        
        C:\Windows\system32\tgkzlfl.exe 932 "C:\Windows\SysWOW64\jljpdlk.exe"
        113⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\drakgiz.exe
        
        C:\Windows\system32\drakgiz.exe 1144 "C:\Windows\SysWOW64\tgkzlfl.exe"
        114⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\nnbcoda.exe
        
        C:\Windows\system32\nnbcoda.exe 1148 "C:\Windows\SysWOW64\drakgiz.exe"
        115⤵
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\xpqnbgg.exe
        
        C:\Windows\system32\xpqnbgg.exe 1152 "C:\Windows\SysWOW64\nnbcoda.exe"
        116⤵
        Identifies Wine through registry keys
        
        PID:2176
        
        C:\Windows\SysWOW64\ftassrr.exe
        
        C:\Windows\system32\ftassrr.exe 1156 "C:\Windows\SysWOW64\xpqnbgg.exe"
        117⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\mboseot.exe
        
        C:\Windows\system32\mboseot.exe 1032 "C:\Windows\SysWOW64\ftassrr.exe"
        118⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\waapxna.exe
        
        C:\Windows\system32\waapxna.exe 1056 "C:\Windows\SysWOW64\mboseot.exe"
        119⤵
        
        PID:916
        
        C:\Windows\SysWOW64\hwtaeib.exe
        
        C:\Windows\system32\hwtaeib.exe 884 "C:\Windows\SysWOW64\waapxna.exe"
        120⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:1968
        
        C:\Windows\SysWOW64\rgqkalp.exe
        
        C:\Windows\system32\rgqkalp.exe 1172 "C:\Windows\SysWOW64\hwtaeib.exe"
        121⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\bguhkkp.exe
        
        C:\Windows\system32\bguhkkp.exe 952 "C:\Windows\SysWOW64\rgqkalp.exe"
        122⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\otmxqfw.exe
        
        C:\Windows\system32\otmxqfw.exe 1176 "C:\Windows\SysWOW64\bguhkkp.exe"
        123⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\ysqdaev.exe
        
        C:\Windows\system32\ysqdaev.exe 1184 "C:\Windows\SysWOW64\otmxqfw.exe"
        124⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\azuatdd.exe
        
        C:\Windows\system32\azuatdd.exe 1188 "C:\Windows\SysWOW64\ysqdaev.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\ivefcwf.exe
        
        C:\Windows\system32\ivefcwf.exe 1080 "C:\Windows\SysWOW64\azuatdd.exe"
        126⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\uxkvobs.exe
        
        C:\Windows\system32\uxkvobs.exe 1196 "C:\Windows\SysWOW64\ivefcwf.exe"
        127⤵
        Drops file in System32 directory
        
        PID:1508
        
        C:\Windows\SysWOW64\ciralua.exe
        
        C:\Windows\system32\ciralua.exe 1208 "C:\Windows\SysWOW64\uxkvobs.exe"
        128⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\meksspb.exe
        
        C:\Windows\system32\meksspb.exe 1212 "C:\Windows\SysWOW64\ciralua.exe"
        129⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\wzldijk.exe
        
        C:\Windows\system32\wzldijk.exe 1060 "C:\Windows\SysWOW64\meksspb.exe"
        130⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\ggpasij.exe
        
        C:\Windows\system32\ggpasij.exe 1204 "C:\Windows\SysWOW64\wzldijk.exe"
        131⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\jurdniy.exe
        
        C:\Windows\system32\jurdniy.exe 1192 "C:\Windows\SysWOW64\ggpasij.exe"
        132⤵
        Identifies Wine through registry keys
        
        PID:2108
        
        C:\Windows\SysWOW64\wsugwrv.exe
        
        C:\Windows\system32\wsugwrv.exe 1220 "C:\Windows\SysWOW64\jurdniy.exe"
        133⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\amcnvbo.exe
        
        C:\Windows\system32\amcnvbo.exe 1160 "C:\Windows\SysWOW64\wsugwrv.exe"
        134⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\fkhvicn.exe
        
        C:\Windows\system32\fkhvicn.exe 1020 "C:\Windows\SysWOW64\amcnvbo.exe"
        135⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\pmxgvfb.exe
        
        C:\Windows\system32\pmxgvfb.exe 1120 "C:\Windows\SysWOW64\fkhvicn.exe"
        136⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\codvhsf.exe
        
        C:\Windows\system32\codvhsf.exe 1236 "C:\Windows\SysWOW64\pmxgvfb.exe"
        137⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\hmadvlf.exe
        
        C:\Windows\system32\hmadvlf.exe 1240 "C:\Windows\SysWOW64\codvhsf.exe"
        138⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\puvvhio.exe
        
        C:\Windows\system32\puvvhio.exe 940 "C:\Windows\SysWOW64\hmadvlf.exe"
        139⤵
        
        PID:628
        
        C:\Windows\SysWOW64\yfkgclu.exe
        
        C:\Windows\system32\yfkgclu.exe 1200 "C:\Windows\SysWOW64\puvvhio.exe"
        140⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\jalykgv.exe
        
        C:\Windows\system32\jalykgv.exe 1168 "C:\Windows\SysWOW64\yfkgclu.exe"
        141⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\qeodbrg.exe
        
        C:\Windows\system32\qeodbrg.exe 992 "C:\Windows\SysWOW64\jalykgv.exe"
        142⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\bdablqn.exe
        
        C:\Windows\system32\bdablqn.exe 1268 "C:\Windows\SysWOW64\qeodbrg.exe"
        143⤵
        
        PID:572
        
        C:\Windows\SysWOW64\kgplztu.exe
        
        C:\Windows\system32\kgplztu.exe 1012 "C:\Windows\SysWOW64\bdablqn.exe"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\vntrrrb.exe
        
        C:\Windows\system32\vntrrrb.exe 1264 "C:\Windows\SysWOW64\kgplztu.exe"
        145⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\fjubzmc.exe
        
        C:\Windows\system32\fjubzmc.exe 1164 "C:\Windows\SysWOW64\vntrrrb.exe"
        146⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\jckbxwm.exe
        
        C:\Windows\system32\jckbxwm.exe 1276 "C:\Windows\SysWOW64\fjubzmc.exe"
        147⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\unsgcmo.exe
        
        C:\Windows\system32\unsgcmo.exe 1280 "C:\Windows\SysWOW64\jckbxwm.exe"
        148⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\eueenlw.exe
        
        C:\Windows\system32\eueenlw.exe 1124 "C:\Windows\SysWOW64\unsgcmo.exe"
        149⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\ghhgqmc.exe
        
        C:\Windows\system32\ghhgqmc.exe 1136 "C:\Windows\SysWOW64\eueenlw.exe"
        150⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\lxlbeao.exe
        
        C:\Windows\system32\lxlbeao.exe 1292 "C:\Windows\SysWOW64\ghhgqmc.exe"
        151⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\vwpzwyv.exe
        
        C:\Windows\system32\vwpzwyv.exe 1048 "C:\Windows\SysWOW64\lxlbeao.exe"
        152⤵
        
        PID:620
        
        C:\Windows\SysWOW64\ajjhhaa.exe
        
        C:\Windows\system32\ajjhhaa.exe 1228 "C:\Windows\SysWOW64\vwpzwyv.exe"
        153⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\nwtwvez.exe
        
        C:\Windows\system32\nwtwvez.exe 1316 "C:\Windows\SysWOW64\ajjhhaa.exe"
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\npbpprj.exe
        
        C:\Windows\system32\npbpprj.exe 1300 "C:\Windows\SysWOW64\nwtwvez.exe"
        155⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\xwfmapq.exe
        
        C:\Windows\system32\xwfmapq.exe 1232 "C:\Windows\SysWOW64\npbpprj.exe"
        156⤵
        Identifies Wine through registry keys
        
        PID:2008
        
        C:\Windows\SysWOW64\bqwmyij.exe
        
        C:\Windows\system32\bqwmyij.exe 1312 "C:\Windows\SysWOW64\xwfmapq.exe"
        157⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\mloegcj.exe
        
        C:\Windows\system32\mloegcj.exe 1052 "C:\Windows\SysWOW64\bqwmyij.exe"
        158⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\ttkwast.exe
        
        C:\Windows\system32\ttkwast.exe 1112 "C:\Windows\SysWOW64\mloegcj.exe"
        159⤵
        Drops file in System32 directory
        
        PID:872
        
        C:\Windows\SysWOW64\abxpmhu.exe
        
        C:\Windows\system32\abxpmhu.exe 1328 "C:\Windows\SysWOW64\ttkwast.exe"
        160⤵
        Drops file in System32 directory
        
        PID:2956
        
        C:\Windows\SysWOW64\ifhceaf.exe
        
        C:\Windows\system32\ifhceaf.exe 1332 "C:\Windows\SysWOW64\abxpmhu.exe"
        161⤵
        Identifies Wine through registry keys
        
        PID:2180
        
        C:\Windows\SysWOW64\saiulvg.exe
        
        C:\Windows\system32\saiulvg.exe 1248 "C:\Windows\SysWOW64\ifhceaf.exe"
        162⤵
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\siwmgkp.exe
        
        C:\Windows\system32\siwmgkp.exe 1340 "C:\Windows\SysWOW64\saiulvg.exe"
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\chikqjx.exe
        
        C:\Windows\system32\chikqjx.exe 1244 "C:\Windows\SysWOW64\siwmgkp.exe"
        164⤵
        Drops file in System32 directory
        
        PID:784
        
        C:\Windows\SysWOW64\mkxulmd.exe
        
        C:\Windows\system32\mkxulmd.exe 1348 "C:\Windows\SysWOW64\chikqjx.exe"
        165⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\zfpkric.exe
        
        C:\Windows\system32\zfpkric.exe 1352 "C:\Windows\SysWOW64\mkxulmd.exe"
        166⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\jheueli.exe
        
        C:\Windows\system32\jheueli.exe 1356 "C:\Windows\SysWOW64\zfpkric.exe"
        167⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:392
        
        C:\Windows\SysWOW64\wgzxnto.exe
        
        C:\Windows\system32\wgzxnto.exe 1260 "C:\Windows\SysWOW64\jheueli.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\SysWOW64\gfluxsv.exe
        
        C:\Windows\system32\gfluxsv.exe 1364 "C:\Windows\SysWOW64\wgzxnto.exe"
        169⤵
        
        PID:948
        
        C:\Windows\SysWOW64\njnipdy.exe
        
        C:\Windows\system32\njnipdy.exe 960 "C:\Windows\SysWOW64\gfluxsv.exe"
        170⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\vuunmxp.exe
        
        C:\Windows\system32\vuunmxp.exe 1128 "C:\Windows\SysWOW64\njnipdy.exe"
        171⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\fmksrvi.exe
        
        C:\Windows\system32\fmksrvi.exe 1252 "C:\Windows\SysWOW64\vuunmxp.exe"
        172⤵
        
        PID:264
        
        C:\Windows\SysWOW64\ppzceqx.exe
        
        C:\Windows\system32\ppzceqx.exe 1132 "C:\Windows\SysWOW64\fmksrvi.exe"
        173⤵
        Drops file in System32 directory
        
        PID:2340
        
        C:\Windows\SysWOW64\alsntky.exe
        
        C:\Windows\system32\alsntky.exe 1288 "C:\Windows\SysWOW64\ppzceqx.exe"
        174⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\kkekejf.exe
        
        C:\Windows\system32\kkekejf.exe 1400 "C:\Windows\SysWOW64\alsntky.exe"
        175⤵
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\rddpbln.exe
        
        C:\Windows\system32\rddpbln.exe 1308 "C:\Windows\SysWOW64\kkekejf.exe"
        176⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\bcpnlkv.exe
        
        C:\Windows\system32\bcpnlkv.exe 1296 "C:\Windows\SysWOW64\rddpbln.exe"
        177⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\lyiftew.exe
        
        C:\Windows\system32\lyiftew.exe 1396 "C:\Windows\SysWOW64\bcpnlkv.exe"
        178⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\sjokqye.exe
        
        C:\Windows\system32\sjokqye.exe 1360 "C:\Windows\SysWOW64\lyiftew.exe"
        179⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\xwasjar.exe
        
        C:\Windows\system32\xwasjar.exe 1372 "C:\Windows\SysWOW64\sjokqye.exe"
        180⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\iopyoql.exe
        
        C:\Windows\system32\iopyoql.exe 1412 "C:\Windows\SysWOW64\xwasjar.exe"
        181⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\pvlqanu.exe
        
        C:\Windows\system32\pvlqanu.exe 1180 "C:\Windows\SysWOW64\iopyoql.exe"
        182⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\zyaavqi.exe
        
        C:\Windows\system32\zyaavqi.exe 1420 "C:\Windows\SysWOW64\pvlqanu.exe"
        183⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\hgwsigk.exe
        
        C:\Windows\system32\hgwsigk.exe 1216 "C:\Windows\SysWOW64\zyaavqi.exe"
        184⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\rbplxat.exe
        
        C:\Windows\system32\rbplxat.exe 1428 "C:\Windows\SysWOW64\hgwsigk.exe"
        185⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\yjkdjqu.exe
        
        C:\Windows\system32\yjkdjqu.exe 1388 "C:\Windows\SysWOW64\rbplxat.exe"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\jflnzkd.exe
        
        C:\Windows\system32\jflnzkd.exe 1256 "C:\Windows\SysWOW64\yjkdjqu.exe"
        187⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\nviinyp.exe
        
        C:\Windows\system32\nviinyp.exe 1336 "C:\Windows\SysWOW64\jflnzkd.exe"
        188⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\yqibdtp.exe
        
        C:\Windows\system32\yqibdtp.exe 1444 "C:\Windows\SysWOW64\nviinyp.exe"
        189⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\fvtgmes.exe
        
        C:\Windows\system32\fvtgmes.exe 1376 "C:\Windows\SysWOW64\yqibdtp.exe"
        190⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\pfiqhhy.exe
        
        C:\Windows\system32\pfiqhhy.exe 1384 "C:\Windows\SysWOW64\fvtgmes.exe"
        191⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\zemosgg.exe
        
        C:\Windows\system32\zemosgg.exe 1468 "C:\Windows\SysWOW64\pfiqhhy.exe"
        192⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\evrjomr.exe
        
        C:\Windows\system32\evrjomr.exe 1472 "C:\Windows\SysWOW64\zemosgg.exe"
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\pnhotkt.exe
        
        C:\Windows\system32\pnhotkt.exe 1224 "C:\Windows\SysWOW64\evrjomr.exe"
        194⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\zmlldbb.exe
        
        C:\Windows\system32\zmlldbb.exe 1460 "C:\Windows\SysWOW64\pnhotkt.exe"
        195⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\dcpyzpm.exe
        
        C:\Windows\system32\dcpyzpm.exe 1304 "C:\Windows\SysWOW64\zmlldbb.exe"
        196⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\obuwrnm.exe
        
        C:\Windows\system32\obuwrnm.exe 1488 "C:\Windows\SysWOW64\dcpyzpm.exe"
        197⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\yagbcmt.exe
        
        C:\Windows\system32\yagbcmt.exe 1476 "C:\Windows\SysWOW64\obuwrnm.exe"
        198⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\izkzmlb.exe
        
        C:\Windows\system32\izkzmlb.exe 1284 "C:\Windows\SysWOW64\yagbcmt.exe"
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\nmdgfvg.exe
        
        C:\Windows\system32\nmdgfvg.exe 1272 "C:\Windows\SysWOW64\izkzmlb.exe"
        200⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\xxtrbqm.exe
        
        C:\Windows\system32\xxtrbqm.exe 1140 "C:\Windows\SysWOW64\nmdgfvg.exe"
        201⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\hstbikv.exe
        
        C:\Windows\system32\hstbikv.exe 1324 "C:\Windows\SysWOW64\xxtrbqm.exe"
        202⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\roumqfv.exe
        
        C:\Windows\system32\roumqfv.exe 1496 "C:\Windows\SysWOW64\hstbikv.exe"
        203⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\tuvjomj.exe
        
        C:\Windows\system32\tuvjomj.exe 1512 "C:\Windows\SysWOW64\roumqfv.exe"
        204⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\eqouwhj.exe
        
        C:\Windows\system32\eqouwhj.exe 1504 "C:\Windows\SysWOW64\tuvjomj.exe"
        205⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\luyhfam.exe
        
        C:\Windows\system32\luyhfam.exe 1344 "C:\Windows\SysWOW64\eqouwhj.exe"
        206⤵
        Drops file in System32 directory
        
        PID:2824
        
        C:\Windows\SysWOW64\vtkexzu.exe
        
        C:\Windows\system32\vtkexzu.exe 1516 "C:\Windows\SysWOW64\luyhfam.exe"
        207⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmjjmsc.exe
        
        C:\Windows\system32\cmjjmsc.exe 1368 "C:\Windows\SysWOW64\vtkexzu.exe"
        208⤵
        Drops file in System32 directory
        
        PID:2024
        
        C:\Windows\SysWOW64\nwypzje.exe
        
        C:\Windows\system32\nwypzje.exe 1464 "C:\Windows\SysWOW64\cmjjmsc.exe"
        209⤵
        
        PID:956
        
        C:\Windows\SysWOW64\smvknpp.exe
        
        C:\Windows\system32\smvknpp.exe 1432 "C:\Windows\SysWOW64\nwypzje.exe"
        210⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cuhhgnx.exe
        
        C:\Windows\system32\cuhhgnx.exe 1532 "C:\Windows\SysWOW64\smvknpp.exe"
        211⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\mpirniy.exe
        
        C:\Windows\system32\mpirniy.exe 1392 "C:\Windows\SysWOW64\cuhhgnx.exe"
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\wompyhf.exe
        
        C:\Windows\system32\wompyhf.exe 1440 "C:\Windows\SysWOW64\mpirniy.exe"
        213⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\Windows\SysWOW64\dzlcvin.exe
        
        C:\Windows\system32\dzlcvin.exe 1448 "C:\Windows\SysWOW64\wompyhf.exe"
        214⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\lakcjpr.exe
        
        C:\Windows\system32\lakcjpr.exe 1404 "C:\Windows\SysWOW64\dzlcvin.exe"
        215⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2460
        
        C:\Windows\SysWOW64\quacazc.exe
        
        C:\Windows\system32\quacazc.exe 1380 "C:\Windows\SysWOW64\lakcjpr.exe"
        216⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\aqtmquk.exe
        
        C:\Windows\system32\aqtmquk.exe 1556 "C:\Windows\SysWOW64\quacazc.exe"
        217⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\fgyhmiw.exe
        
        C:\Windows\system32\fgyhmiw.exe 1480 "C:\Windows\SysWOW64\aqtmquk.exe"
        218⤵
        Drops file in System32 directory
        
        PID:2092
        
        C:\Windows\SysWOW64\mkiuvtz.exe
        
        C:\Windows\system32\mkiuvtz.exe 1416 "C:\Windows\SysWOW64\fgyhmiw.exe"
        219⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\ugsanmb.exe
        
        C:\Windows\system32\ugsanmb.exe 1408 "C:\Windows\SysWOW64\mkiuvtz.exe"
        220⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\erhkahq.exe
        
        C:\Windows\system32\erhkahq.exe 1572 "C:\Windows\SysWOW64\ugsanmb.exe"
        221⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\omichkr.exe
        
        C:\Windows\system32\omichkr.exe 1564 "C:\Windows\SysWOW64\erhkahq.exe"
        222⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\ymmaaby.exe
        
        C:\Windows\system32\ymmaaby.exe 1552 "C:\Windows\SysWOW64\omichkr.exe"
        223⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\jlqxkzy.exe
        
        C:\Windows\system32\jlqxkzy.exe 1424 "C:\Windows\SysWOW64\ymmaaby.exe"
        224⤵
        Drops file in System32 directory
        
        PID:1876
        
        C:\Windows\SysWOW64\tsdvvyf.exe
        
        C:\Windows\system32\tsdvvyf.exe 1588 "C:\Windows\SysWOW64\jlqxkzy.exe"
        225⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\dndfktg.exe
        
        C:\Windows\system32\dndfktg.exe 1320 "C:\Windows\SysWOW64\tsdvvyf.exe"
        226⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\nmikvrn.exe
        
        C:\Windows\system32\nmikvrn.exe 1456 "C:\Windows\SysWOW64\dndfktg.exe"
        227⤵
        
        PID:928
        
        C:\Windows\SysWOW64\xlmifqv.exe
        
        C:\Windows\system32\xlmifqv.exe 1520 "C:\Windows\SysWOW64\nmikvrn.exe"
        228⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\fxsncsd.exe
        
        C:\Windows\system32\fxsncsd.exe 1484 "C:\Windows\SysWOW64\xlmifqv.exe"
        229⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\mmgfwhn.exe
        
        C:\Windows\system32\mmgfwhn.exe 1508 "C:\Windows\SysWOW64\fxsncsd.exe"
        230⤵
        
        PID:304
        
        C:\Windows\SysWOW64\wihyeco.exe
        
        C:\Windows\system32\wihyeco.exe 1612 "C:\Windows\SysWOW64\mmgfwhn.exe"
        231⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\Windows\SysWOW64\bnafxea.exe
        
        C:\Windows\system32\bnafxea.exe 1616 "C:\Windows\SysWOW64\wihyeco.exe"
        232⤵
        Identifies Wine through registry keys
        
        PID:2828
        
        C:\Windows\SysWOW64\jrklhxd.exe
        
        C:\Windows\system32\jrklhxd.exe 1620 "C:\Windows\SysWOW64\bnafxea.exe"
        233⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\qzylbmm.exe
        
        C:\Windows\system32\qzylbmm.exe 1500 "C:\Windows\SysWOW64\jrklhxd.exe"
        234⤵
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\aykillu.exe
        
        C:\Windows\system32\aykillu.exe 1492 "C:\Windows\SysWOW64\qzylbmm.exe"
        235⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\ifxafaw.exe
        
        C:\Windows\system32\ifxafaw.exe 1524 "C:\Windows\SysWOW64\aykillu.exe"
        236⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\sbytnve.exe
        
        C:\Windows\system32\sbytnve.exe 1452 "C:\Windows\SysWOW64\ifxafaw.exe"
        237⤵
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\xrvgjjq.exe
        
        C:\Windows\system32\xrvgjjq.exe 1652 "C:\Windows\SysWOW64\sbytnve.exe"
        238⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\hyhdtip.exe
        
        C:\Windows\system32\hyhdtip.exe 1640 "C:\Windows\SysWOW64\xrvgjjq.exe"
        239⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\ovrqlta.exe
        
        C:\Windows\system32\ovrqlta.exe 1648 "C:\Windows\SysWOW64\hyhdtip.exe"
        240⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\wcfixic.exe
        
        C:\Windows\system32\wcfixic.exe 1568 "C:\Windows\SysWOW64\ovrqlta.exe"
        241⤵
        Drops file in System32 directory
        
        PID:2372
        
        C:\Windows\SysWOW64\dsairfl.exe
        
        C:\Windows\system32\dsairfl.exe 1536 "C:\Windows\SysWOW64\wcfixic.exe"
        242⤵
        Identifies Wine through registry keys
        
        PID:1320
        
        C:\Windows\SysWOW64\gcqowwn.exe
        
        C:\Windows\system32\gcqowwn.exe 1664 "C:\Windows\SysWOW64\dsairfl.exe"
        243⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\nkdgqlx.exe
        
        C:\Windows\system32\nkdgqlx.exe 1576 "C:\Windows\SysWOW64\gcqowwn.exe"
        244⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\vontawz.exe
        
        C:\Windows\system32\vontawz.exe 1672 "C:\Windows\SysWOW64\nkdgqlx.exe"
        245⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\zivtzos.exe
        
        C:\Windows\system32\zivtzos.exe 1668 "C:\Windows\SysWOW64\vontawz.exe"
        246⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\kalzdfm.exe
        
        C:\Windows\system32\kalzdfm.exe 1676 "C:\Windows\SysWOW64\zivtzos.exe"
        247⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\rlseayc.exe
        
        C:\Windows\system32\rlseayc.exe 1608 "C:\Windows\SysWOW64\kalzdfm.exe"
        248⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\zpujsjf.exe
        
        C:\Windows\system32\zpujsjf.exe 1548 "C:\Windows\SysWOW64\rlseayc.exe"
        249⤵
        Identifies Wine through registry keys
        
        PID:2964
        
        C:\Windows\SysWOW64\jartfnl.exe
        
        C:\Windows\system32\jartfnl.exe 1688 "C:\Windows\SysWOW64\zpujsjf.exe"
        250⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\tzvrpls.exe
        
        C:\Windows\system32\tzvrpls.exe 1692 "C:\Windows\SysWOW64\jartfnl.exe"
        251⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\dvwjfgt.exe
        
        C:\Windows\system32\dvwjfgt.exe 1596 "C:\Windows\SysWOW64\tzvrpls.exe"
        252⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\kckbrvd.exe
        
        C:\Windows\system32\kckbrvd.exe 1684 "C:\Windows\SysWOW64\dvwjfgt.exe"
        253⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\ppdjkfh.exe
        
        C:\Windows\system32\ppdjkfh.exe 1528 "C:\Windows\SysWOW64\kckbrvd.exe"
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2296
        
        C:\Windows\SysWOW64\xxzjfur.exe
        
        C:\Windows\system32\xxzjfur.exe 1540 "C:\Windows\SysWOW64\ppdjkfh.exe"
        255⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
        
        C:\Windows\SysWOW64\ebboonc.exe
        
        C:\Windows\system32\ebboonc.exe 1628 "C:\Windows\SysWOW64\xxzjfur.exe"
        256⤵
        Identifies Wine through registry keys
        
        PID:3040
        
        C:\Windows\SysWOW64\mjwpidd.exe
        
        C:\Windows\system32\mjwpidd.exe 1716 "C:\Windows\SysWOW64\ebboonc.exe"
        257⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\tngusoo.exe
        
        C:\Windows\system32\tngusoo.exe 1544 "C:\Windows\SysWOW64\mjwpidd.exe"
        258⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\exwzfeq.exe
        
        C:\Windows\system32\exwzfeq.exe 1580 "C:\Windows\SysWOW64\tngusoo.exe"
        259⤵
        
        PID:876
        
        C:\Windows\SysWOW64\irezvxa.exe
        
        C:\Windows\system32\irezvxa.exe 1724 "C:\Windows\SysWOW64\exwzfeq.exe"
        260⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\tjueinc.exe
        
        C:\Windows\system32\tjueinc.exe 1584 "C:\Windows\SysWOW64\irezvxa.exe"
        261⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\aqpxuce.exe
        
        C:\Windows\system32\aqpxuce.exe 1560 "C:\Windows\SysWOW64\tjueinc.exe"
        262⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\iycxprn.exe
        
        C:\Windows\system32\iycxprn.exe 1744 "C:\Windows\SysWOW64\aqpxuce.exe"
        263⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\nhlsfxt.exe
        
        C:\Windows\system32\nhlsfxt.exe 1592 "C:\Windows\SysWOW64\iycxprn.exe"
        264⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\xkicsaz.exe
        
        C:\Windows\system32\xkicsaz.exe 1600 "C:\Windows\SysWOW64\nhlsfxt.exe"
        265⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\hgbmaui.exe
        
        C:\Windows\system32\hgbmaui.exe 1720 "C:\Windows\SysWOW64\xkicsaz.exe"
        266⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\mzruzfs.exe
        
        C:\Windows\system32\mzruzfs.exe 1760 "C:\Windows\SysWOW64\hgbmaui.exe"
        267⤵
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\wvkfgzt.exe
        
        C:\Windows\system32\wvkfgzt.exe 1436 "C:\Windows\SysWOW64\mzruzfs.exe"
        268⤵
        
        PID:520
        
        C:\Windows\SysWOW64\ezusyse.exe
        
        C:\Windows\system32\ezusyse.exe 1644 "C:\Windows\SysWOW64\wvkfgzt.exe"
        269⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\oygpird.exe
        
        C:\Windows\system32\oygpird.exe 1660 "C:\Windows\SysWOW64\ezusyse.exe"
        270⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\vsfuflu.exe
        
        C:\Windows\system32\vsfuflu.exe 1772 "C:\Windows\SysWOW64\oygpird.exe"
        271⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\fkuakbw.exe
        
        C:\Windows\system32\fkuakbw.exe 1732 "C:\Windows\SysWOW64\vsfuflu.exe"
        272⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\nvtfhve.exe
        
        C:\Windows\system32\nvtfhve.exe 1656 "C:\Windows\SysWOW64\fkuakbw.exe"
        273⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\udpxtko.exe
        
        C:\Windows\system32\udpxtko.exe 1624 "C:\Windows\SysWOW64\nvtfhve.exe"
        274⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\hqynhom.exe
        
        C:\Windows\system32\hqynhom.exe 1632 "C:\Windows\SysWOW64\udpxtko.exe"
        275⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\obxswiv.exe
        
        C:\Windows\system32\obxswiv.exe 1636 "C:\Windows\SysWOW64\hqynhom.exe"
        276⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\wfhfnbf.exe
        
        C:\Windows\system32\wfhfnbf.exe 1788 "C:\Windows\SysWOW64\obxswiv.exe"
        277⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\gaiyvvg.exe
        
        C:\Windows\system32\gaiyvvg.exe 1728 "C:\Windows\SysWOW64\wfhfnbf.exe"
        278⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\ofsdmgj.exe
        
        C:\Windows\system32\ofsdmgj.exe 1736 "C:\Windows\SysWOW64\gaiyvvg.exe"
        279⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
        
        C:\Windows\SysWOW64\vmgdzws.exe
        
        C:\Windows\system32\vmgdzws.exe 1812 "C:\Windows\SysWOW64\ofsdmgj.exe"
        280⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\uymiwqb.exe
        
        C:\Windows\system32\uymiwqb.exe 1696 "C:\Windows\SysWOW64\vmgdzws.exe"
        281⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\fqufaod.exe
        
        C:\Windows\system32\fqufaod.exe 1748 "C:\Windows\SysWOW64\uymiwqb.exe"
        282⤵
        Drops file in System32 directory
        
        PID:280
        
        C:\Windows\SysWOW64\ppgllnk.exe
        
        C:\Windows\system32\ppgllnk.exe 1784 "C:\Windows\SysWOW64\fqufaod.exe"
        283⤵
        Drops file in System32 directory
        
        PID:2120
        
        C:\Windows\SysWOW64\urolkxu.exe
        
        C:\Windows\system32\urolkxu.exe 1680 "C:\Windows\SysWOW64\ppgllnk.exe"
        284⤵
        Drops file in System32 directory
        
        PID:2548
        
        C:\Windows\SysWOW64\bnyybif.exe
        
        C:\Windows\system32\bnyybif.exe 1768 "C:\Windows\SysWOW64\urolkxu.exe"
        285⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\gwgtsnd.exe
        
        C:\Windows\system32\gwgtsnd.exe 1756 "C:\Windows\SysWOW64\bnyybif.exe"
        286⤵
        Identifies Wine through registry keys
        
        PID:1664
        
        C:\Windows\SysWOW64\oecledn.exe
        
        C:\Windows\system32\oecledn.exe 1836 "C:\Windows\SysWOW64\gwgtsnd.exe"
        287⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\vimyvwp.exe
        
        C:\Windows\system32\vimyvwp.exe 1848 "C:\Windows\SysWOW64\oecledn.exe"
        288⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\ayjljcb.exe
        
        C:\Windows\system32\ayjljcb.exe 1800 "C:\Windows\SysWOW64\vimyvwp.exe"
        289⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Windows\SysWOW64\irilyjf.exe
        
        C:\Windows\system32\irilyjf.exe 1740 "C:\Windows\SysWOW64\ayjljcb.exe"
        290⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\pkoqvkv.exe
        
        C:\Windows\system32\pkoqvkv.exe 1852 "C:\Windows\SysWOW64\irilyjf.exe"
        291⤵
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\xgrdewy.exe
        
        C:\Windows\system32\xgrdewy.exe 1776 "C:\Windows\SysWOW64\pkoqvkv.exe"
        292⤵
        
        PID:924
        
        C:\Windows\SysWOW64\ekbrwhb.exe
        
        C:\Windows\system32\ekbrwhb.exe 1860 "C:\Windows\SysWOW64\xgrdewy.exe"
        293⤵
        Drops file in System32 directory
        
        PID:2504
        
        C:\Windows\SysWOW64\lezwlaj.exe
        
        C:\Windows\system32\lezwlaj.exe 1792 "C:\Windows\SysWOW64\ekbrwhb.exe"
        294⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\vdmtdzq.exe
        
        C:\Windows\system32\vdmtdzq.exe 1712 "C:\Windows\SysWOW64\lezwlaj.exe"
        295⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\gvbzixs.exe
        
        C:\Windows\system32\gvbzixs.exe 1700 "C:\Windows\SysWOW64\vdmtdzq.exe"
        296⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\qbcoyxf.exe
        
        C:\Windows\system32\qbcoyxf.exe 1752 "C:\Windows\SysWOW64\gvbzixs.exe"
        297⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\atrtlnh.exe
        
        C:\Windows\system32\atrtlnh.exe 1704 "C:\Windows\SysWOW64\qbcoyxf.exe"
        298⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\keheyqo.exe
        
        C:\Windows\system32\keheyqo.exe 1884 "C:\Windows\SysWOW64\atrtlnh.exe"
        299⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\sarrpjq.exe
        
        C:\Windows\system32\sarrpjq.exe 1708 "C:\Windows\SysWOW64\keheyqo.exe"
        300⤵
        Identifies Wine through registry keys
        
        PID:1840
        
        C:\Windows\SysWOW64\ztqwedz.exe
        
        C:\Windows\system32\ztqwedz.exe 1764 "C:\Windows\SysWOW64\sarrpjq.exe"
        301⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\mkkznde.exe
        
        C:\Windows\system32\mkkznde.exe 1780 "C:\Windows\SysWOW64\ztqwedz.exe"
        302⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\uoveewp.exe
        
        C:\Windows\system32\uoveewp.exe 1604 "C:\Windows\SysWOW64\mkkznde.exe"
        303⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\enzbpvp.exe
        
        C:\Windows\system32\enzbpvp.exe 1832 "C:\Windows\SysWOW64\uoveewp.exe"
        304⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\oxwmkyd.exe
        
        C:\Windows\system32\oxwmkyd.exe 1912 "C:\Windows\SysWOW64\enzbpvp.exe"
        305⤵
        Identifies Wine through registry keys
        
        PID:2192
        
        C:\Windows\SysWOW64\vcyztjg.exe
        
        C:\Windows\system32\vcyztjg.exe 1804 "C:\Windows\SysWOW64\oxwmkyd.exe"
        306⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\fbkwein.exe
        
        C:\Windows\system32\fbkwein.exe 1876 "C:\Windows\SysWOW64\vcyztjg.exe"
        307⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\niywyxp.exe
        
        C:\Windows\system32\niywyxp.exe 1816 "C:\Windows\SysWOW64\fbkwein.exe"
        308⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\xezhgsx.exe
        
        C:\Windows\system32\xezhgsx.exe 1820 "C:\Windows\SysWOW64\niywyxp.exe"
        309⤵
        Drops file in System32 directory
        
        PID:1360
        
        C:\Windows\SysWOW64\cfhcwxd.exe
        
        C:\Windows\system32\cfhcwxd.exe 1868 "C:\Windows\SysWOW64\xezhgsx.exe"
        310⤵
        System Location Discovery: System Language Discovery
        
        PID:2184
        
        C:\Windows\SysWOW64\hsakphi.exe
        
        C:\Windows\system32\hsakphi.exe 1936 "C:\Windows\SysWOW64\cfhcwxd.exe"
        311⤵
        Identifies Wine through registry keys
        
        PID:2896
        
        C:\Windows\SysWOW64\mfusjjn.exe
        
        C:\Windows\system32\mfusjjn.exe 1864 "C:\Windows\SysWOW64\hsakphi.exe"
        312⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\qzcrhbf.exe
        
        C:\Windows\system32\qzcrhbf.exe 1940 "C:\Windows\SysWOW64\mfusjjn.exe"
        313⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\budkpvg.exe
        
        C:\Windows\system32\budkpvg.exe 1828 "C:\Windows\SysWOW64\qzcrhbf.exe"
        314⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\icycblp.exe
        
        C:\Windows\system32\icycblp.exe 1808 "C:\Windows\SysWOW64\budkpvg.exe"
        315⤵
        Identifies Wine through registry keys
        
        PID:2684
        
        C:\Windows\SysWOW64\sbczukx.exe
        
        C:\Windows\system32\sbczukx.exe 1824 "C:\Windows\SysWOW64\icycblp.exe"
        316⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\capxeiw.exe
        
        C:\Windows\system32\capxeiw.exe 1900 "C:\Windows\SysWOW64\sbczukx.exe"
        317⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\ijxsugc.exe
        
        C:\Windows\system32\ijxsugc.exe 1908 "C:\Windows\SysWOW64\capxeiw.exe"
        318⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\masudoi.exe
        
        C:\Windows\system32\masudoi.exe 1964 "C:\Windows\SysWOW64\ijxsugc.exe"
        319⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\ruaccgs.exe
        
        C:\Windows\system32\ruaccgs.exe 1880 "C:\Windows\SysWOW64\masudoi.exe"
        320⤵
        Identifies Wine through registry keys
        
        PID:2244
        
        C:\Windows\SysWOW64\ehrsicz.exe
        
        C:\Windows\system32\ehrsicz.exe 1972 "C:\Windows\SysWOW64\ruaccgs.exe"
        321⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\oovpsby.exe
        
        C:\Windows\system32\oovpsby.exe 1976 "C:\Windows\SysWOW64\ehrsicz.exe"
        322⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\vwrpmyi.exe
        
        C:\Windows\system32\vwrpmyi.exe 1980 "C:\Windows\SysWOW64\oovpsby.exe"
        323⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\immkvzo.exe
        
        C:\Windows\system32\immkvzo.exe 1960 "C:\Windows\SysWOW64\vwrpmyi.exe"
        324⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\qqwxesq.exe
        
        C:\Windows\system32\qqwxesq.exe 1844 "C:\Windows\SysWOW64\immkvzo.exe"
        325⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\vgasayc.exe
        
        C:\Windows\system32\vgasayc.exe 1856 "C:\Windows\SysWOW64\qqwxesq.exe"
        326⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\fctdqsd.exe
        
        C:\Windows\system32\fctdqsd.exe 1996 "C:\Windows\SysWOW64\vgasayc.exe"
        327⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\mnaifmt.exe
        
        C:\Windows\system32\mnaifmt.exe 1928 "C:\Windows\SysWOW64\fctdqsd.exe"
        328⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\wmefxls.exe
        
        C:\Windows\system32\wmefxls.exe 1840 "C:\Windows\SysWOW64\mnaifmt.exe"
        329⤵
        
        PID:864
        
        C:\Windows\SysWOW64\eroshed.exe
        
        C:\Windows\system32\eroshed.exe 1896 "C:\Windows\SysWOW64\wmefxls.exe"
        330⤵
        Drops file in System32 directory
        
        PID:3152
        
        C:\Windows\SysWOW64\ompdoye.exe
        
        C:\Windows\system32\ompdoye.exe 2016 "C:\Windows\SysWOW64\eroshed.exe"
        331⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\tcmykep.exe
        
        C:\Windows\system32\tcmykep.exe 2012 "C:\Windows\SysWOW64\ompdoye.exe"
        332⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\gbpatnv.exe
        
        C:\Windows\system32\gbpatnv.exe 2028 "C:\Windows\SysWOW64\tcmykep.exe"
        333⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\njcsncw.exe
        
        C:\Windows\system32\njcsncw.exe 1924 "C:\Windows\SysWOW64\gbpatnv.exe"
        334⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\szhnjqi.exe
        
        C:\Windows\system32\szhnjqi.exe 1932 "C:\Windows\SysWOW64\njcsncw.exe"
        335⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\idhinvf.exe
        
        C:\Windows\system32\idhinvf.exe 2044 "C:\Windows\SysWOW64\szhnjqi.exe"
        336⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\pldazlo.exe
        
        C:\Windows\system32\pldazlo.exe 2052 "C:\Windows\SysWOW64\idhinvf.exe"
        337⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\uywitub.exe
        
        C:\Windows\system32\uywitub.exe 1904 "C:\Windows\SysWOW64\pldazlo.exe"
        338⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\ealtgxh.exe
        
        C:\Windows\system32\ealtgxh.exe 1992 "C:\Windows\SysWOW64\uywitub.exe"
        339⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\jnfbzzm.exe
        
        C:\Windows\system32\jnfbzzm.exe 2004 "C:\Windows\SysWOW64\ealtgxh.exe"
        340⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\tmjykyt.exe
        
        C:\Windows\system32\tmjykyt.exe 2056 "C:\Windows\SysWOW64\jnfbzzm.exe"
        341⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\aufyevd.exe
        
        C:\Windows\system32\aufyevd.exe 2060 "C:\Windows\SysWOW64\tmjykyt.exe"
        342⤵
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\lmuwjmf.exe
        
        C:\Windows\system32\lmuwjmf.exe 1948 "C:\Windows\SysWOW64\aufyevd.exe"
        343⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\vlytbke.exe
        
        C:\Windows\system32\vlytbke.exe 1952 "C:\Windows\SysWOW64\lmuwjmf.exe"
        344⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\cwxgqev.exe
        
        C:\Windows\system32\cwxgqev.exe 1968 "C:\Windows\SysWOW64\vlytbke.exe"
        345⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\prowwiu.exe
        
        C:\Windows\system32\prowwiu.exe 2080 "C:\Windows\SysWOW64\cwxgqev.exe"
        346⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\xdnbtcc.exe
        
        C:\Windows\system32\xdnbtcc.exe 2084 "C:\Windows\SysWOW64\prowwiu.exe"
        347⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\hyolawl.exe
        
        C:\Windows\system32\hyolawl.exe 1872 "C:\Windows\SysWOW64\xdnbtcc.exe"
        348⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\rxsrtvk.exe
        
        C:\Windows\system32\rxsrtvk.exe 2096 "C:\Windows\SysWOW64\hyolawl.exe"
        349⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\bweodus.exe
        
        C:\Windows\system32\bweodus.exe 1888 "C:\Windows\SysWOW64\rxsrtvk.exe"
        350⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:652
        
        C:\Windows\SysWOW64\iqdtana.exe
        
        C:\Windows\system32\iqdtana.exe 2104 "C:\Windows\SysWOW64\bweodus.exe"
        351⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\tatrfec.exe
        
        C:\Windows\system32\tatrfec.exe 2032 "C:\Windows\SysWOW64\iqdtana.exe"
        352⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\dhfwqcj.exe
        
        C:\Windows\system32\dhfwqcj.exe 1988 "C:\Windows\SysWOW64\tatrfec.exe"
        353⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\ksdbnws.exe
        
        C:\Windows\system32\ksdbnws.exe 2116 "C:\Windows\SysWOW64\dhfwqcj.exe"
        354⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\sartzmb.exe
        
        C:\Windows\system32\sartzmb.exe 2108 "C:\Windows\SysWOW64\ksdbnws.exe"
        355⤵
        Drops file in System32 directory
        
        PID:3616
        
        C:\Windows\SysWOW64\aaqunaf.exe
        
        C:\Windows\system32\aaqunaf.exe 2000 "C:\Windows\SysWOW64\sartzmb.exe"
        356⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\jdnebdm.exe
        
        C:\Windows\system32\jdnebdm.exe 2124 "C:\Windows\SysWOW64\aaqunaf.exe"
        357⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\jhprsow.exe
        
        C:\Windows\system32\jhprsow.exe 1796 "C:\Windows\SysWOW64\jdnebdm.exe"
        358⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\wysubxu.exe
        
        C:\Windows\system32\wysubxu.exe 2120 "C:\Windows\SysWOW64\jhprsow.exe"
        359⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\ecuzkif.exe
        
        C:\Windows\system32\ecuzkif.exe 1916 "C:\Windows\SysWOW64\wysubxu.exe"
        360⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\nmsjfll.exe
        
        C:\Windows\system32\nmsjfll.exe 1920 "C:\Windows\SysWOW64\ecuzkif.exe"
        361⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\yilcnfm.exe
        
        C:\Windows\system32\yilcnfm.exe 1944 "C:\Windows\SysWOW64\nmsjfll.exe"
        362⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\lcrkysq.exe
        
        C:\Windows\system32\lcrkysq.exe 2144 "C:\Windows\SysWOW64\yilcnfm.exe"
        363⤵
        Identifies Wine through registry keys
        
        PID:3556
        
        C:\Windows\SysWOW64\svxpvmg.exe
        
        C:\Windows\system32\svxpvmg.exe 2088 "C:\Windows\SysWOW64\lcrkysq.exe"
        364⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\crqhdgh.exe
        
        C:\Windows\system32\crqhdgh.exe 2092 "C:\Windows\SysWOW64\svxpvmg.exe"
        365⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\plwpokl.exe
        
        C:\Windows\system32\plwpokl.exe 1984 "C:\Windows\SysWOW64\crqhdgh.exe"
        366⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\zsiuhjt.exe
        
        C:\Windows\system32\zsiuhjt.exe 2160 "C:\Windows\SysWOW64\plwpokl.exe"
        367⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\jrnsria.exe
        
        C:\Windows\system32\jrnsria.exe 1956 "C:\Windows\SysWOW64\zsiuhjt.exe"
        368⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\whpuaqy.exe
        
        C:\Windows\system32\whpuaqy.exe 2176 "C:\Windows\SysWOW64\jrnsria.exe"
        369⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\gsffvtm.exe
        
        C:\Windows\system32\gsffvtm.exe 2184 "C:\Windows\SysWOW64\whpuaqy.exe"
        370⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\qrjcfsu.exe
        
        C:\Windows\system32\qrjcfsu.exe 2164 "C:\Windows\SysWOW64\gsffvtm.exe"
        371⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\ghucmcp.exe
        
        C:\Windows\system32\ghucmcp.exe 2172 "C:\Windows\SysWOW64\qrjcfsu.exe"
        372⤵
        Identifies Wine through registry keys
        
        PID:1808
        
        C:\Windows\SysWOW64\npqcyrz.exe
        
        C:\Windows\system32\npqcyrz.exe 2180 "C:\Windows\SysWOW64\ghucmcp.exe"
        373⤵
        Identifies Wine through registry keys
        
        PID:3872
        
        C:\Windows\SysWOW64\achsevy.exe
        
        C:\Windows\system32\achsevy.exe 2200 "C:\Windows\SysWOW64\npqcyrz.exe"
        374⤵
        Identifies Wine through registry keys
        
        PID:4056
        
        C:\Windows\SysWOW64\neniyhc.exe
        
        C:\Windows\system32\neniyhc.exe 2188 "C:\Windows\SysWOW64\achsevy.exe"
        375⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\xdrfigk.exe
        
        C:\Windows\system32\xdrfigk.exe 2192 "C:\Windows\SysWOW64\neniyhc.exe"
        376⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\elnxuwt.exe
        
        C:\Windows\system32\elnxuwt.exe 2196 "C:\Windows\SysWOW64\xdrfigk.exe"
        377⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\pkrvnub.exe
        
        C:\Windows\system32\pkrvnub.exe 2068 "C:\Windows\SysWOW64\elnxuwt.exe"
        378⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\wrmvzkk.exe
        
        C:\Windows\system32\wrmvzkk.exe 2072 "C:\Windows\SysWOW64\pkrvnub.exe"
        379⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\jewkfoj.exe
        
        C:\Windows\system32\jewkfoj.exe 2076 "C:\Windows\SysWOW64\wrmvzkk.exe"
        380⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\tliixmq.exe
        
        C:\Windows\system32\tliixmq.exe 2208 "C:\Windows\SysWOW64\jewkfoj.exe"
        381⤵
        Drops file in System32 directory
        
        PID:3172
        
        C:\Windows\SysWOW64\axhnmgz.exe
        
        C:\Windows\system32\axhnmgz.exe 2100 "C:\Windows\SysWOW64\tliixmq.exe"
        382⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\nkqdsky.exe
        
        C:\Windows\system32\nkqdsky.exe 2228 "C:\Windows\SysWOW64\axhnmgz.exe"
        383⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\yjdikjf.exe
        
        C:\Windows\system32\yjdikjf.exe 2224 "C:\Windows\SysWOW64\nkqdsky.exe"
        384⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\iqhfvin.exe
        
        C:\Windows\system32\iqhfvin.exe 2112 "C:\Windows\SysWOW64\yjdikjf.exe"
        385⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\sptdfgm.exe
        
        C:\Windows\system32\sptdfgm.exe 2128 "C:\Windows\SysWOW64\iqhfvin.exe"
        386⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\crinaka.exe
        
        C:\Windows\system32\crinaka.exe 2240 "C:\Windows\SysWOW64\sptdfgm.exe"
        387⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\pqdqjkg.exe
        
        C:\Windows\system32\pqdqjkg.exe 2244 "C:\Windows\SysWOW64\crinaka.exe"
        388⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\wyyidzi.exe
        
        C:\Windows\system32\wyyidzi.exe 2064 "C:\Windows\SysWOW64\pqdqjkg.exe"
        389⤵
        Identifies Wine through registry keys
        
        PID:3184
        
        C:\Windows\SysWOW64\jliyjdo.exe
        
        C:\Windows\system32\jliyjdo.exe 2040 "C:\Windows\SysWOW64\wyyidzi.exe"
        390⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\rsdyvsq.exe
        
        C:\Windows\system32\rsdyvsq.exe 2256 "C:\Windows\SysWOW64\jliyjdo.exe"
        391⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
        
        C:\Windows\SysWOW64\brivorx.exe
        
        C:\Windows\system32\brivorx.exe 2008 "C:\Windows\SysWOW64\rsdyvsq.exe"
        392⤵
        Drops file in System32 directory
        
        PID:3884
        
        C:\Windows\SysWOW64\iloadtg.exe
        
        C:\Windows\system32\iloadtg.exe 2168 "C:\Windows\SysWOW64\brivorx.exe"
        393⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\sksyvkn.exe
        
        C:\Windows\system32\sksyvkn.exe 2020 "C:\Windows\SysWOW64\iloadtg.exe"
        394⤵
        Identifies Wine through registry keys
        
        PID:3080
        
        C:\Windows\SysWOW64\fxkobom.exe
        
        C:\Windows\system32\fxkobom.exe 2252 "C:\Windows\SysWOW64\sksyvkn.exe"
        395⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\uukwfgv.exe
        
        C:\Windows\system32\uukwfgv.exe 2276 "C:\Windows\SysWOW64\fxkobom.exe"
        396⤵
        Identifies Wine through registry keys
        
        PID:3800
        
        C:\Windows\SysWOW64\ftwtyfd.exe
        
        C:\Windows\system32\ftwtyfd.exe 2272 "C:\Windows\SysWOW64\uukwfgv.exe"
        397⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\paaqidk.exe
        
        C:\Windows\system32\paaqidk.exe 2152 "C:\Windows\SysWOW64\ftwtyfd.exe"
        398⤵
        Drops file in System32 directory
        
        PID:3388
        
        C:\Windows\SysWOW64\zzmobck.exe
        
        C:\Windows\system32\zzmobck.exe 2288 "C:\Windows\SysWOW64\paaqidk.exe"
        399⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\jyqllbr.exe
        
        C:\Windows\system32\jyqllbr.exe 2292 "C:\Windows\SysWOW64\zzmobck.exe"
        400⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\qgelxyb.exe
        
        C:\Windows\system32\qgelxyb.exe 2296 "C:\Windows\SysWOW64\jyqllbr.exe"
        401⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\vehooyg.exe
        
        C:\Windows\system32\vehooyg.exe 2312 "C:\Windows\SysWOW64\qgelxyb.exe"
        402⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\gahyvth.exe
        
        C:\Windows\system32\gahyvth.exe 2300 "C:\Windows\SysWOW64\vehooyg.exe"
        403⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\nhvriqr.exe
        
        C:\Windows\system32\nhvriqr.exe 2156 "C:\Windows\SysWOW64\gahyvth.exe"
        404⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\xdwjxlr.exe
        
        C:\Windows\system32\xdwjxlr.exe 2236 "C:\Windows\SysWOW64\nhvriqr.exe"
        405⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\hjwynke.exe
        
        C:\Windows\system32\hjwynke.exe 2024 "C:\Windows\SysWOW64\xdwjxlr.exe"
        406⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\uegwtod.exe
        
        C:\Windows\system32\uegwtod.exe 2320 "C:\Windows\SysWOW64\hjwynke.exe"
        407⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\edsulnl.exe
        
        C:\Windows\system32\edsulnl.exe 2324 "C:\Windows\SysWOW64\uegwtod.exe"
        408⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\rxybxzp.exe
        
        C:\Windows\system32\rxybxzp.exe 2316 "C:\Windows\SysWOW64\edsulnl.exe"
        409⤵
        Identifies Wine through registry keys
        
        PID:3372
        
        C:\Windows\SysWOW64\btrueuq.exe
        
        C:\Windows\system32\btrueuq.exe 2212 "C:\Windows\SysWOW64\rxybxzp.exe"
        410⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\ldoesxe.exe
        
        C:\Windows\system32\ldoesxe.exe 2036 "C:\Windows\SysWOW64\btrueuq.exe"
        411⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\wdtbkwe.exe
        
        C:\Windows\system32\wdtbkwe.exe 2336 "C:\Windows\SysWOW64\ldoesxe.exe"
        412⤵
        Identifies Wine through registry keys
        
        PID:3768
        
        C:\Windows\SysWOW64\fnimxrs.exe
        
        C:\Windows\system32\fnimxrs.exe 2344 "C:\Windows\SysWOW64\wdtbkwe.exe"
        413⤵
        Identifies Wine through registry keys
        
        PID:3996
        
        C:\Windows\SysWOW64\qmujiqa.exe
        
        C:\Windows\system32\qmujiqa.exe 2348 "C:\Windows\SysWOW64\fnimxrs.exe"
        414⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
        
        C:\Windows\SysWOW64\alyhaoz.exe
        
        C:\Windows\system32\alyhaoz.exe 2332 "C:\Windows\SysWOW64\qmujiqa.exe"
        415⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\kkcelnh.exe
        
        C:\Windows\system32\kkcelnh.exe 2136 "C:\Windows\SysWOW64\alyhaoz.exe"
        416⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\sljezcl.exe
        
        C:\Windows\system32\sljezcl.exe 2368 "C:\Windows\SysWOW64\kkcelnh.exe"
        417⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\zwijowt.exe
        
        C:\Windows\system32\zwijowt.exe 2360 "C:\Windows\SysWOW64\sljezcl.exe"
        418⤵
        Identifies Wine through registry keys
        
        PID:3916
        
        C:\Windows\SysWOW64\jsjcequ.exe
        
        C:\Windows\system32\jsjcequ.exe 2132 "C:\Windows\SysWOW64\zwijowt.exe"
        419⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\uncmllc.exe
        
        C:\Windows\system32\uncmllc.exe 2140 "C:\Windows\SysWOW64\jsjcequ.exe"
        420⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\eyrxzoj.exe
        
        C:\Windows\system32\eyrxzoj.exe 2376 "C:\Windows\SysWOW64\uncmllc.exe"
        421⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\oxdurnq.exe
        
        C:\Windows\system32\oxdurnq.exe 2352 "C:\Windows\SysWOW64\eyrxzoj.exe"
        422⤵
        Drops file in System32 directory
        
        PID:3592
        
        C:\Windows\SysWOW64\boyxanw.exe
        
        C:\Windows\system32\boyxanw.exe 2388 "C:\Windows\SysWOW64\oxdurnq.exe"
        423⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\kynhnqc.exe
        
        C:\Windows\system32\kynhnqc.exe 2148 "C:\Windows\SysWOW64\boyxanw.exe"
        424⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\vuoaukd.exe
        
        C:\Windows\system32\vuoaukd.exe 2392 "C:\Windows\SysWOW64\kynhnqc.exe"
        425⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\fwecqnj.exe
        
        C:\Windows\system32\fwecqnj.exe 2204 "C:\Windows\SysWOW64\vuoaukd.exe"
        426⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\peqhamr.exe
        
        C:\Windows\system32\peqhamr.exe 2216 "C:\Windows\SysWOW64\fwecqnj.exe"
        427⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\zzjsihr.exe
        
        C:\Windows\system32\zzjsihr.exe 2220 "C:\Windows\SysWOW64\peqhamr.exe"
        428⤵
        Identifies Wine through registry keys
        
        PID:4084
        
        C:\Windows\SysWOW64\mqluypx.exe
        
        C:\Windows\system32\mqluypx.exe 2408 "C:\Windows\SysWOW64\zzjsihr.exe"
        429⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\wppsjof.exe
        
        C:\Windows\system32\wppsjof.exe 2400 "C:\Windows\SysWOW64\mqluypx.exe"
        430⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\eioxyhn.exe
        
        C:\Windows\system32\eioxyhn.exe 2284 "C:\Windows\SysWOW64\wppsjof.exe"
        431⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\ohauqgu.exe
        
        C:\Windows\system32\ohauqgu.exe 2232 "C:\Windows\SysWOW64\eioxyhn.exe"
        432⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\bukswkt.exe
        
        C:\Windows\system32\bukswkt.exe 2372 "C:\Windows\SysWOW64\ohauqgu.exe"
        433⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\icfkizd.exe
        
        C:\Windows\system32\icfkizd.exe 2308 "C:\Windows\SysWOW64\bukswkt.exe"
        434⤵
        Drops file in System32 directory
        
        PID:3792
        
        C:\Windows\SysWOW64\vaanzii.exe
        
        C:\Windows\system32\vaanzii.exe 2432 "C:\Windows\SysWOW64\icfkizd.exe"
        435⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\clzsobq.exe
        
        C:\Windows\system32\clzsobq.exe 2328 "C:\Windows\SysWOW64\vaanzii.exe"
        436⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\pyqiufp.exe
        
        C:\Windows\system32\pyqiufp.exe 2248 "C:\Windows\SysWOW64\clzsobq.exe"
        437⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\xkpnrzg.exe
        
        C:\Windows\system32\xkpnrzg.exe 2340 "C:\Windows\SysWOW64\pyqiufp.exe"
        438⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\kxhlwde.exe
        
        C:\Windows\system32\kxhlwde.exe 2448 "C:\Windows\SysWOW64\xkpnrzg.exe"
        439⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\uhwnkyl.exe
        
        C:\Windows\system32\uhwnkyl.exe 2364 "C:\Windows\SysWOW64\kxhlwde.exe"
        440⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\edxfzsl.exe
        
        C:\Windows\system32\edxfzsl.exe 2260 "C:\Windows\SysWOW64\uhwnkyl.exe"
        441⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\jtuangx.exe
        
        C:\Windows\system32\jtuangx.exe 2280 "C:\Windows\SysWOW64\edxfzsl.exe"
        442⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\tsgygfe.exe
        
        C:\Windows\system32\tsgygfe.exe 2464 "C:\Windows\SysWOW64\jtuangx.exe"
        443⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\drkvqem.exe
        
        C:\Windows\system32\drkvqem.exe 2264 "C:\Windows\SysWOW64\tsgygfe.exe"
        444⤵
        Identifies Wine through registry keys
        
        PID:3232
        
        C:\Windows\SysWOW64\zipimkx.exe
        
        C:\Windows\system32\zipimkx.exe 2396 "C:\Windows\SysWOW64\drkvqem.exe"
        445⤵
        Identifies Wine through registry keys
        
        PID:684
        
        C:\Windows\SysWOW64\mgjlvsv.exe
        
        C:\Windows\system32\mgjlvsv.exe 2476 "C:\Windows\SysWOW64\zipimkx.exe"
        446⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\xfvqfrd.exe
        
        C:\Windows\system32\xfvqfrd.exe 2420 "C:\Windows\SysWOW64\mgjlvsv.exe"
        447⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\ksfglvb.exe
        
        C:\Windows\system32\ksfglvb.exe 2380 "C:\Windows\SysWOW64\xfvqfrd.exe"
        448⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\uduqgyq.exe
        
        C:\Windows\system32\uduqgyq.exe 2356 "C:\Windows\SysWOW64\ksfglvb.exe"
        449⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\eyvbosq.exe
        
        C:\Windows\system32\eyvbosq.exe 2452 "C:\Windows\SysWOW64\uduqgyq.exe"
        450⤵
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\oxhygry.exe
        
        C:\Windows\system32\oxhygry.exe 2496 "C:\Windows\SysWOW64\eyvbosq.exe"
        451⤵
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\vjgdvlg.exe
        
        C:\Windows\system32\vjgdvlg.exe 2268 "C:\Windows\SysWOW64\oxhygry.exe"
        452⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\fikjgko.exe
        
        C:\Windows\system32\fikjgko.exe 2508 "C:\Windows\SysWOW64\vjgdvlg.exe"
        453⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\qdltvep.exe
        
        C:\Windows\system32\qdltvep.exe 2504 "C:\Windows\SysWOW64\fikjgko.exe"
        454⤵
        Identifies Wine through registry keys
        Drops file in System32 directory
        
        PID:2776
        
        C:\Windows\SysWOW64\akpqgdw.exe
        
        C:\Windows\system32\akpqgdw.exe 2512 "C:\Windows\SysWOW64\qdltvep.exe"
        455⤵
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\fbulcji.exe
        
        C:\Windows\system32\fbulcji.exe 2384 "C:\Windows\SysWOW64\akpqgdw.exe"
        456⤵
        Identifies Wine through registry keys
        
        PID:3312
        
        C:\Windows\SysWOW64\sombing.exe
        
        C:\Windows\system32\sombing.exe 2524 "C:\Windows\SysWOW64\fbulcji.exe"
        457⤵
        Identifies Wine through registry keys
        
        PID:560
        
        C:\Windows\SysWOW64\cnqysmo.exe
        
        C:\Windows\system32\cnqysmo.exe 2516 "C:\Windows\SysWOW64\sombing.exe"
        458⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\mpfjnpu.exe
        
        C:\Windows\system32\mpfjnpu.exe 2528 "C:\Windows\SysWOW64\cnqysmo.exe"
        459⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\tupwxax.exe
        
        C:\Windows\system32\tupwxax.exe 2552 "C:\Windows\SysWOW64\mpfjnpu.exe"
        460⤵
        Drops file in System32 directory
        
        PID:3284
        
        C:\Windows\SysWOW64\bblorpg.exe
        
        C:\Windows\system32\bblorpg.exe 2540 "C:\Windows\SysWOW64\tupwxax.exe"
        461⤵
        Identifies Wine through registry keys
        
        PID:3876
        
        C:\Windows\SysWOW64\lipmboo.exe
        
        C:\Windows\system32\lipmboo.exe 2436 "C:\Windows\SysWOW64\bblorpg.exe"
        462⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\veqerjp.exe
        
        C:\Windows\system32\veqerjp.exe 2456 "C:\Windows\SysWOW64\lipmboo.exe"
        463⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\fkqthqc.exe
        
        C:\Windows\system32\fkqthqc.exe 2544 "C:\Windows\SysWOW64\veqerjp.exe"
        464⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\prurrpj.exe
        
        C:\Windows\system32\prurrpj.exe 2560 "C:\Windows\SysWOW64\fkqthqc.exe"
        465⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\anvjhjk.exe
        
        C:\Windows\system32\anvjhjk.exe 2468 "C:\Windows\SysWOW64\prurrpj.exe"
        466⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\kiouoel.exe
        
        C:\Windows\system32\kiouoel.exe 2556 "C:\Windows\SysWOW64\anvjhjk.exe"
        467⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\rqkubbu.exe
        
        C:\Windows\system32\rqkubbu.exe 2404 "C:\Windows\SysWOW64\kiouoel.exe"
        468⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\zyxmvre.exe
        
        C:\Windows\system32\zyxmvre.exe 2304 "C:\Windows\SysWOW64\rqkubbu.exe"
        469⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\dochrxp.exe
        
        C:\Windows\system32\dochrxp.exe 2564 "C:\Windows\SysWOW64\zyxmvre.exe"
        470⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\nngebvx.exe
        
        C:\Windows\system32\nngebvx.exe 2584 "C:\Windows\SysWOW64\dochrxp.exe"
        471⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\yfvcgmr.exe
        
        C:\Windows\system32\yfvcgmr.exe 2460 "C:\Windows\SysWOW64\nngebvx.exe"
        472⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\czljfej.exe
        
        C:\Windows\system32\czljfej.exe 2588 "C:\Windows\SysWOW64\yfvcgmr.exe"
        473⤵
        Identifies Wine through registry keys
        
        PID:3408
        
        C:\Windows\SysWOW64\hefrygo.exe
        
        C:\Windows\system32\hefrygo.exe 2596 "C:\Windows\SysWOW64\czljfej.exe"
        474⤵
        Identifies Wine through registry keys
        
        PID:3360
        
        C:\Windows\SysWOW64\uzphejn.exe
        
        C:\Windows\system32\uzphejn.exe 2580 "C:\Windows\SysWOW64\hefrygo.exe"
        475⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\zptcaxy.exe
        
        C:\Windows\system32\zptcaxy.exe 2416 "C:\Windows\SysWOW64\uzphejn.exe"
        476⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\gxhuuni.exe
        
        C:\Windows\system32\gxhuuni.exe 2600 "C:\Windows\SysWOW64\zptcaxy.exe"
        477⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\rsifchi.exe
        
        C:\Windows\system32\rsifchi.exe 2592 "C:\Windows\SysWOW64\gxhuuni.exe"
        478⤵
        Identifies Wine through registry keys
        
        PID:3436
        
        C:\Windows\SysWOW64\brukmgq.exe
        
        C:\Windows\system32\brukmgq.exe 2608 "C:\Windows\SysWOW64\rsifchi.exe"
        479⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\lryhffx.exe
        
        C:\Windows\system32\lryhffx.exe 2604 "C:\Windows\SysWOW64\brukmgq.exe"
        480⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\tytzruh.exe
        
        C:\Windows\system32\tytzruh.exe 2624 "C:\Windows\SysWOW64\lryhffx.exe"
        481⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\aghslkj.exe
        
        C:\Windows\system32\aghslkj.exe 2412 "C:\Windows\SysWOW64\tytzruh.exe"
        482⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\lywxqik.exe
        
        C:\Windows\system32\lywxqik.exe 2620 "C:\Windows\SysWOW64\aghslkj.exe"
        483⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\vxivahs.exe
        
        C:\Windows\system32\vxivahs.exe 2424 "C:\Windows\SysWOW64\lywxqik.exe"
        484⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\uqhaxaa.exe
        
        C:\Windows\system32\uqhaxaa.exe 2644 "C:\Windows\SysWOW64\vxivahs.exe"
        485⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\byvasqk.exe
        
        C:\Windows\system32\byvasqk.exe 2472 "C:\Windows\SysWOW64\uqhaxaa.exe"
        486⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\muvkzkl.exe
        
        C:\Windows\system32\muvkzkl.exe 2648 "C:\Windows\SysWOW64\byvasqk.exe"
        487⤵
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\wtaikjs.exe
        
        C:\Windows\system32\wtaikjs.exe 2428 "C:\Windows\SysWOW64\muvkzkl.exe"
        488⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\goaazet.exe
        
        C:\Windows\system32\goaazet.exe 2440 "C:\Windows\SysWOW64\wtaikjs.exe"
        489⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\qnnxkca.exe
        
        C:\Windows\system32\qnnxkca.exe 2444 "C:\Windows\SysWOW64\goaazet.exe"
        490⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\amrvubi.exe
        
        C:\Windows\system32\amrvubi.exe 2576 "C:\Windows\SysWOW64\qnnxkca.exe"
        491⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\igparvq.exe
        
        C:\Windows\system32\igparvq.exe 2480 "C:\Windows\SysWOW64\amrvubi.exe"
        492⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\mkjikfd.exe
        
        C:\Windows\system32\mkjikfd.exe 2536 "C:\Windows\SysWOW64\igparvq.exe"
        493⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\zmpywjh.exe
        
        C:\Windows\system32\zmpywjh.exe 2548 "C:\Windows\SysWOW64\mkjikfd.exe"
        494⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\jiqidei.exe
        
        C:\Windows\system32\jiqidei.exe 2632 "C:\Windows\SysWOW64\zmpywjh.exe"
        495⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Windows\SysWOW64\uhufocq.exe
        
        C:\Windows\system32\uhufocq.exe 2488 "C:\Windows\SysWOW64\jiqidei.exe"
        496⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\hgxielv.exe
        
        C:\Windows\system32\hgxielv.exe 2520 "C:\Windows\SysWOW64\uhufocq.exe"
        497⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\orvnted.exe
        
        C:\Windows\system32\orvnted.exe 2500 "C:\Windows\SysWOW64\hgxielv.exe"
        498⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\yjltyuf.exe
        
        C:\Windows\system32\yjltyuf.exe 2696 "C:\Windows\SysWOW64\orvnted.exe"
        499⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\ddtbxnq.exe
        
        C:\Windows\system32\ddtbxnq.exe 2640 "C:\Windows\SysWOW64\yjltyuf.exe"
        500⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\nvjykds.exe
        
        C:\Windows\system32\nvjykds.exe 2484 "C:\Windows\SysWOW64\ddtbxnq.exe"
        501⤵
        Identifies Wine through registry keys
        
        PID:3300
        
        C:\Windows\SysWOW64\vdeywsb.exe
        
        C:\Windows\system32\vdeywsb.exe 2492 "C:\Windows\SysWOW64\nvjykds.exe"
        502⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\fftarvh.exe
        
        C:\Windows\system32\fftarvh.exe 2704 "C:\Windows\SysWOW64\vdeywsb.exe"
        503⤵
        System Location Discovery: System Language Discovery
        
        PID:3744
        
        C:\Windows\SysWOW64\mnhbdlr.exe
        
        C:\Windows\system32\mnhbdlr.exe 2636 "C:\Windows\SysWOW64\fftarvh.exe"
        504⤵
        Drops file in System32 directory
        
        PID:3804
        
        C:\Windows\SysWOW64\xfwgibt.exe
        
        C:\Windows\system32\xfwgibt.exe 2532 "C:\Windows\SysWOW64\mnhbdlr.exe"
        505⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\hejebas.exe
        
        C:\Windows\system32\hejebas.exe 2572 "C:\Windows\SysWOW64\xfwgibt.exe"
        506⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\rlnblza.exe
        
        C:\Windows\system32\rlnblza.exe 2664 "C:\Windows\SysWOW64\hejebas.exe"
        507⤵
        Identifies Wine through registry keys
        
        PID:3412
        
        C:\Windows\SysWOW64\ywtgisi.exe
        
        C:\Windows\system32\ywtgisi.exe 2652 "C:\Windows\SysWOW64\rlnblza.exe"
        508⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\ismqqnr.exe
        
        C:\Windows\system32\ismqqnr.exe 2728 "C:\Windows\SysWOW64\ywtgisi.exe"
        509⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\trywamz.exe
        
        C:\Windows\system32\trywamz.exe 2568 "C:\Windows\SysWOW64\ismqqnr.exe"
        510⤵
        Identifies Wine through registry keys
        
        PID:3720
        
        C:\Windows\SysWOW64\azmouja.exe
        
        C:\Windows\system32\azmouja.exe 2676 "C:\Windows\SysWOW64\trywamz.exe"
        511⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\kyylfii.exe
        
        C:\Windows\system32\kyylfii.exe 2740 "C:\Windows\SysWOW64\azmouja.exe"
        512⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\ufcjxhp.exe
        
        C:\Windows\system32\ufcjxhp.exe 2616 "C:\Windows\SysWOW64\kyylfii.exe"
        513⤵
        Identifies Wine through registry keys
        
        PID:3696
        
        C:\Windows\SysWOW64\hsuzdco.exe
        
        C:\Windows\system32\hsuzdco.exe 2628 "C:\Windows\SysWOW64\ufcjxhp.exe"
        514⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\sryenbw.exe
        
        C:\Windows\system32\sryenbw.exe 2672 "C:\Windows\SysWOW64\hsuzdco.exe"
        515⤵
        Identifies Wine through registry keys
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\bfytdjj.exe
        
        C:\Windows\system32\bfytdjj.exe 2756 "C:\Windows\SysWOW64\sryenbw.exe"
        516⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\ledrwhi.exe
        
        C:\Windows\system32\ledrwhi.exe 2760 "C:\Windows\SysWOW64\bfytdjj.exe"
        517⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\tfjrcom.exe
        
        C:\Windows\system32\tfjrcom.exe 2612 "C:\Windows\SysWOW64\ledrwhi.exe"
        518⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\dhzbyra.exe
        
        C:\Windows\system32\dhzbyra.exe 2768 "C:\Windows\SysWOW64\tfjrcom.exe"
        519⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\kpmbkpc.exe
        
        C:\Windows\system32\kpmbkpc.exe 2776 "C:\Windows\SysWOW64\dhzbyra.exe"
        520⤵
        Identifies Wine through registry keys
        
        PID:4052
        
        C:\Windows\SysWOW64\voyzcgj.exe
        
        C:\Windows\system32\voyzcgj.exe 2784 "C:\Windows\SysWOW64\kpmbkpc.exe"
        521⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\fkrjkik.exe
        
        C:\Windows\system32\fkrjkik.exe 2720 "C:\Windows\SysWOW64\voyzcgj.exe"
        522⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\prdhuzs.exe
        
        C:\Windows\system32\prdhuzs.exe 2660 "C:\Windows\SysWOW64\fkrjkik.exe"
        523⤵
        
        PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\qzwntof.exe

Filesize
527KB

MD5
f051ab4e7b5646a97caafe260e99df7b

SHA1
0f2f7661cfccb9e9ef030b4c7cbcae591c277081

SHA256
d9a4c7563632f29fa26548660bd4131faf2cfe5a7fc58564883680018dafee6d

SHA512
05140c4e52c1d0ca249d4e62daef86acea6eb0591b7bb9ca05ede05c99d3f9597ad82123bfab1c85d402e7e107df2483151db03f65a00b86878267ced867ba45

Download Submit
memory/316-349-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/748-108-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/748-121-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/892-461-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/964-203-0x00000000048B0000-0x0000000004A8A000-memory.dmp

Filesize
1.9MB

Download
memory/964-204-0x00000000048B0000-0x0000000004A8A000-memory.dmp

Filesize
1.9MB

Download
memory/964-208-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/968-407-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1032-524-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1144-39-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1144-50-0x00000000048F0000-0x0000000004ACA000-memory.dmp

Filesize
1.9MB

Download
memory/1144-52-0x00000000048F0000-0x0000000004ACA000-memory.dmp

Filesize
1.9MB

Download
memory/1144-43-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1248-489-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1480-124-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1480-123-0x00000000048E0000-0x0000000004ABA000-memory.dmp

Filesize
1.9MB

Download
memory/1480-122-0x00000000048E0000-0x0000000004ABA000-memory.dmp

Filesize
1.9MB

Download
memory/1496-28-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1496-36-0x0000000004820000-0x00000000049FA000-memory.dmp

Filesize
1.9MB

Download
memory/1496-23-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1496-22-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1496-27-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1496-35-0x0000000004820000-0x00000000049FA000-memory.dmp

Filesize
1.9MB

Download
memory/1552-219-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1552-232-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1568-106-0x00000000048B0000-0x0000000004A8A000-memory.dmp

Filesize
1.9MB

Download
memory/1568-109-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1568-94-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1576-419-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1612-531-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1628-76-0x0000000004800000-0x00000000049DA000-memory.dmp

Filesize
1.9MB

Download
memory/1628-83-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1628-69-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1656-547-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1748-356-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1772-321-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1776-538-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1792-207-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1792-221-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1816-293-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1860-286-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/1988-412-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2020-328-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2032-272-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2136-335-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2216-251-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2228-138-0x00000000048A0000-0x0000000004A7A000-memory.dmp

Filesize
1.9MB

Download
memory/2228-141-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2256-370-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2280-363-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2300-391-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2316-481-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2332-279-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2364-193-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2364-177-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2364-189-0x00000000049B0000-0x0000000004B8A000-memory.dmp

Filesize
1.9MB

Download
memory/2364-190-0x00000000049B0000-0x0000000004B8A000-memory.dmp

Filesize
1.9MB

Download
memory/2376-454-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2380-426-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2416-53-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2416-59-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2416-55-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2416-66-0x00000000048D0000-0x0000000004AAA000-memory.dmp

Filesize
1.9MB

Download
memory/2416-68-0x00000000048D0000-0x0000000004AAA000-memory.dmp

Filesize
1.9MB

Download
memory/2476-468-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2480-300-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2528-384-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2532-165-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2532-154-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2544-398-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2592-377-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2616-241-0x00000000048A0000-0x0000000004A7A000-memory.dmp

Filesize
1.9MB

Download
memory/2616-242-0x00000000048A0000-0x0000000004A7A000-memory.dmp

Filesize
1.9MB

Download
memory/2616-244-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2620-552-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2648-510-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2704-179-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2704-178-0x0000000004800000-0x00000000049DA000-memory.dmp

Filesize
1.9MB

Download
memory/2704-176-0x0000000004800000-0x00000000049DA000-memory.dmp

Filesize
1.9MB

Download
memory/2708-482-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2752-307-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2764-561-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2780-433-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2808-7-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2808-2-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2808-20-0x0000000004830000-0x0000000004A0A000-memory.dmp

Filesize
1.9MB

Download
memory/2808-0-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2808-19-0x0000000004830000-0x0000000004A0A000-memory.dmp

Filesize
1.9MB

Download
memory/2808-5-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2808-6-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2808-1-0x0000000000401000-0x000000000042A000-memory.dmp

Filesize
164KB

Download
memory/2808-3-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2808-4-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2808-11-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2832-496-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2844-139-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2844-153-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2844-151-0x00000000048E0000-0x0000000004ABA000-memory.dmp

Filesize
1.9MB

Download
memory/2848-314-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2884-342-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2900-566-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2904-440-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2936-258-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/2960-265-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/3000-447-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/3004-505-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/3016-96-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download
memory/3044-517-0x0000000000400000-0x00000000005DA000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads