4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

Analysis

max time kernel
129s
max time network
181s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe
Size

82KB
MD5

53124fbc6f667f24741c8b8d1acfa471
SHA1

e88e6c5cc467ce6cc4108cab03273f67984b1f4b
SHA256

4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad
SHA512

bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5
SSDEEP

1536:JQeKcnrJXSWLv5z2+krfz7wN5JT70wj+gX0KQ1gP:JQHcnrJXSUBz2+kT3K5l9jVX0KbP

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4844	explorer.exe
4708	explorer.exe
4716	explorer.exe
4556	explorer.exe
5108	explorer.exe
1300	explorer.exe
4524	explorer.exe
648	smss.exe
1908	explorer.exe
3016	smss.exe
2916	explorer.exe
2260	explorer.exe
4572	smss.exe
2284	explorer.exe
4424	explorer.exe
360	smss.exe
3104	explorer.exe
2620	explorer.exe
1228	explorer.exe
1952	explorer.exe
1948	smss.exe
3984	explorer.exe
1308	explorer.exe
2644	explorer.exe
888	explorer.exe
1344	smss.exe
4668	explorer.exe
1900	explorer.exe
4864	explorer.exe
1844	explorer.exe
4324	explorer.exe
2592	explorer.exe
4212	smss.exe
2732	explorer.exe
4136	explorer.exe
4888	explorer.exe
3964	explorer.exe
4944	explorer.exe
2868	explorer.exe
3424	explorer.exe
2000	explorer.exe
2304	explorer.exe
3636	explorer.exe
4744	explorer.exe
1232	explorer.exe
1768	smss.exe
4132	explorer.exe
1772	explorer.exe
2924	explorer.exe
4344	explorer.exe
4520	smss.exe
3064	explorer.exe
3676	explorer.exe
2112	explorer.exe
1420	explorer.exe
3480	smss.exe
1832	explorer.exe
2960	explorer.exe
2192	explorer.exe
4848	smss.exe
3380	explorer.exe
4876	explorer.exe
4972	smss.exe
1160	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4776-132-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-135.dat	upx
behavioral2/files/0x0006000000022e46-134.dat	upx
behavioral2/memory/4844-136-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e47-137.dat	upx
behavioral2/files/0x0006000000022e46-139.dat	upx
behavioral2/memory/4708-140-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0007000000022e47-141.dat	upx
behavioral2/files/0x0006000000022e46-143.dat	upx
behavioral2/memory/4716-144-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4776-145-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4844-146-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000400000001e3d9-147.dat	upx
behavioral2/files/0x0006000000022e46-149.dat	upx
behavioral2/memory/4556-150-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4708-151-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000500000001e3d9-152.dat	upx
behavioral2/files/0x0006000000022e46-154.dat	upx
behavioral2/memory/5108-155-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4716-156-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000600000001e3d9-157.dat	upx
behavioral2/files/0x0006000000022e46-159.dat	upx
behavioral2/memory/1300-160-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4556-161-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000700000001e3d9-162.dat	upx
behavioral2/files/0x0006000000022e46-164.dat	upx
behavioral2/memory/5108-165-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4524-166-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000800000001e3d9-167.dat	upx
behavioral2/files/0x000800000001e3d9-169.dat	upx
behavioral2/memory/1300-170-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/648-171-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-173.dat	upx
behavioral2/memory/1908-174-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000800000001e3d9-176.dat	upx
behavioral2/memory/3016-177-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-179.dat	upx
behavioral2/memory/4524-180-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2916-181-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-183.dat	upx
behavioral2/files/0x000800000001e3d9-185.dat	upx
behavioral2/memory/2260-186-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4572-187-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-189.dat	upx
behavioral2/memory/2284-190-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-192.dat	upx
behavioral2/memory/648-193-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4424-194-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000800000001e3d9-196.dat	upx
behavioral2/memory/360-197-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-199.dat	upx
behavioral2/files/0x0006000000022e46-201.dat	upx
behavioral2/memory/1908-202-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3104-203-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2620-204-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-206.dat	upx
behavioral2/memory/3016-207-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1228-208-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-210.dat	upx
behavioral2/files/0x000800000001e3d9-212.dat	upx
behavioral2/memory/2916-213-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1952-214-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1948-215-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-217.dat	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\e:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\adokiprlpc\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\adokiprlpc\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wbhngxwlux\explorer.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4776	4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe
4776	4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe
4844	explorer.exe
4844	explorer.exe
4708	explorer.exe
4708	explorer.exe
4716	explorer.exe
4716	explorer.exe
4556	explorer.exe
4556	explorer.exe
5108	explorer.exe
5108	explorer.exe
1300	explorer.exe
1300	explorer.exe
4524	explorer.exe
4524	explorer.exe
648	smss.exe
648	smss.exe
1908	explorer.exe
1908	explorer.exe
3016	smss.exe
3016	smss.exe
2916	explorer.exe
2916	explorer.exe
2260	explorer.exe
2260	explorer.exe
4572	smss.exe
4572	smss.exe
2284	explorer.exe
2284	explorer.exe
4424	explorer.exe
4424	explorer.exe
360	smss.exe
360	smss.exe
3104	explorer.exe
3104	explorer.exe
2620	explorer.exe
2620	explorer.exe
1228	explorer.exe
1228	explorer.exe
1952	explorer.exe
1952	explorer.exe
1948	smss.exe
1948	smss.exe
3984	explorer.exe
3984	explorer.exe
1308	explorer.exe
1308	explorer.exe
2644	explorer.exe
2644	explorer.exe
888	explorer.exe
888	explorer.exe
1344	smss.exe
1344	smss.exe
4668	explorer.exe
4668	explorer.exe
1900	explorer.exe
1900	explorer.exe
4864	explorer.exe
4864	explorer.exe
1844	explorer.exe
1844	explorer.exe
4324	explorer.exe
4324	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4776	4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe
Token: SeLoadDriverPrivilege	4844	explorer.exe
Token: SeLoadDriverPrivilege	4708	explorer.exe
Token: SeLoadDriverPrivilege	4716	explorer.exe
Token: SeLoadDriverPrivilege	4556	explorer.exe
Token: SeLoadDriverPrivilege	5108	explorer.exe
Token: SeLoadDriverPrivilege	1300	explorer.exe
Token: SeLoadDriverPrivilege	4524	explorer.exe
Token: SeLoadDriverPrivilege	648	smss.exe
Token: SeLoadDriverPrivilege	1908	explorer.exe
Token: SeLoadDriverPrivilege	3016	smss.exe
Token: SeLoadDriverPrivilege	2916	explorer.exe
Token: SeLoadDriverPrivilege	2260	explorer.exe
Token: SeLoadDriverPrivilege	4572	smss.exe
Token: SeLoadDriverPrivilege	2284	explorer.exe
Token: SeLoadDriverPrivilege	4424	explorer.exe
Token: SeLoadDriverPrivilege	360	smss.exe
Token: SeLoadDriverPrivilege	3104	explorer.exe
Token: SeLoadDriverPrivilege	2620	explorer.exe
Token: SeLoadDriverPrivilege	1228	explorer.exe
Token: SeLoadDriverPrivilege	1952	explorer.exe
Token: SeLoadDriverPrivilege	1948	smss.exe
Token: SeLoadDriverPrivilege	3984	explorer.exe
Token: SeLoadDriverPrivilege	1308	explorer.exe
Token: SeLoadDriverPrivilege	2644	explorer.exe
Token: SeLoadDriverPrivilege	888	explorer.exe
Token: SeLoadDriverPrivilege	1344	smss.exe
Token: SeLoadDriverPrivilege	4668	explorer.exe
Token: SeLoadDriverPrivilege	1900	explorer.exe
Token: SeLoadDriverPrivilege	4864	explorer.exe
Token: SeLoadDriverPrivilege	1844	explorer.exe
Token: SeLoadDriverPrivilege	4324	explorer.exe
Token: SeLoadDriverPrivilege	2592	explorer.exe
Token: SeLoadDriverPrivilege	4212	smss.exe
Token: SeLoadDriverPrivilege	2732	explorer.exe
Token: SeLoadDriverPrivilege	4136	explorer.exe
Token: SeLoadDriverPrivilege	4888	explorer.exe
Token: SeLoadDriverPrivilege	3964	explorer.exe
Token: SeLoadDriverPrivilege	4944	explorer.exe
Token: SeLoadDriverPrivilege	2868	explorer.exe
Token: SeLoadDriverPrivilege	3424	explorer.exe
Token: SeLoadDriverPrivilege	2000	explorer.exe
Token: SeLoadDriverPrivilege	2304	explorer.exe
Token: SeLoadDriverPrivilege	3636	explorer.exe
Token: SeLoadDriverPrivilege	4744	explorer.exe
Token: SeLoadDriverPrivilege	1232	explorer.exe
Token: SeLoadDriverPrivilege	1768	smss.exe
Token: SeLoadDriverPrivilege	4132	explorer.exe
Token: SeLoadDriverPrivilege	1772	explorer.exe
Token: SeLoadDriverPrivilege	2924	explorer.exe
Token: SeLoadDriverPrivilege	4344	explorer.exe
Token: SeLoadDriverPrivilege	3064	explorer.exe
Token: SeLoadDriverPrivilege	4520	smss.exe
Token: SeLoadDriverPrivilege	3676	explorer.exe
Token: SeLoadDriverPrivilege	2112	explorer.exe
Token: SeLoadDriverPrivilege	1420	explorer.exe
Token: SeLoadDriverPrivilege	3480	smss.exe
Token: SeLoadDriverPrivilege	1832	explorer.exe
Token: SeLoadDriverPrivilege	2960	explorer.exe
Token: SeLoadDriverPrivilege	2192	explorer.exe
Token: SeLoadDriverPrivilege	4848	smss.exe
Token: SeLoadDriverPrivilege	3380	explorer.exe
Token: SeLoadDriverPrivilege	4876	explorer.exe
Token: SeLoadDriverPrivilege	4972	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4844	4776	4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe	81
PID 4776 wrote to memory of 4844	4776	4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe	81
PID 4776 wrote to memory of 4844	4776	4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe	81
PID 4844 wrote to memory of 4708	4844	explorer.exe	82
PID 4844 wrote to memory of 4708	4844	explorer.exe	82
PID 4844 wrote to memory of 4708	4844	explorer.exe	82
PID 4708 wrote to memory of 4716	4708	explorer.exe	83
PID 4708 wrote to memory of 4716	4708	explorer.exe	83
PID 4708 wrote to memory of 4716	4708	explorer.exe	83
PID 4716 wrote to memory of 4556	4716	explorer.exe	84
PID 4716 wrote to memory of 4556	4716	explorer.exe	84
PID 4716 wrote to memory of 4556	4716	explorer.exe	84
PID 4556 wrote to memory of 5108	4556	explorer.exe	85
PID 4556 wrote to memory of 5108	4556	explorer.exe	85
PID 4556 wrote to memory of 5108	4556	explorer.exe	85
PID 5108 wrote to memory of 1300	5108	explorer.exe	86
PID 5108 wrote to memory of 1300	5108	explorer.exe	86
PID 5108 wrote to memory of 1300	5108	explorer.exe	86
PID 1300 wrote to memory of 4524	1300	explorer.exe	88
PID 1300 wrote to memory of 4524	1300	explorer.exe	88
PID 1300 wrote to memory of 4524	1300	explorer.exe	88
PID 4776 wrote to memory of 648	4776	4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe	90
PID 4776 wrote to memory of 648	4776	4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe	90
PID 4776 wrote to memory of 648	4776	4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe	90
PID 4524 wrote to memory of 1908	4524	explorer.exe	91
PID 4524 wrote to memory of 1908	4524	explorer.exe	91
PID 4524 wrote to memory of 1908	4524	explorer.exe	91
PID 4844 wrote to memory of 3016	4844	explorer.exe	92
PID 4844 wrote to memory of 3016	4844	explorer.exe	92
PID 4844 wrote to memory of 3016	4844	explorer.exe	92
PID 648 wrote to memory of 2916	648	smss.exe	93
PID 648 wrote to memory of 2916	648	smss.exe	93
PID 648 wrote to memory of 2916	648	smss.exe	93
PID 1908 wrote to memory of 2260	1908	explorer.exe	94
PID 1908 wrote to memory of 2260	1908	explorer.exe	94
PID 1908 wrote to memory of 2260	1908	explorer.exe	94
PID 4708 wrote to memory of 4572	4708	explorer.exe	95
PID 4708 wrote to memory of 4572	4708	explorer.exe	95
PID 4708 wrote to memory of 4572	4708	explorer.exe	95
PID 3016 wrote to memory of 2284	3016	smss.exe	98
PID 3016 wrote to memory of 2284	3016	smss.exe	98
PID 3016 wrote to memory of 2284	3016	smss.exe	98
PID 2916 wrote to memory of 4424	2916	explorer.exe	99
PID 2916 wrote to memory of 4424	2916	explorer.exe	99
PID 2916 wrote to memory of 4424	2916	explorer.exe	99
PID 4716 wrote to memory of 360	4716	explorer.exe	100
PID 4716 wrote to memory of 360	4716	explorer.exe	100
PID 4716 wrote to memory of 360	4716	explorer.exe	100
PID 2260 wrote to memory of 3104	2260	explorer.exe	102
PID 2260 wrote to memory of 3104	2260	explorer.exe	102
PID 2260 wrote to memory of 3104	2260	explorer.exe	102
PID 4572 wrote to memory of 2620	4572	smss.exe	103
PID 4572 wrote to memory of 2620	4572	smss.exe	103
PID 4572 wrote to memory of 2620	4572	smss.exe	103
PID 2284 wrote to memory of 1228	2284	explorer.exe	104
PID 2284 wrote to memory of 1228	2284	explorer.exe	104
PID 2284 wrote to memory of 1228	2284	explorer.exe	104
PID 4424 wrote to memory of 1952	4424	explorer.exe	106
PID 4424 wrote to memory of 1952	4424	explorer.exe	106
PID 4424 wrote to memory of 1952	4424	explorer.exe	106
PID 4556 wrote to memory of 1948	4556	explorer.exe	107
PID 4556 wrote to memory of 1948	4556	explorer.exe	107
PID 4556 wrote to memory of 1948	4556	explorer.exe	107
PID 360 wrote to memory of 3984	360	smss.exe	108

C:\Users\Admin\AppData\Local\Temp\4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe
"C:\Users\Admin\AppData\Local\Temp\4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
  C:\Windows\system32\wbhngxwlux\explorer.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4844
- - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
    C:\Windows\system32\wbhngxwlux\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4708
  - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
      C:\Windows\system32\wbhngxwlux\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4716
    - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3104
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:2056
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        23⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        24⤵
        Enumerates connected drives
        
        PID:4424
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        25⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        26⤵
        Drops file in System32 directory
        
        PID:11484
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        27⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        28⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        22⤵
        
        PID:16708
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        21⤵
        
        PID:14228
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:16936
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        20⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:14320
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17172
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        19⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:12248
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:14328
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17180
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        18⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:13484
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17056
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        17⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17400
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:8044
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:11300
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:820
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:728
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17364
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:16508
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17480
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:16520
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:14020
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16832
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:6160
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:636
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:9208
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17348
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:16640
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:14116
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16840
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14180
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16948
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        
        PID:964
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:16464
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:14068
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16848
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:11952
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14028
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16604
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:12184
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17212
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:2236
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:5620
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17004
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:16420
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:13876
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16748
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:11884
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13956
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16880
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:14052
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16812
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:11976
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14036
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16824
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3480
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5112
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:4676
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5812
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:11288
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:16444
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        Enumerates connected drives
        
        PID:13924
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16764
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:11920
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:14060
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16964
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14044
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16660
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9832
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12112
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14280
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17196
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:7908
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:8936
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14304
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17072
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:816
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:308
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17288
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:16480
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:14008
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16796
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14272
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16996
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14296
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17080
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9916
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12192
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14312
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17204
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9928
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17296
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14196
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17088
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4876
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:5420
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:15908
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        17⤵
        
        PID:17948
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:18576
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:18624
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:12996
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:18584
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:18680
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:7808
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:12988
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:18696
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15488
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13276
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15640
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:18412
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        Drops file in System32 directory
        
        PID:5372
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9264
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13004
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:18672
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:18372
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:6840
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:15924
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        17⤵
        
        PID:18484
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:13104
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15604
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13208
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15536
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:12712
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15932
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15664
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9520
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:12900
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15884
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7268
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:12860
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15876
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6676
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:4752
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:5324
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15656
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:18984
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:18336
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:6660
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13132
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:15432
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:12916
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:14788
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:18500
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4888
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:5660
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:7036
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8648
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:13632
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:16056
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:13408
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16096
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:11424
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13432
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16116
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13456
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16260
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:11512
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13552
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16312
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13464
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16248
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7636
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16328
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:6056
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:11504
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13544
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16336
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:15812
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8600
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10044
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16320
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:15804
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:13324
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:15968
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7672
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8640
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:13664
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:18948
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:15984
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:13344
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:16080
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:11396
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:13388
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:16088
    - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:360
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3984
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3964
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:2024
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17356
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:16392
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:13884
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16740
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13852
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16684
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13908
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16756
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:11860
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13940
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16720
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11900
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13932
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16732
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7940
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14248
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17064
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        Drops file in System32 directory
        
        PID:4056
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:14188
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16956
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:5732
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:1952
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13964
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16856
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:16344
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:13736
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5752
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12156
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14256
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17048
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:13744
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:16408
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:216
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5744
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:16548
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:13760
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:16064
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:13804
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:16400
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:13828
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:16532
  - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
      C:\Windows\system32\adokiprlpc\smss.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:6028
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:12320
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:14812
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:17720
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:17260
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:14496
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17548
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14460
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14452
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14428
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17496
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10336
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:5772
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14608
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17588
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14696
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17608
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10376
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14668
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17596
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17120
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:6296
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:3120
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14592
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17420
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17040
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:780
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14660
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17516
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17112
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:14392
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17532
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:14340
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6924
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:5148
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:3396
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10384
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14712
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17632
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17012
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17312
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17508
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5808
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:14404
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17540
    - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        5⤵
        
        PID:4196
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6280
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10368
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:17524
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17144
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17488
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:11676
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:14364
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7096
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:14348
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:5072
- - C:\Windows\SysWOW64\adokiprlpc\smss.exe
    C:\Windows\system32\adokiprlpc\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
      C:\Windows\system32\wbhngxwlux\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3424
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:524
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5348
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:12740
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:14360
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        22⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:17844
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:15088
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18184
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:12572
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18252
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15096
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18200
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10752
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12612
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15200
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18152
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:12528
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15104
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18160
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12516
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18144
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:4960
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15296
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18404
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17696
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:6140
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:12604
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15212
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18260
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17704
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:14868
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17864
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:360
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12564
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15112
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18208
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17712
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:14844
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17736
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:12364
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18012
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15272
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18348
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17672
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:14884
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17896
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:12428
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15004
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18028
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:12400
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:14936
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18036
    - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        5⤵
        
        PID:3460
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:6108
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12500
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15072
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18328
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17656
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:14832
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17744
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:12356
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:14944
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17924
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:12344
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:14904
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18020
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:10492
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15016
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18128
  - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
      C:\Windows\system32\adokiprlpc\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4848
    - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        5⤵
        
        PID:3544
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6940
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12676
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15288
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:18356
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:17664
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:14892
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17908
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15032
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18192
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:14952
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17932
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:12476
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15024
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:17916
    - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:7784
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:10616
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:12488
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15056
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18136
- C:\Windows\SysWOW64\adokiprlpc\smss.exe
  C:\Windows\system32\adokiprlpc\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
    C:\Windows\system32\wbhngxwlux\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
      C:\Windows\system32\wbhngxwlux\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4424
    - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:6864
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        16⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        17⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        18⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        19⤵
        
        PID:11368
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:13360
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        21⤵
        
        PID:16132
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        16⤵
        
        PID:18600
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        15⤵
        
        PID:15496
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        14⤵
        
        PID:13268
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15596
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        13⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15728
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:9540
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15860
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        11⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12736
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15956
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15764
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7380
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15940
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:2220
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12828
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15892
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18592
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6740
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8284
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9620
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12932
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15852
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18644
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:13036
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18548
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5448
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15868
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:18120
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18636
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:13120
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15480
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:13200
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15516
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18884
    - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        5⤵
        
        PID:3776
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6796
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:8376
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:12960
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15948
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18732
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18716
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:13192
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15560
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:11244
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:13260
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15584
  - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
      C:\Windows\system32\adokiprlpc\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4972
    - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        5⤵
        
        PID:2308
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6760
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8348
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:16008
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18688
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:13056
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15368
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15440
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18892
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15568
    - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:2240
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        Drops file in System32 directory
        
        PID:9424
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15648
- - C:\Windows\SysWOW64\adokiprlpc\smss.exe
    C:\Windows\system32\adokiprlpc\smss.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    PID:4520
  - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
      C:\Windows\system32\wbhngxwlux\explorer.exe
      4⤵
      PID:4300
    - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        5⤵
        
        PID:2416
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8384
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        12⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        13⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        14⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        15⤵
        
        PID:15900
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        10⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        9⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18724
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        8⤵
        
        PID:13080
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        7⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:13184
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15552
      - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        6⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:13252
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15528
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        10⤵
        
        PID:18920
    - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
        
        C:\Windows\system32\adokiprlpc\smss.exe
        5⤵
        
        PID:3572
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15916
  - - C:\Windows\SysWOW64\adokiprlpc\smss.exe
      C:\Windows\system32\adokiprlpc\smss.exe
      4⤵
      PID:7292
    - - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        5⤵
        Enumerates connected drives
        
        PID:3124
      - C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        6⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        7⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        8⤵
        
        PID:12776
        
        C:\Windows\SysWOW64\wbhngxwlux\explorer.exe
        
        C:\Windows\system32\wbhngxwlux\explorer.exe
        9⤵
        
        PID:15784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\adokiprlpc\smss.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
C:\Windows\SysWOW64\wbhngxwlux\explorer.exe

Filesize
82KB

MD5
53124fbc6f667f24741c8b8d1acfa471

SHA1
e88e6c5cc467ce6cc4108cab03273f67984b1f4b

SHA256
4b7e8f92f8a4e41cb6661ea77419fa27a9d325b1fd8ed5b8c573352ad4d64bad

SHA512
bfed83d2990a751a8d8ddfda73a45ba2d738df132f0be596ea8df2e0a1040ea2e98f9e2ae924141c2d7aa05b6838295bc8b6796a5437432ba0ae861d572c5ec5

Download Submit
memory/360-245-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/360-197-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/648-193-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/648-171-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/888-230-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1228-255-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1228-208-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1300-160-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1300-170-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1308-225-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1308-280-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1344-235-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1844-247-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1900-240-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1908-202-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1908-174-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-269-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1948-215-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1952-268-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1952-214-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2260-186-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2260-223-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2284-229-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2284-190-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-256-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2620-204-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2620-251-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2644-226-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2644-281-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2732-264-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2916-181-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2916-213-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3016-207-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3016-177-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3104-250-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3104-203-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3964-276-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3984-219-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3984-275-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4136-265-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4212-263-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4324-252-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4424-194-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4424-239-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4524-180-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4524-166-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4556-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4556-161-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4572-187-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4572-224-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4668-236-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4708-151-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4708-140-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4716-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4716-144-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4776-132-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4776-145-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4844-136-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4844-146-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4864-246-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4888-270-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4944-277-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5108-165-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5108-155-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download