c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

Analysis

max time kernel
135s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
Size

80KB
MD5

835a528f479be475f428c43bd7eabba1
SHA1

49131ec477f0d73cd98c54ec99f4642dba32d6e1
SHA256

c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960
SHA512

6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279
SSDEEP

1536:BnKZViWUC/JV16uXKTVXxs7djVBM5DPQ5ge:B0ViWhz161TE7dVeNPXe

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1644	explorer.exe
1076	explorer.exe
2036	explorer.exe
1696	explorer.exe
1208	explorer.exe
1532	smss.exe
1212	explorer.exe
1920	smss.exe
1104	explorer.exe
668	smss.exe
1500	explorer.exe
1676	explorer.exe
1668	explorer.exe
828	smss.exe
1720	explorer.exe
1572	explorer.exe
1956	explorer.exe
1652	explorer.exe
1736	smss.exe
832	explorer.exe
280	explorer.exe
1824	explorer.exe
1700	explorer.exe
1724	explorer.exe
1984	smss.exe
1276	explorer.exe
1096	explorer.exe
1812	smss.exe
1440	explorer.exe
2012	explorer.exe
620	explorer.exe
1400	explorer.exe
1528	smss.exe
1460	explorer.exe
1644	explorer.exe
1912	smss.exe
1448	explorer.exe
1396	explorer.exe
924	smss.exe
1608	explorer.exe
1536	explorer.exe
1556	explorer.exe
1252	explorer.exe
1992	smss.exe
2068	smss.exe
2096	explorer.exe
2088	explorer.exe
2112	explorer.exe
2212	smss.exe
2228	explorer.exe
2204	explorer.exe
2304	explorer.exe
2324	explorer.exe
2336	smss.exe
2384	explorer.exe
2376	explorer.exe
2480	explorer.exe
2516	smss.exe
2548	explorer.exe
2596	smss.exe
2608	explorer.exe
2636	explorer.exe
2656	smss.exe
2684	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1660-55-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000900000001318e-56.dat	upx
behavioral1/files/0x000900000001318e-57.dat	upx
behavioral1/files/0x000900000001318e-59.dat	upx
behavioral1/memory/1644-62-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000900000001318e-63.dat	upx
behavioral1/files/0x000800000001339d-64.dat	upx
behavioral1/files/0x000900000001318e-65.dat	upx
behavioral1/files/0x000900000001318e-66.dat	upx
behavioral1/files/0x000900000001318e-68.dat	upx
behavioral1/memory/1076-71-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000900000001339d-72.dat	upx
behavioral1/files/0x000900000001318e-73.dat	upx
behavioral1/files/0x000900000001318e-74.dat	upx
behavioral1/files/0x000900000001318e-76.dat	upx
behavioral1/memory/1660-78-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2036-80-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1644-81-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000a00000001339d-82.dat	upx
behavioral1/files/0x000900000001318e-83.dat	upx
behavioral1/files/0x000900000001318e-84.dat	upx
behavioral1/files/0x000900000001318e-86.dat	upx
behavioral1/memory/1696-89-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1076-90-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000b00000001339d-91.dat	upx
behavioral1/files/0x000900000001318e-92.dat	upx
behavioral1/files/0x000900000001318e-93.dat	upx
behavioral1/files/0x000900000001318e-95.dat	upx
behavioral1/memory/1208-98-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000c00000001339d-99.dat	upx
behavioral1/files/0x000c00000001339d-100.dat	upx
behavioral1/files/0x000c00000001339d-103.dat	upx
behavioral1/files/0x000c00000001339d-101.dat	upx
behavioral1/memory/1532-106-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/2036-107-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000900000001318e-108.dat	upx
behavioral1/files/0x000900000001318e-109.dat	upx
behavioral1/files/0x000900000001318e-111.dat	upx
behavioral1/files/0x000c00000001339d-113.dat	upx
behavioral1/files/0x000c00000001339d-114.dat	upx
behavioral1/files/0x000c00000001339d-116.dat	upx
behavioral1/memory/1920-120-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1212-119-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000900000001318e-124.dat	upx
behavioral1/files/0x000900000001318e-122.dat	upx
behavioral1/files/0x000900000001318e-121.dat	upx
behavioral1/memory/1696-126-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1104-128-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000c00000001339d-129.dat	upx
behavioral1/files/0x000c00000001339d-130.dat	upx
behavioral1/files/0x000c00000001339d-132.dat	upx
behavioral1/files/0x000900000001318e-134.dat	upx
behavioral1/files/0x000900000001318e-136.dat	upx
behavioral1/files/0x000900000001318e-138.dat	upx
behavioral1/memory/668-139-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000900000001318e-141.dat	upx
behavioral1/files/0x000900000001318e-142.dat	upx
behavioral1/files/0x000900000001318e-144.dat	upx
behavioral1/memory/1208-147-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1676-150-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/memory/1500-149-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral1/files/0x000900000001318e-151.dat	upx
behavioral1/files/0x000900000001318e-152.dat	upx
behavioral1/files/0x000900000001318e-154.dat	upx

Loads dropped DLL 64 IoCs

pid	Process
1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
1644	explorer.exe
1644	explorer.exe
1076	explorer.exe
1076	explorer.exe
2036	explorer.exe
2036	explorer.exe
1696	explorer.exe
1696	explorer.exe
1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
1208	explorer.exe
1208	explorer.exe
1644	explorer.exe
1644	explorer.exe
1532	smss.exe
1532	smss.exe
1076	explorer.exe
1076	explorer.exe
1212	explorer.exe
1212	explorer.exe
1920	smss.exe
1920	smss.exe
1104	explorer.exe
1104	explorer.exe
2036	explorer.exe
2036	explorer.exe
668	smss.exe
668	smss.exe
1500	explorer.exe
1500	explorer.exe
1676	explorer.exe
1676	explorer.exe
1668	explorer.exe
1668	explorer.exe
1696	explorer.exe
1696	explorer.exe
828	smss.exe
828	smss.exe
1720	explorer.exe
1720	explorer.exe
1572	explorer.exe
1572	explorer.exe
1956	explorer.exe
1956	explorer.exe
1652	explorer.exe
1652	explorer.exe
1208	explorer.exe
1208	explorer.exe
1736	smss.exe
1736	smss.exe
832	explorer.exe
832	explorer.exe
1532	smss.exe
1532	smss.exe
280	explorer.exe
1824	explorer.exe
280	explorer.exe
1824	explorer.exe
1700	explorer.exe
1700	explorer.exe
1724	explorer.exe
1724	explorer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\n:	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\g:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\irylnvgdrr\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\lueixldbay\explorer.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
1644	explorer.exe
1076	explorer.exe
2036	explorer.exe
1696	explorer.exe
1208	explorer.exe
1532	smss.exe
1212	explorer.exe
1920	smss.exe
1104	explorer.exe
668	smss.exe
1500	explorer.exe
1676	explorer.exe
1668	explorer.exe
828	smss.exe
1720	explorer.exe
1572	explorer.exe
1956	explorer.exe
1652	explorer.exe
1736	smss.exe
832	explorer.exe
280	explorer.exe
1824	explorer.exe
1700	explorer.exe
1724	explorer.exe
1984	smss.exe
1276	explorer.exe
1096	explorer.exe
1812	smss.exe
1440	explorer.exe
2012	explorer.exe
620	explorer.exe
1400	explorer.exe
1528	smss.exe
1644	explorer.exe
1460	explorer.exe
1912	smss.exe
1448	explorer.exe
1396	explorer.exe
924	smss.exe
1608	explorer.exe
1536	explorer.exe
1556	explorer.exe
1252	explorer.exe
1992	smss.exe
2068	smss.exe
2088	explorer.exe
2096	explorer.exe
2112	explorer.exe
2228	explorer.exe
2212	smss.exe
2204	explorer.exe
2304	explorer.exe
2324	explorer.exe
2336	smss.exe
2376	explorer.exe
2384	explorer.exe
2480	explorer.exe
2516	smss.exe
2548	explorer.exe
2608	explorer.exe
2596	smss.exe
2636	explorer.exe
2656	smss.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
Token: SeLoadDriverPrivilege	1644	explorer.exe
Token: SeLoadDriverPrivilege	1076	explorer.exe
Token: SeLoadDriverPrivilege	2036	explorer.exe
Token: SeLoadDriverPrivilege	1696	explorer.exe
Token: SeLoadDriverPrivilege	1208	explorer.exe
Token: SeLoadDriverPrivilege	1532	smss.exe
Token: SeLoadDriverPrivilege	1212	explorer.exe
Token: SeLoadDriverPrivilege	1920	smss.exe
Token: SeLoadDriverPrivilege	1104	explorer.exe
Token: SeLoadDriverPrivilege	668	smss.exe
Token: SeLoadDriverPrivilege	1500	explorer.exe
Token: SeLoadDriverPrivilege	1676	explorer.exe
Token: SeLoadDriverPrivilege	1668	explorer.exe
Token: SeLoadDriverPrivilege	828	smss.exe
Token: SeLoadDriverPrivilege	1720	explorer.exe
Token: SeLoadDriverPrivilege	1572	explorer.exe
Token: SeLoadDriverPrivilege	1956	explorer.exe
Token: SeLoadDriverPrivilege	1652	explorer.exe
Token: SeLoadDriverPrivilege	1736	smss.exe
Token: SeLoadDriverPrivilege	832	explorer.exe
Token: SeLoadDriverPrivilege	280	explorer.exe
Token: SeLoadDriverPrivilege	1824	explorer.exe
Token: SeLoadDriverPrivilege	1700	explorer.exe
Token: SeLoadDriverPrivilege	1724	explorer.exe
Token: SeLoadDriverPrivilege	1984	smss.exe
Token: SeLoadDriverPrivilege	1276	explorer.exe
Token: SeLoadDriverPrivilege	1096	explorer.exe
Token: SeLoadDriverPrivilege	1812	smss.exe
Token: SeLoadDriverPrivilege	1440	explorer.exe
Token: SeLoadDriverPrivilege	2012	explorer.exe
Token: SeLoadDriverPrivilege	620	explorer.exe
Token: SeLoadDriverPrivilege	1400	explorer.exe
Token: SeLoadDriverPrivilege	1528	smss.exe
Token: SeLoadDriverPrivilege	1644	explorer.exe
Token: SeLoadDriverPrivilege	1460	explorer.exe
Token: SeLoadDriverPrivilege	1912	smss.exe
Token: SeLoadDriverPrivilege	1448	explorer.exe
Token: SeLoadDriverPrivilege	1396	explorer.exe
Token: SeLoadDriverPrivilege	924	smss.exe
Token: SeLoadDriverPrivilege	1608	explorer.exe
Token: SeLoadDriverPrivilege	1536	explorer.exe
Token: SeLoadDriverPrivilege	1556	explorer.exe
Token: SeLoadDriverPrivilege	1252	explorer.exe
Token: SeLoadDriverPrivilege	1992	smss.exe
Token: SeLoadDriverPrivilege	2068	smss.exe
Token: SeLoadDriverPrivilege	2088	explorer.exe
Token: SeLoadDriverPrivilege	2096	explorer.exe
Token: SeLoadDriverPrivilege	2112	explorer.exe
Token: SeLoadDriverPrivilege	2228	explorer.exe
Token: SeLoadDriverPrivilege	2212	smss.exe
Token: SeLoadDriverPrivilege	2204	explorer.exe
Token: SeLoadDriverPrivilege	2304	explorer.exe
Token: SeLoadDriverPrivilege	2324	explorer.exe
Token: SeLoadDriverPrivilege	2336	smss.exe
Token: SeLoadDriverPrivilege	2376	explorer.exe
Token: SeLoadDriverPrivilege	2384	explorer.exe
Token: SeLoadDriverPrivilege	2480	explorer.exe
Token: SeLoadDriverPrivilege	2516	smss.exe
Token: SeLoadDriverPrivilege	2548	explorer.exe
Token: SeLoadDriverPrivilege	2608	explorer.exe
Token: SeLoadDriverPrivilege	2596	smss.exe
Token: SeLoadDriverPrivilege	2636	explorer.exe
Token: SeLoadDriverPrivilege	2656	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 1644	1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe	28
PID 1660 wrote to memory of 1644	1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe	28
PID 1660 wrote to memory of 1644	1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe	28
PID 1660 wrote to memory of 1644	1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe	28
PID 1644 wrote to memory of 1076	1644	explorer.exe	29
PID 1644 wrote to memory of 1076	1644	explorer.exe	29
PID 1644 wrote to memory of 1076	1644	explorer.exe	29
PID 1644 wrote to memory of 1076	1644	explorer.exe	29
PID 1076 wrote to memory of 2036	1076	explorer.exe	30
PID 1076 wrote to memory of 2036	1076	explorer.exe	30
PID 1076 wrote to memory of 2036	1076	explorer.exe	30
PID 1076 wrote to memory of 2036	1076	explorer.exe	30
PID 2036 wrote to memory of 1696	2036	explorer.exe	31
PID 2036 wrote to memory of 1696	2036	explorer.exe	31
PID 2036 wrote to memory of 1696	2036	explorer.exe	31
PID 2036 wrote to memory of 1696	2036	explorer.exe	31
PID 1696 wrote to memory of 1208	1696	explorer.exe	32
PID 1696 wrote to memory of 1208	1696	explorer.exe	32
PID 1696 wrote to memory of 1208	1696	explorer.exe	32
PID 1696 wrote to memory of 1208	1696	explorer.exe	32
PID 1660 wrote to memory of 1532	1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe	33
PID 1660 wrote to memory of 1532	1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe	33
PID 1660 wrote to memory of 1532	1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe	33
PID 1660 wrote to memory of 1532	1660	c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe	33
PID 1208 wrote to memory of 1212	1208	explorer.exe	34
PID 1208 wrote to memory of 1212	1208	explorer.exe	34
PID 1208 wrote to memory of 1212	1208	explorer.exe	34
PID 1208 wrote to memory of 1212	1208	explorer.exe	34
PID 1644 wrote to memory of 1920	1644	explorer.exe	35
PID 1644 wrote to memory of 1920	1644	explorer.exe	35
PID 1644 wrote to memory of 1920	1644	explorer.exe	35
PID 1644 wrote to memory of 1920	1644	explorer.exe	35
PID 1532 wrote to memory of 1104	1532	smss.exe	36
PID 1532 wrote to memory of 1104	1532	smss.exe	36
PID 1532 wrote to memory of 1104	1532	smss.exe	36
PID 1532 wrote to memory of 1104	1532	smss.exe	36
PID 1076 wrote to memory of 668	1076	explorer.exe	37
PID 1076 wrote to memory of 668	1076	explorer.exe	37
PID 1076 wrote to memory of 668	1076	explorer.exe	37
PID 1076 wrote to memory of 668	1076	explorer.exe	37
PID 1212 wrote to memory of 1500	1212	explorer.exe	38
PID 1212 wrote to memory of 1500	1212	explorer.exe	38
PID 1212 wrote to memory of 1500	1212	explorer.exe	38
PID 1212 wrote to memory of 1500	1212	explorer.exe	38
PID 1920 wrote to memory of 1676	1920	smss.exe	39
PID 1920 wrote to memory of 1676	1920	smss.exe	39
PID 1920 wrote to memory of 1676	1920	smss.exe	39
PID 1920 wrote to memory of 1676	1920	smss.exe	39
PID 1104 wrote to memory of 1668	1104	explorer.exe	40
PID 1104 wrote to memory of 1668	1104	explorer.exe	40
PID 1104 wrote to memory of 1668	1104	explorer.exe	40
PID 1104 wrote to memory of 1668	1104	explorer.exe	40
PID 2036 wrote to memory of 828	2036	explorer.exe	41
PID 2036 wrote to memory of 828	2036	explorer.exe	41
PID 2036 wrote to memory of 828	2036	explorer.exe	41
PID 2036 wrote to memory of 828	2036	explorer.exe	41
PID 668 wrote to memory of 1720	668	smss.exe	42
PID 668 wrote to memory of 1720	668	smss.exe	42
PID 668 wrote to memory of 1720	668	smss.exe	42
PID 668 wrote to memory of 1720	668	smss.exe	42
PID 1500 wrote to memory of 1572	1500	explorer.exe	43
PID 1500 wrote to memory of 1572	1500	explorer.exe	43
PID 1500 wrote to memory of 1572	1500	explorer.exe	43
PID 1500 wrote to memory of 1572	1500	explorer.exe	43

C:\Users\Admin\AppData\Local\Temp\c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe
"C:\Users\Admin\AppData\Local\Temp\c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\lueixldbay\explorer.exe
  C:\Windows\system32\lueixldbay\explorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\lueixldbay\explorer.exe
    C:\Windows\system32\lueixldbay\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1076
  - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
      C:\Windows\system32\lueixldbay\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        14⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        15⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:3608
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:3856
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        13⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:3112
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:3728
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        11⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:3136
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:692
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:2500
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:1756
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:3564
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        10⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        10⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        9⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:2676
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:2768
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:2704
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        10⤵
        
        PID:892
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        9⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:4024
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        8⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:3808
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:1988
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2684
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:4104
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        9⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:2172
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        7⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:764
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:3772
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:3984
    - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:2908
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:3312
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        10⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        9⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        8⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:2804
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:4232
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:4292
  - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
      C:\Windows\system32\irylnvgdrr\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        9⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:3096
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:3712
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        7⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:3740
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:1716
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:972
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:3448
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        
        PID:3964
- - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
    C:\Windows\system32\irylnvgdrr\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
      C:\Windows\system32\lueixldbay\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676
    - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:4204
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        9⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        8⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:268
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        7⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:3620
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:3280
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:3256
    - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:2852
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:3336
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        
        PID:4268
  - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
      C:\Windows\system32\irylnvgdrr\smss.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1912
    - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:3380
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        
        PID:4276
    - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        5⤵
        
        PID:4072
- C:\Windows\SysWOW64\irylnvgdrr\smss.exe
  C:\Windows\system32\irylnvgdrr\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\SysWOW64\lueixldbay\explorer.exe
    C:\Windows\system32\lueixldbay\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
      C:\Windows\system32\lueixldbay\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1668
    - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:2436
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        11⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:3188
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        9⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:3544
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:2776
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:3552
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:1676
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:588
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:4000
    - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:3520
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:4016
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        
        PID:4792
  - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
      C:\Windows\system32\irylnvgdrr\smss.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:924
    - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:3972
      - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        6⤵
        
        PID:4812
    - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:3428
- - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
    C:\Windows\system32\irylnvgdrr\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
  - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
      C:\Windows\system32\lueixldbay\explorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1396
    - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
      - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        6⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        7⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        8⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        9⤵
        
        PID:3920
    - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
        
        C:\Windows\system32\irylnvgdrr\smss.exe
        5⤵
        
        PID:3404
  - - C:\Windows\SysWOW64\irylnvgdrr\smss.exe
      C:\Windows\system32\irylnvgdrr\smss.exe
      4⤵
      Drops file in System32 directory
      PID:2592
    - - C:\Windows\SysWOW64\lueixldbay\explorer.exe
        
        C:\Windows\system32\lueixldbay\explorer.exe
        5⤵
        
        PID:3396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
C:\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\irylnvgdrr\smss.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
\Windows\SysWOW64\lueixldbay\explorer.exe

Filesize
80KB

MD5
835a528f479be475f428c43bd7eabba1

SHA1
49131ec477f0d73cd98c54ec99f4642dba32d6e1

SHA256
c17b8841e04f6f7ab4deffa981158e8e33b8b0c02a789d0740560fe65f1ca960

SHA512
6e121332676380d1c53f54bb47738702d2cf7d87451955bedd27a0e0d3a138f4bfd1a0e11dcc5d1d47e15454799f3825220298df49c0f5c951e2d3c084984279

Download Submit
memory/280-211-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/668-139-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/668-204-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/828-165-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/828-234-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/832-205-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1076-90-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1076-79-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/1076-71-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1076-203-0x0000000002190000-0x00000000021EA000-memory.dmp

Filesize
360KB

Download
memory/1076-135-0x0000000002190000-0x00000000021EA000-memory.dmp

Filesize
360KB

Download
memory/1096-233-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1104-192-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1104-128-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1104-157-0x0000000001D80000-0x0000000001DDA000-memory.dmp

Filesize
360KB

Download
memory/1208-118-0x00000000008A0000-0x00000000008FA000-memory.dmp

Filesize
360KB

Download
memory/1208-98-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1208-147-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1212-119-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1212-215-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/1212-183-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1212-148-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/1276-229-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1500-149-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1500-216-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1532-156-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1532-106-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1532-127-0x0000000000330000-0x000000000038A000-memory.dmp

Filesize
360KB

Download
memory/1532-191-0x0000000000330000-0x000000000038A000-memory.dmp

Filesize
360KB

Download
memory/1572-177-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1572-242-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1644-70-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/1644-230-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1644-81-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1644-62-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1652-193-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1660-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp

Filesize
8KB

Download
memory/1660-55-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1660-61-0x0000000000460000-0x00000000004BA000-memory.dmp

Filesize
360KB

Download
memory/1660-105-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/1660-206-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1660-78-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1668-158-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1668-222-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1676-217-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1676-150-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1696-89-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1696-146-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/1696-126-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1696-97-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/1700-219-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1720-241-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1720-176-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1724-223-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1736-199-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1824-212-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1920-120-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1920-184-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1956-218-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/1956-185-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1984-228-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2036-164-0x0000000000580000-0x00000000005DA000-memory.dmp

Filesize
360KB

Download
memory/2036-80-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2036-88-0x0000000000260000-0x00000000002BA000-memory.dmp

Filesize
360KB

Download
memory/2036-107-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download