8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476

Analysis

max time kernel
156s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Size

316KB
MD5

528bcc049158a4bedf27542fcd6c7ff0
SHA1

b08cb396907cc40b5a8b6c645d7ed2cfe7b8328b
SHA256

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476
SHA512

a01a7c7fcd23dcd9214bbe5b4b8662cbecbdab4c6ba50f6a3b86aa013d40ac0e93aaa0853790f8169cfa5f1f339925e7e2b7cca0466cfda94c26f70ba885c130
SSDEEP

6144:i73FQmDBY/K7WAsQ58eOjCM6/UrI35g73FQmDBy/K7WAs:i71QPSIAcGC71QJSI

Score

8^/10

evasion persistence trojan

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

smss.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exesmss.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exelsass.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
1888	smss.exe
4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
2916	lsass.exe
1708	smss.exe
4680	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
5048	lsass.exe
428	smss.exe
4916	smss.exe
372	smss.exe
1044	smss.exe
448	smss.exe
3376	smss.exe
1348	smss.exe
4880	smss.exe
4136	smss.exe
1240	smss.exe
3100	smss.exe
444	smss.exe
1636	smss.exe
1976	smss.exe
3500	smss.exe
3580	smss.exe
4888	smss.exe
4320	smss.exe
1944	smss.exe
2344	smss.exe
1740	smss.exe
1656	smss.exe
3952	smss.exe
3404	smss.exe
1480	smss.exe
3020	smss.exe
4084	smss.exe
3856	smss.exe
1904	smss.exe
4792	smss.exe
4620	smss.exe
4048	smss.exe
4236	smss.exe
3200	smss.exe
5100	smss.exe
1556	smss.exe
4624	smss.exe
1972	smss.exe
2900	smss.exe
2224	smss.exe
4940	smss.exe
4584	smss.exe
4536	smss.exe
1424	smss.exe
3244	smss.exe
1008	smss.exe
4180	smss.exe
3808	smss.exe
4260	smss.exe
1860	smss.exe
2348	smss.exe
4228	smss.exe
1564	smss.exe
2292	smss.exe
4276	smss.exe
100	smss.exe
4188	smss.exe
4956	smss.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exelsass.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	lsass.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2340 regsvr32.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

lsass.exe

description ioc process

Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN lsass.exe

pid	process
2340	regsvr32.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN	lsass.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exelsass.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	lsass.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

lsass.exe

description ioc process

File opened (read-only) \??\E: lsass.exe

description	ioc	process
File opened (read-only)	\??\E:	lsass.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

lsass.exe

description	ioc	process
File opened for modification	C:\AUTORUN.INF	lsass.exe
File created	C:\AUTORUN.INF	lsass.exe
File opened for modification	D:\AUTORUN.INF	lsass.exe
File opened for modification	\??\E:\AUTORUN.INF	lsass.exe

Drops file in System32 directory 13 IoCs

Processes:

lsass.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\com\bak	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\lsass.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe
File created	C:\Windows\SysWOW64\com\netcfg.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
File created	C:\Windows\SysWOW64\com\smss.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
File opened for modification	C:\Windows\SysWOW64\com\smss.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
File opened for modification	C:\Windows\SysWOW64\com\netcfg.000	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

regsvr32.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute\server\ = "sndrec32.exe"	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ProgID\ = "IFOBJ.IfObjCtrl.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdExecute	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{450EC9C4-0F7F-407F-B084-D1147FE9DDCC}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\FLAGS\ = "2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ = "_DIfObjEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ = "IfObj Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\ = "ifObj ActiveX Control module"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\ = "IfObj Control"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll, 1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ = "_DIfObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IFOBJ.IfObjCtrl.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control\	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2D96C4BF-8DCA-4A97-A24A-896FF841AE2D}\TypeLib\ = "{814293BA-8708-42E9-A6B7-1BD3172B9DDF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D9901239-34A2-448D-A000-3705544ECE9D}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SoundRec\protocol\StdFileEditing\server\ = "sndrec32.exe"	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{814293BA-8708-42E9-A6B7-1BD3172B9DDF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\com\\netcfg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AAC17985-187F-4457-A841-E60BAE6359C2}	regsvr32.exe

Suspicious use of SetWindowsHookEx 17 IoCs

Processes:

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exelsass.exe

pid	process
316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
2916	lsass.exe
2916	lsass.exe
2916	lsass.exe
2916	lsass.exe
4680	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
5048	lsass.exe
5048	lsass.exe
5048	lsass.exe
5048	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.loglsass.exelsass.exe

description	pid	process	target process
PID 316 wrote to memory of 2444	316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	cacls.exe
PID 316 wrote to memory of 2444	316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	cacls.exe
PID 316 wrote to memory of 2444	316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	cacls.exe
PID 316 wrote to memory of 1888	316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	smss.exe
PID 316 wrote to memory of 1888	316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	smss.exe
PID 316 wrote to memory of 1888	316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	smss.exe
PID 316 wrote to memory of 4792	316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
PID 316 wrote to memory of 4792	316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
PID 316 wrote to memory of 4792	316	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
PID 4792 wrote to memory of 400	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	cacls.exe
PID 4792 wrote to memory of 400	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	cacls.exe
PID 4792 wrote to memory of 400	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	cacls.exe
PID 4792 wrote to memory of 2916	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 4792 wrote to memory of 2916	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 4792 wrote to memory of 2916	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 4792 wrote to memory of 1708	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	smss.exe
PID 4792 wrote to memory of 1708	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	smss.exe
PID 4792 wrote to memory of 1708	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	smss.exe
PID 4792 wrote to memory of 4680	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
PID 4792 wrote to memory of 4680	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
PID 4792 wrote to memory of 4680	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
PID 4792 wrote to memory of 5048	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 4792 wrote to memory of 5048	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 4792 wrote to memory of 5048	4792	8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log	lsass.exe
PID 2916 wrote to memory of 3552	2916	lsass.exe	cacls.exe
PID 2916 wrote to memory of 3552	2916	lsass.exe	cacls.exe
PID 2916 wrote to memory of 3552	2916	lsass.exe	cacls.exe
PID 5048 wrote to memory of 920	5048	lsass.exe	cacls.exe
PID 5048 wrote to memory of 920	5048	lsass.exe	cacls.exe
PID 5048 wrote to memory of 920	5048	lsass.exe	cacls.exe
PID 2916 wrote to memory of 428	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 428	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 428	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 4916	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 4916	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 4916	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 372	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 372	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 372	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 1044	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 1044	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 1044	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 4284	2916	lsass.exe	cmd.exe
PID 2916 wrote to memory of 4284	2916	lsass.exe	cmd.exe
PID 2916 wrote to memory of 4284	2916	lsass.exe	cmd.exe
PID 2916 wrote to memory of 448	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 448	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 448	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 3376	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 3376	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 3376	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 4708	2916	lsass.exe	cmd.exe
PID 2916 wrote to memory of 4708	2916	lsass.exe	cmd.exe
PID 2916 wrote to memory of 4708	2916	lsass.exe	cmd.exe
PID 2916 wrote to memory of 2340	2916	lsass.exe	regsvr32.exe
PID 2916 wrote to memory of 2340	2916	lsass.exe	regsvr32.exe
PID 2916 wrote to memory of 2340	2916	lsass.exe	regsvr32.exe
PID 2916 wrote to memory of 1348	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 1348	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 1348	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 4880	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 4880	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 4880	2916	lsass.exe	smss.exe
PID 2916 wrote to memory of 4136	2916	lsass.exe	smss.exe

C:\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
"C:\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe"
1⤵
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
2⤵
PID:2444

C:\Windows\SysWOW64\com\smss.exe
c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe|c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
2⤵
- Executes dropped EXE
PID:1888

\??\c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
"c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4792

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
3⤵
PID:400

C:\Windows\SysWOW64\com\lsass.exe
"C:\Windows\system32\com\lsass.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
4⤵
PID:3552

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:428

C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\lsass.exe|C:\pagefile.pif
4⤵
- Executes dropped EXE
PID:4916

C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\lsass.exe|D:\pagefile.pif
4⤵
- Executes dropped EXE
PID:372

C:\Windows\SysWOW64\com\smss.exe
C:\Windows\system32\com\lsass.exe|E:\pagefile.pif
4⤵
- Executes dropped EXE
PID:1044

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q C:\Windows\system32\com\bak
4⤵
PID:4284

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:448

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3376

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c rd /s /q C:\Windows\system32\com\bak
4⤵
PID:4708

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" C:\Windows\system32\com\netcfg.dll /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2340

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1348

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4880

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4136

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1240

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3100

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:444

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1636

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1976

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3500

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3580

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4888

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4320

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1944

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:2344

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1740

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3404

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3020

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4084

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3856

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4792

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4620

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4048

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3200

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:5100

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4624

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1972

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:2900

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:2224

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4940

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4584

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4536

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1424

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3244

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1008

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4180

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:3808

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4260

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1860

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:2348

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4228

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:1564

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:2292

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4276

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:100

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4188

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
- Executes dropped EXE
PID:4956

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3800

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3804

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4232

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3252

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:780

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4392

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1888

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:316

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1856

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1708

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5092

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3352

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4660

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4324

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1620

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4532

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3988

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1248

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4304

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4560

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2700

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5096

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3936

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4800

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4332

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:880

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:776

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4612

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4020

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4148

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2616

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2016

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4296

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2648

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4160

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4272

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2704

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2548

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3144

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2244

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3124

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4640

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1060

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:768

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3240

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1712

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4632

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:736

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1940

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3536

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4644

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1616

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4884

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4388

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1680

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1844

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:224

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1484

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3824

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4564

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4728

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2036

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2812

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3448

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4576

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3296

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1132

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1624

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4004

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4400

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3784

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1540

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4756

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1260

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4340

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3912

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4480

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1548

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1752

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5068

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1928

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2500

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4416

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3292

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3332

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4372

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3780

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3648

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3908

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:400

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2600

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4496

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2732

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5052

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1468

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4992

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5032

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3604

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1816

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4808

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2132

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1096

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3792

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2184

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:588

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3156

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:984

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:208

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3692

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4364

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5132

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5140

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5148

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5156

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5164

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5172

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5180

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5196

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5256

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5268

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5292

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5308

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5324

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5336

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5344

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5352

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5360

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5368

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5376

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5384

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5392

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5400

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5408

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5416

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5424

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5432

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5440

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5448

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5456

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5464

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5488

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5496

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5504

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5512

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5520

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5528

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5536

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5544

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5552

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5564

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5572

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5580

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5588

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5600

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5608

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5616

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5624

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5632

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5640

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5648

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5656

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5664

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5672

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5680

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5688

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5696

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5704

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5712

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5720

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5728

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5736

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5744

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5752

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5760

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5768

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5776

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5784

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5792

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5800

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5808

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5816

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5824

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5832

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5840

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5848

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5856

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5864

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5872

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5880

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5888

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5896

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5904

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5912

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5924

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5936

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5944

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5952

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5960

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5968

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5976

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5984

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5992

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6000

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6008

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6016

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6024

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6032

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6040

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6048

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6076

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6084

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6092

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6100

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6108

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6116

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6128

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6136

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3768

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3488

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2340

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3452

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4424

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3084

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2192

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3948

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2816

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3108

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2492

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3508

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4408

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4920

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2044

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1164

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4596

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2116

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1996

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1936

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:3700

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1180

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2008

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:5300

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:2212

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1784

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:4520

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:1640

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6152

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6160

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6168

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6176

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6184

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6200

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6208

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6216

C:\Windows\SysWOW64\com\smss.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~.pif
4⤵
PID:6224

C:\Windows\SysWOW64\com\smss.exe
c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.~|c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
3⤵
- Executes dropped EXE
PID:1708

\??\c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4680

C:\Windows\SysWOW64\com\lsass.exe
^c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
3⤵
- Executes dropped EXE
- Checks computer location settings
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\SysWOW64\cacls.exe
"C:\Windows\System32\cacls.exe" C:\Windows\system32\com /e /t /g Admin:F
4⤵
PID:920

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe
Filesize
124KB

MD5
93446abae1ada8c218735bc1c0acdf9d

SHA1
f14cb92d4a5f490e41dfaca17f4b5d1aacc60368

SHA256
e22c54614f00e2d10aaad970b857371957da97fea4e676eb53f3460b5688db80

SHA512
004389c4727a53cec9d70ac945d4561b6c3b61ea72b24b15ce61e81da8bea56e97595fb54f91bc04f2fe3b6268d6310de34be013a36db10406ccd2bf91c328cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
Filesize
316KB

MD5
528bcc049158a4bedf27542fcd6c7ff0

SHA1
b08cb396907cc40b5a8b6c645d7ed2cfe7b8328b

SHA256
8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476

SHA512
a01a7c7fcd23dcd9214bbe5b4b8662cbecbdab4c6ba50f6a3b86aa013d40ac0e93aaa0853790f8169cfa5f1f339925e7e2b7cca0466cfda94c26f70ba885c130

Download Submit
C:\Windows\SysWOW64\Com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
C:\Windows\SysWOW64\Com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
C:\Windows\SysWOW64\Com\netcfg.dll
Filesize
44KB

MD5
cf1f3506599598844148afb012f227de

SHA1
19f57909e3101e000700ef9790c7a6df3e40e41b

SHA256
f2dd657b735314683e2c139b4e7b93df7918e9a8ec4ce1de3d05b0a8c1a4da33

SHA512
bf43fc34eeb9f76b7cc24dd5a640f9ba4642c3065434eccc163d1ab6483fe3d5d3baaaa224260eed4468bc8dcecbdf9d3cc25e16d48c232cf86c2b6bcea43cad

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\Com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\lsass.exe
Filesize
96KB

MD5
b51ff3f622ff354ebd794730df990d69

SHA1
e457e4fe353ed5f90d86996238b27f59b1ee8663

SHA256
a3de3743d0acfd00a4ede2b8c254a26856fb7e4eae9904ebbcf7a138aa136bb1

SHA512
b854a241f56bf5f5be119af1f5a751535970e66d018ff9eea5167a14409b036162d66fd6ce706ddfb831ac64d243078c76b915e04c228af9b4f5ccc9e8cd3083

Download Submit
C:\Windows\SysWOW64\com\netcfg.dll
Filesize
44KB

MD5
cf1f3506599598844148afb012f227de

SHA1
19f57909e3101e000700ef9790c7a6df3e40e41b

SHA256
f2dd657b735314683e2c139b4e7b93df7918e9a8ec4ce1de3d05b0a8c1a4da33

SHA512
bf43fc34eeb9f76b7cc24dd5a640f9ba4642c3065434eccc163d1ab6483fe3d5d3baaaa224260eed4468bc8dcecbdf9d3cc25e16d48c232cf86c2b6bcea43cad

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
C:\Windows\SysWOW64\com\smss.exe
Filesize
9KB

MD5
237947b755928d5bd1299bd15e7bd7b2

SHA1
496d174e8559e918ba07cd7e00dfa130aa937c5c

SHA256
d3c4db470e42581531996d7045dbbb9ab69b95e02a22425ac1a28222c78a7c6e

SHA512
8623212c14f74e9161cff9290a43968badfd5f95aed07be51048f555a632966e2fddd2722b2e93d87b8d6cb4952f197674e0658fc8acee02a5a382a0a16188ca

Download Submit
\??\c:\users\admin\appdata\local\temp\8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476.exe.log
Filesize
316KB

MD5
528bcc049158a4bedf27542fcd6c7ff0

SHA1
b08cb396907cc40b5a8b6c645d7ed2cfe7b8328b

SHA256
8807fe38d5f725e9f2556fc9bd98587cec7825a482520d9ac7a2885a95fcf476

SHA512
a01a7c7fcd23dcd9214bbe5b4b8662cbecbdab4c6ba50f6a3b86aa013d40ac0e93aaa0853790f8169cfa5f1f339925e7e2b7cca0466cfda94c26f70ba885c130

Download Submit
memory/372-156-0x0000000000000000-mapping.dmp

Download
memory/400-138-0x0000000000000000-mapping.dmp

Download
memory/428-152-0x0000000000000000-mapping.dmp

Download
memory/444-180-0x0000000000000000-mapping.dmp

Download
memory/448-162-0x0000000000000000-mapping.dmp

Download
memory/920-151-0x0000000000000000-mapping.dmp

Download
memory/1008-248-0x0000000000000000-mapping.dmp

Download
memory/1044-159-0x0000000000000000-mapping.dmp

Download
memory/1240-176-0x0000000000000000-mapping.dmp

Download
memory/1348-170-0x0000000000000000-mapping.dmp

Download
memory/1424-244-0x0000000000000000-mapping.dmp

Download
memory/1480-206-0x0000000000000000-mapping.dmp

Download
memory/1556-228-0x0000000000000000-mapping.dmp

Download
memory/1636-182-0x0000000000000000-mapping.dmp

Download
memory/1656-200-0x0000000000000000-mapping.dmp

Download
memory/1708-142-0x0000000000000000-mapping.dmp

Download
memory/1740-198-0x0000000000000000-mapping.dmp

Download
memory/1860-256-0x0000000000000000-mapping.dmp

Download
memory/1888-133-0x0000000000000000-mapping.dmp

Download
memory/1904-214-0x0000000000000000-mapping.dmp

Download
memory/1944-194-0x0000000000000000-mapping.dmp

Download
memory/1972-232-0x0000000000000000-mapping.dmp

Download
memory/1976-184-0x0000000000000000-mapping.dmp

Download
memory/2224-236-0x0000000000000000-mapping.dmp

Download
memory/2340-167-0x0000000000000000-mapping.dmp

Download
memory/2344-196-0x0000000000000000-mapping.dmp

Download
memory/2348-258-0x0000000000000000-mapping.dmp

Download
memory/2444-132-0x0000000000000000-mapping.dmp

Download
memory/2900-234-0x0000000000000000-mapping.dmp

Download
memory/2916-140-0x0000000000000000-mapping.dmp

Download
memory/3020-208-0x0000000000000000-mapping.dmp

Download
memory/3100-178-0x0000000000000000-mapping.dmp

Download
memory/3200-224-0x0000000000000000-mapping.dmp

Download
memory/3244-246-0x0000000000000000-mapping.dmp

Download
memory/3376-164-0x0000000000000000-mapping.dmp

Download
memory/3404-204-0x0000000000000000-mapping.dmp

Download
memory/3500-186-0x0000000000000000-mapping.dmp

Download
memory/3552-149-0x0000000000000000-mapping.dmp

Download
memory/3580-188-0x0000000000000000-mapping.dmp

Download
memory/3808-252-0x0000000000000000-mapping.dmp

Download
memory/3856-212-0x0000000000000000-mapping.dmp

Download
memory/3952-202-0x0000000000000000-mapping.dmp

Download
memory/4048-220-0x0000000000000000-mapping.dmp

Download
memory/4084-210-0x0000000000000000-mapping.dmp

Download
memory/4136-174-0x0000000000000000-mapping.dmp

Download
memory/4180-250-0x0000000000000000-mapping.dmp

Download
memory/4236-222-0x0000000000000000-mapping.dmp

Download
memory/4260-254-0x0000000000000000-mapping.dmp

Download
memory/4284-161-0x0000000000000000-mapping.dmp

Download
memory/4320-192-0x0000000000000000-mapping.dmp

Download
memory/4536-242-0x0000000000000000-mapping.dmp

Download
memory/4584-240-0x0000000000000000-mapping.dmp

Download
memory/4620-218-0x0000000000000000-mapping.dmp

Download
memory/4624-230-0x0000000000000000-mapping.dmp

Download
memory/4680-145-0x0000000000000000-mapping.dmp

Download
memory/4708-166-0x0000000000000000-mapping.dmp

Download
memory/4792-216-0x0000000000000000-mapping.dmp

Download
memory/4792-135-0x0000000000000000-mapping.dmp

Download
memory/4880-172-0x0000000000000000-mapping.dmp

Download
memory/4888-190-0x0000000000000000-mapping.dmp

Download
memory/4916-154-0x0000000000000000-mapping.dmp

Download
memory/4940-238-0x0000000000000000-mapping.dmp

Download
memory/5048-147-0x0000000000000000-mapping.dmp

Download
memory/5100-226-0x0000000000000000-mapping.dmp

Download