4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe
Size

83KB
MD5

018983f5006f7b26c7f2d52eca2f3aed
SHA1

26e0a342bc6e6ba102777d0d3a1ccb58c7239e54
SHA256

4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139
SHA512

dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6
SSDEEP

1536:MQeKcnrJXSWLv5z2+KWa4jSEJs+pVlq6AQBgP:MQHcnrJXSUBz2+KWagSBUVfAHP

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3908	explorer.exe
4624	explorer.exe
4820	explorer.exe
4800	explorer.exe
4692	explorer.exe
968	explorer.exe
2980	explorer.exe
812	explorer.exe
4440	smss.exe
3980	smss.exe
2636	explorer.exe
228	explorer.exe
1076	smss.exe
2668	explorer.exe
4080	explorer.exe
776	smss.exe
3688	explorer.exe
4908	explorer.exe
3580	explorer.exe
4160	explorer.exe
3200	smss.exe
548	explorer.exe
1776	explorer.exe
2336	explorer.exe
1016	explorer.exe
4196	explorer.exe
1328	smss.exe
1892	explorer.exe
3756	explorer.exe
1556	explorer.exe
3476	explorer.exe
1432	explorer.exe
5012	explorer.exe
4740	smss.exe
1204	explorer.exe
864	explorer.exe
2572	explorer.exe
3512	explorer.exe
1096	explorer.exe
4056	explorer.exe
5060	smss.exe
4920	explorer.exe
5072	explorer.exe
1352	explorer.exe
728	explorer.exe
1884	explorer.exe
4836	explorer.exe
1028	explorer.exe
4052	explorer.exe
5112	explorer.exe
4756	smss.exe
4888	explorer.exe
4868	explorer.exe
5016	explorer.exe
4768	explorer.exe
1980	explorer.exe
1844	smss.exe
4964	explorer.exe
5064	explorer.exe
2288	smss.exe
1392	explorer.exe
3368	explorer.exe
444	explorer.exe
5080	smss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2036-132-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e10-134.dat	upx
behavioral2/files/0x000d000000022e10-135.dat	upx
behavioral2/memory/3908-136-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0007000000022e1e-137.dat	upx
behavioral2/files/0x000d000000022e10-139.dat	upx
behavioral2/memory/4624-140-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e1e-141.dat	upx
behavioral2/memory/2036-142-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e10-144.dat	upx
behavioral2/memory/4820-145-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3908-146-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0009000000022e1e-147.dat	upx
behavioral2/files/0x000d000000022e10-149.dat	upx
behavioral2/memory/4800-150-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4624-151-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000a000000022e1e-152.dat	upx
behavioral2/files/0x000d000000022e10-154.dat	upx
behavioral2/memory/4692-155-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4820-156-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000b000000022e1e-157.dat	upx
behavioral2/files/0x000d000000022e10-159.dat	upx
behavioral2/memory/968-160-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4800-161-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000c000000022e1e-162.dat	upx
behavioral2/files/0x000d000000022e10-164.dat	upx
behavioral2/memory/2980-165-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4692-166-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e20-167.dat	upx
behavioral2/files/0x000d000000022e10-169.dat	upx
behavioral2/memory/812-170-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/968-171-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0007000000022e20-172.dat	upx
behavioral2/files/0x0007000000022e20-174.dat	upx
behavioral2/memory/4440-175-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0007000000022e20-177.dat	upx
behavioral2/memory/3980-178-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e10-180.dat	upx
behavioral2/memory/2980-181-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2636-182-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e10-184.dat	upx
behavioral2/files/0x0007000000022e20-186.dat	upx
behavioral2/memory/228-187-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1076-188-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e10-190.dat	upx
behavioral2/memory/812-191-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2668-192-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e10-194.dat	upx
behavioral2/memory/4080-195-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0007000000022e20-197.dat	upx
behavioral2/memory/776-198-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e10-200.dat	upx
behavioral2/files/0x000d000000022e10-202.dat	upx
behavioral2/memory/4440-203-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3688-204-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4908-205-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e10-207.dat	upx
behavioral2/memory/3980-208-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3580-209-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e10-211.dat	upx
behavioral2/memory/2636-212-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4160-213-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0007000000022e20-215.dat	upx
behavioral2/memory/3200-216-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\k:	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\w:	smss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rrpahaoxtk\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wsfojsnurq\explorer.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe
2036	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe
3908	explorer.exe
3908	explorer.exe
4624	explorer.exe
4624	explorer.exe
4820	explorer.exe
4820	explorer.exe
4800	explorer.exe
4800	explorer.exe
4692	explorer.exe
4692	explorer.exe
968	explorer.exe
968	explorer.exe
2980	explorer.exe
2980	explorer.exe
812	explorer.exe
812	explorer.exe
4440	smss.exe
4440	smss.exe
3980	smss.exe
3980	smss.exe
2636	explorer.exe
2636	explorer.exe
228	explorer.exe
228	explorer.exe
1076	smss.exe
1076	smss.exe
2668	explorer.exe
2668	explorer.exe
4080	explorer.exe
4080	explorer.exe
776	smss.exe
776	smss.exe
3688	explorer.exe
3688	explorer.exe
4908	explorer.exe
4908	explorer.exe
3580	explorer.exe
3580	explorer.exe
4160	explorer.exe
4160	explorer.exe
3200	smss.exe
3200	smss.exe
548	explorer.exe
548	explorer.exe
1776	explorer.exe
1776	explorer.exe
2336	explorer.exe
2336	explorer.exe
1016	explorer.exe
1016	explorer.exe
4196	explorer.exe
4196	explorer.exe
1328	smss.exe
1328	smss.exe
1892	explorer.exe
1892	explorer.exe
3756	explorer.exe
3756	explorer.exe
1556	explorer.exe
1556	explorer.exe
3476	explorer.exe
3476	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2036	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe
Token: SeLoadDriverPrivilege	3908	explorer.exe
Token: SeLoadDriverPrivilege	4624	explorer.exe
Token: SeLoadDriverPrivilege	4820	explorer.exe
Token: SeLoadDriverPrivilege	4800	explorer.exe
Token: SeLoadDriverPrivilege	4692	explorer.exe
Token: SeLoadDriverPrivilege	968	explorer.exe
Token: SeLoadDriverPrivilege	2980	explorer.exe
Token: SeLoadDriverPrivilege	812	explorer.exe
Token: SeLoadDriverPrivilege	4440	smss.exe
Token: SeLoadDriverPrivilege	3980	smss.exe
Token: SeLoadDriverPrivilege	2636	explorer.exe
Token: SeLoadDriverPrivilege	228	explorer.exe
Token: SeLoadDriverPrivilege	1076	smss.exe
Token: SeLoadDriverPrivilege	2668	explorer.exe
Token: SeLoadDriverPrivilege	4080	explorer.exe
Token: SeLoadDriverPrivilege	776	smss.exe
Token: SeLoadDriverPrivilege	3688	explorer.exe
Token: SeLoadDriverPrivilege	4908	explorer.exe
Token: SeLoadDriverPrivilege	3580	explorer.exe
Token: SeLoadDriverPrivilege	4160	explorer.exe
Token: SeLoadDriverPrivilege	3200	smss.exe
Token: SeLoadDriverPrivilege	548	explorer.exe
Token: SeLoadDriverPrivilege	1776	explorer.exe
Token: SeLoadDriverPrivilege	2336	explorer.exe
Token: SeLoadDriverPrivilege	1016	explorer.exe
Token: SeLoadDriverPrivilege	4196	explorer.exe
Token: SeLoadDriverPrivilege	1328	smss.exe
Token: SeLoadDriverPrivilege	1892	explorer.exe
Token: SeLoadDriverPrivilege	3756	explorer.exe
Token: SeLoadDriverPrivilege	1556	explorer.exe
Token: SeLoadDriverPrivilege	3476	explorer.exe
Token: SeLoadDriverPrivilege	1432	explorer.exe
Token: SeLoadDriverPrivilege	5012	explorer.exe
Token: SeLoadDriverPrivilege	4740	smss.exe
Token: SeLoadDriverPrivilege	1204	explorer.exe
Token: SeLoadDriverPrivilege	864	explorer.exe
Token: SeLoadDriverPrivilege	2572	explorer.exe
Token: SeLoadDriverPrivilege	3512	explorer.exe
Token: SeLoadDriverPrivilege	1096	explorer.exe
Token: SeLoadDriverPrivilege	4056	explorer.exe
Token: SeLoadDriverPrivilege	5060	smss.exe
Token: SeLoadDriverPrivilege	4920	explorer.exe
Token: SeLoadDriverPrivilege	5072	explorer.exe
Token: SeLoadDriverPrivilege	1352	explorer.exe
Token: SeLoadDriverPrivilege	728	explorer.exe
Token: SeLoadDriverPrivilege	1884	explorer.exe
Token: SeLoadDriverPrivilege	4836	explorer.exe
Token: SeLoadDriverPrivilege	1028	explorer.exe
Token: SeLoadDriverPrivilege	4052	explorer.exe
Token: SeLoadDriverPrivilege	5112	explorer.exe
Token: SeLoadDriverPrivilege	4756	smss.exe
Token: SeLoadDriverPrivilege	4888	explorer.exe
Token: SeLoadDriverPrivilege	4868	explorer.exe
Token: SeLoadDriverPrivilege	5016	explorer.exe
Token: SeLoadDriverPrivilege	4768	explorer.exe
Token: SeLoadDriverPrivilege	1980	explorer.exe
Token: SeLoadDriverPrivilege	1844	smss.exe
Token: SeLoadDriverPrivilege	4964	explorer.exe
Token: SeLoadDriverPrivilege	5064	explorer.exe
Token: SeLoadDriverPrivilege	2288	smss.exe
Token: SeLoadDriverPrivilege	1392	explorer.exe
Token: SeLoadDriverPrivilege	3368	explorer.exe
Token: SeLoadDriverPrivilege	444	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 3908	2036	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe	81
PID 2036 wrote to memory of 3908	2036	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe	81
PID 2036 wrote to memory of 3908	2036	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe	81
PID 3908 wrote to memory of 4624	3908	explorer.exe	82
PID 3908 wrote to memory of 4624	3908	explorer.exe	82
PID 3908 wrote to memory of 4624	3908	explorer.exe	82
PID 4624 wrote to memory of 4820	4624	explorer.exe	83
PID 4624 wrote to memory of 4820	4624	explorer.exe	83
PID 4624 wrote to memory of 4820	4624	explorer.exe	83
PID 4820 wrote to memory of 4800	4820	explorer.exe	84
PID 4820 wrote to memory of 4800	4820	explorer.exe	84
PID 4820 wrote to memory of 4800	4820	explorer.exe	84
PID 4800 wrote to memory of 4692	4800	explorer.exe	85
PID 4800 wrote to memory of 4692	4800	explorer.exe	85
PID 4800 wrote to memory of 4692	4800	explorer.exe	85
PID 4692 wrote to memory of 968	4692	explorer.exe	86
PID 4692 wrote to memory of 968	4692	explorer.exe	86
PID 4692 wrote to memory of 968	4692	explorer.exe	86
PID 968 wrote to memory of 2980	968	explorer.exe	88
PID 968 wrote to memory of 2980	968	explorer.exe	88
PID 968 wrote to memory of 2980	968	explorer.exe	88
PID 2980 wrote to memory of 812	2980	explorer.exe	89
PID 2980 wrote to memory of 812	2980	explorer.exe	89
PID 2980 wrote to memory of 812	2980	explorer.exe	89
PID 2036 wrote to memory of 4440	2036	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe	90
PID 2036 wrote to memory of 4440	2036	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe	90
PID 2036 wrote to memory of 4440	2036	4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe	90
PID 3908 wrote to memory of 3980	3908	explorer.exe	91
PID 3908 wrote to memory of 3980	3908	explorer.exe	91
PID 3908 wrote to memory of 3980	3908	explorer.exe	91
PID 812 wrote to memory of 2636	812	explorer.exe	92
PID 812 wrote to memory of 2636	812	explorer.exe	92
PID 812 wrote to memory of 2636	812	explorer.exe	92
PID 4440 wrote to memory of 228	4440	smss.exe	93
PID 4440 wrote to memory of 228	4440	smss.exe	93
PID 4440 wrote to memory of 228	4440	smss.exe	93
PID 4624 wrote to memory of 1076	4624	explorer.exe	94
PID 4624 wrote to memory of 1076	4624	explorer.exe	94
PID 4624 wrote to memory of 1076	4624	explorer.exe	94
PID 3980 wrote to memory of 2668	3980	smss.exe	95
PID 3980 wrote to memory of 2668	3980	smss.exe	95
PID 3980 wrote to memory of 2668	3980	smss.exe	95
PID 2636 wrote to memory of 4080	2636	explorer.exe	96
PID 2636 wrote to memory of 4080	2636	explorer.exe	96
PID 2636 wrote to memory of 4080	2636	explorer.exe	96
PID 4820 wrote to memory of 776	4820	explorer.exe	97
PID 4820 wrote to memory of 776	4820	explorer.exe	97
PID 4820 wrote to memory of 776	4820	explorer.exe	97
PID 228 wrote to memory of 3688	228	explorer.exe	98
PID 228 wrote to memory of 3688	228	explorer.exe	98
PID 228 wrote to memory of 3688	228	explorer.exe	98
PID 1076 wrote to memory of 4908	1076	smss.exe	99
PID 1076 wrote to memory of 4908	1076	smss.exe	99
PID 1076 wrote to memory of 4908	1076	smss.exe	99
PID 2668 wrote to memory of 3580	2668	explorer.exe	100
PID 2668 wrote to memory of 3580	2668	explorer.exe	100
PID 2668 wrote to memory of 3580	2668	explorer.exe	100
PID 4080 wrote to memory of 4160	4080	explorer.exe	101
PID 4080 wrote to memory of 4160	4080	explorer.exe	101
PID 4080 wrote to memory of 4160	4080	explorer.exe	101
PID 4800 wrote to memory of 3200	4800	explorer.exe	102
PID 4800 wrote to memory of 3200	4800	explorer.exe	102
PID 4800 wrote to memory of 3200	4800	explorer.exe	102
PID 776 wrote to memory of 548	776	smss.exe	103

C:\Users\Admin\AppData\Local\Temp\4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe
"C:\Users\Admin\AppData\Local\Temp\4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139.exe"
1⤵
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
  C:\Windows\system32\wsfojsnurq\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
    C:\Windows\system32\wsfojsnurq\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
      C:\Windows\system32\wsfojsnurq\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4820
    - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:812
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5012
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        Drops file in System32 directory
        
        PID:5524
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        23⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        24⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        25⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        26⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        27⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        28⤵
        
        PID:16116
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        23⤵
        
        PID:18180
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        22⤵
        
        PID:15516
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        23⤵
        
        PID:18720
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        21⤵
        
        PID:13288
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15588
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        20⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12424
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15764
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        19⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12472
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15868
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        23⤵
        
        PID:18828
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        18⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12480
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15812
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12392
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15756
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        Drops file in System32 directory
        
        PID:6720
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:7372
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:968
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15968
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:18332
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:7388
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15884
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        23⤵
        
        PID:18820
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:18324
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18728
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15780
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        23⤵
        
        PID:18792
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:18308
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:15420
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:13164
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15548
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18776
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5384
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:8240
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:9668
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12488
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15832
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:18292
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:14788
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13188
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15476
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        
        PID:420
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:6688
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:10668
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12376
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15736
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:18300
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:15368
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:13104
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15396
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:11252
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13172
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15540
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:5252
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13180
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15556
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18768
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        Executes dropped EXE
        
        PID:5080
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:996
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:16004
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        23⤵
        
        PID:19036
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:18284
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:15484
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15604
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13232
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15532
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:12388
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15744
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9588
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15564
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:3164
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:5300
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12468
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:18316
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:15232
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18712
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13096
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15448
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13268
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15596
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9536
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:11228
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13056
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:896
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:12960
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:14956
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:17844
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:15048
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18024
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:12676
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15176
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:10916
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:12736
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15256
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:12788
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15272
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9268
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:12968
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18688
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:11092
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:12900
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18244
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7184
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9332
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:14900
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:17776
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:7648
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:10004
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:13444
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:16180
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:18580
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:15692
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15824
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18804
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:5452
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13196
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15900
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18812
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16012
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9868
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13412
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16084
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:7512
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:8408
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16092
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9896
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11356
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13404
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16124
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:18408
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:8368
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:4196
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16024
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:18416
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:15504
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:1072
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:5492
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:11496
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:13512
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:16224
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        17⤵
        
        PID:18572
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:15788
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18760
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15908
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:1036
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13208
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16032
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15892
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:18836
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13384
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16108
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:8484
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9948
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13480
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16172
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7584
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11336
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13376
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16100
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:18392
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13488
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16232
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:18384
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:15652
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:18696
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:5460
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8464
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11436
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13468
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16164
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:18400
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:15620
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:18704
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:15800
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:728
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:216
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7088
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:7884
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:13864
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:16484
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:13744
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13784
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13768
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16380
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13776
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7836
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13824
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:728
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:19084
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:6140
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13848
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16436
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:19076
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7016
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13708
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:18680
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:16292
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:16332
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:4048
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:13700
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:15708
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:18656
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:16312
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:16360
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:11656
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:13652
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:4920
    - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3756
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:440
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:5692
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:16944
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:16492
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:14000
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16624
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        
        PID:11952
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14028
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16632
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16676
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14172
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16812
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16780
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7940
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8960
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:12048
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14160
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16804
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7928
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9000
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10152
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14260
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16820
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:16404
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:5964
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9016
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14296
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16772
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:16428
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:13924
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:16524
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:604
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10044
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16712
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:13872
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:16508
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:13968
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:16580
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7148
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8920
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11988
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14040
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:16640
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:13880
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:16460
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:13976
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:16564
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:4620
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:16532
  - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
      C:\Windows\system32\rrpahaoxtk\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:596
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5168
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:7820
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:10612
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:14776
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        22⤵
        
        PID:17648
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:14412
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14664
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:17500
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:10448
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14632
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:17460
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:4892
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:17632
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:4252
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12312
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14708
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:17640
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14716
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:424
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8608
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14444
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:17048
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17016
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14624
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17040
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17400
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7360
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:17276
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17008
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17264
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14240
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:1584
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:4900
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:5076
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14536
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:560
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17024
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17120
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14144
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17392
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17360
    - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        5⤵
        
        PID:3712
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8848
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:4968
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14596
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17080
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:13956
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17196
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14324
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:4840
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:1268
- - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
    C:\Windows\system32\rrpahaoxtk\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3980
  - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
      C:\Windows\system32\wsfojsnurq\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4052
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:11120
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:12980
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        16⤵
        
        PID:17804
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:15020
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:18088
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        
        PID:12628
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:15068
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12692
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:15160
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:376
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12744
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:15248
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:880
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10932
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12724
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:15264
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:18228
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:11068
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:12880
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:18268
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7780
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:11080
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:14864
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:18552
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17684
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:6044
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:316
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10956
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:15280
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:18276
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17588
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:14856
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17712
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:6496
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:11012
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:15336
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:18236
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17668
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:14908
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14916
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:18056
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:12836
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:15352
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:18220
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17596
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:14832
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17752
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:12504
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14924
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:18080
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:15004
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:7424
    - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        5⤵
        
        PID:4972
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:6072
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6488
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12892
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:18260
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17676
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:18064
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:12532
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14940
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:18048
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:15056
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:18072
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:12644
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:15076
  - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
      C:\Windows\system32\rrpahaoxtk\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2288
    - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        5⤵
        
        PID:4216
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:5192
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:4940
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:15168
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:18212
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:17576
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:14868
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17720
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:12496
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14932
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:18040
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:12580
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14988
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:18032
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14980
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:17428
    - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:8060
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:10776
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:12564
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:14996
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:4696
- C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
  C:\Windows\system32\rrpahaoxtk\smss.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
    C:\Windows\system32\wsfojsnurq\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
      C:\Windows\system32\wsfojsnurq\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3688
    - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        16⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        17⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:10472
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        19⤵
        
        PID:12296
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        20⤵
        
        PID:14724
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        21⤵
        
        PID:17624
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        15⤵
        
        PID:17168
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        14⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:16904
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        13⤵
        
        PID:11932
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14344
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:16940
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:10256
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:11940
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14380
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        11⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14560
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:17480
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        10⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14528
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:4404
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:12172
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14612
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:17440
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:16984
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:5788
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:8584
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:16920
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:13576
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17180
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:3504
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14424
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:16928
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17220
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:13964
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17232
    - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        5⤵
        
        PID:4788
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:11948
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14436
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:16912
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:13584
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17064
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:13996
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17248
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:10184
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17380
  - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
      C:\Windows\system32\rrpahaoxtk\smss.exe
      4⤵
      PID:3968
    - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        5⤵
        
        PID:3708
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14452
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:16976
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17256
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:3828
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        
        PID:740
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6940
    - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        5⤵
        
        PID:9128
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:2556
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17340
- - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
    C:\Windows\system32\rrpahaoxtk\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
  - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
      C:\Windows\system32\wsfojsnurq\explorer.exe
      4⤵
      PID:2020
    - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        5⤵
        
        PID:2292
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        10⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        11⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        12⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        13⤵
        
        PID:11676
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        14⤵
        
        PID:14168
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        15⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        9⤵
        
        PID:16884
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        8⤵
        
        PID:13560
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17112
        
        C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        7⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17132
      - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        6⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:13628
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17140
    - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
        
        C:\Windows\system32\rrpahaoxtk\smss.exe
        5⤵
        
        PID:9096
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17148
  - - C:\Windows\SysWOW64\rrpahaoxtk\smss.exe
      C:\Windows\system32\rrpahaoxtk\smss.exe
      4⤵
      Enumerates connected drives
      PID:8100
    - - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        5⤵
        
        PID:9112
      - C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        6⤵
        Drops file in System32 directory
        
        PID:10212
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        7⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        8⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\wsfojsnurq\explorer.exe
        
        C:\Windows\system32\wsfojsnurq\explorer.exe
        9⤵
        
        PID:17108

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\rrpahaoxtk\smss.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
C:\Windows\SysWOW64\wsfojsnurq\explorer.exe

Filesize
83KB

MD5
018983f5006f7b26c7f2d52eca2f3aed

SHA1
26e0a342bc6e6ba102777d0d3a1ccb58c7239e54

SHA256
4872e2a1e82f610bfce408c75db571a31d64133febfc4a3f49b2b4c679b7e139

SHA512
dbb7f549280707009278dab8aa005e7428b679a8f3ba89adc71d0386a1000f56b71c62774e01d1857f3c09b2f65fc53d64abb54069c8afdf3212764021c323e6

Download Submit
memory/228-187-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/228-224-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/548-274-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/548-219-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/776-244-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/776-198-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/812-191-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/812-170-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/864-271-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/968-171-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/968-160-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1016-231-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1076-188-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1076-225-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1204-267-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1328-238-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1432-257-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1556-252-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1776-226-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1776-280-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1892-241-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2036-142-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2036-132-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2336-227-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2336-281-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2572-275-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2636-182-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2636-212-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2668-192-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2668-230-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2980-181-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2980-165-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3200-270-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3200-216-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3476-253-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3512-282-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3580-209-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3580-256-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3688-204-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3688-250-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3756-245-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3908-146-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3908-136-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3980-208-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3980-178-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4080-236-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4080-195-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4160-264-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4160-213-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4196-237-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4440-175-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4440-203-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4624-140-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4624-151-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4692-155-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4692-166-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4740-266-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4800-161-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4800-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4820-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4820-145-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4908-205-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4908-251-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5012-265-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download