e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

Analysis

max time kernel
157s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/11/2022, 00:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe
Size

84KB
MD5

36173eb61bdf83a0a96855d26f5f5160
SHA1

a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4
SHA256

e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6
SHA512

f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf
SSDEEP

1536:BnKZViWUC/JV16uXKTVXxs7djVBM5DPQ5gl:B0ViWhz161TE7dVeNPXl

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4084	explorer.exe
4888	explorer.exe
1956	explorer.exe
1828	explorer.exe
3184	explorer.exe
4864	explorer.exe
4740	explorer.exe
3512	explorer.exe
1732	smss.exe
4248	explorer.exe
4556	smss.exe
5016	explorer.exe
2036	smss.exe
4608	explorer.exe
4420	explorer.exe
2396	explorer.exe
4728	smss.exe
3916	explorer.exe
3120	explorer.exe
1280	explorer.exe
1484	smss.exe
2332	explorer.exe
2340	explorer.exe
4784	explorer.exe
1112	explorer.exe
1500	explorer.exe
2752	smss.exe
2272	explorer.exe
2920	explorer.exe
2424	explorer.exe
2644	explorer.exe
3612	explorer.exe
3428	explorer.exe
912	smss.exe
1196	explorer.exe
2288	explorer.exe
2068	explorer.exe
544	explorer.exe
1652	explorer.exe
868	smss.exe
4984	explorer.exe
4736	explorer.exe
1236	explorer.exe
3908	explorer.exe
4012	explorer.exe
1292	explorer.exe
3108	explorer.exe
3416	smss.exe
3880	explorer.exe
1328	explorer.exe
4304	explorer.exe
5104	explorer.exe
3112	explorer.exe
4928	explorer.exe
5028	smss.exe
2660	explorer.exe
3240	explorer.exe
2776	explorer.exe
4576	smss.exe
2016	explorer.exe
4504	explorer.exe
112	explorer.exe
4200	explorer.exe
4528	smss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3348-132-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0006000000022f47-134.dat	upx
behavioral2/files/0x0006000000022f47-135.dat	upx
behavioral2/memory/4084-136-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3348-137-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0006000000022f48-138.dat	upx
behavioral2/files/0x0006000000022f47-140.dat	upx
behavioral2/memory/4888-141-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0006000000022f4a-142.dat	upx
behavioral2/files/0x0006000000022f47-144.dat	upx
behavioral2/memory/1956-145-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4084-146-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000200000001e2cd-147.dat	upx
behavioral2/files/0x0006000000022f47-149.dat	upx
behavioral2/memory/1828-150-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4888-151-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000300000001e2cd-152.dat	upx
behavioral2/files/0x0006000000022f47-154.dat	upx
behavioral2/memory/3184-155-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1956-156-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000400000001e2cd-157.dat	upx
behavioral2/files/0x0006000000022f47-159.dat	upx
behavioral2/memory/4864-160-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1828-161-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0007000000022f51-162.dat	upx
behavioral2/files/0x0006000000022f47-164.dat	upx
behavioral2/memory/4740-165-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3184-166-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0008000000022f51-167.dat	upx
behavioral2/files/0x0006000000022f47-169.dat	upx
behavioral2/memory/3512-170-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0009000000022f51-172.dat	upx
behavioral2/memory/4864-173-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0009000000022f51-174.dat	upx
behavioral2/files/0x0006000000022f47-176.dat	upx
behavioral2/memory/4248-177-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0009000000022f51-179.dat	upx
behavioral2/memory/4740-180-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4556-181-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0006000000022f47-183.dat	upx
behavioral2/memory/5016-184-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0009000000022f51-186.dat	upx
behavioral2/files/0x0006000000022f47-188.dat	upx
behavioral2/memory/3512-189-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/2036-190-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4608-191-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0006000000022f47-193.dat	upx
behavioral2/memory/4420-194-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1732-195-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0006000000022f47-197.dat	upx
behavioral2/memory/2396-198-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0009000000022f51-200.dat	upx
behavioral2/memory/4728-201-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0006000000022f47-203.dat	upx
behavioral2/files/0x0006000000022f47-205.dat	upx
behavioral2/memory/4248-206-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3916-207-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3120-208-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0006000000022f47-210.dat	upx
behavioral2/memory/4556-211-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/1280-212-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0009000000022f51-214.dat	upx
behavioral2/files/0x0006000000022f47-216.dat	upx
behavioral2/memory/5016-217-0x0000000000400000-0x000000000045A000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ghlptlryem\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\roqjfowjbv\smss.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3348	e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe
3348	e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe
4084	explorer.exe
4084	explorer.exe
4888	explorer.exe
4888	explorer.exe
1956	explorer.exe
1956	explorer.exe
1828	explorer.exe
1828	explorer.exe
3184	explorer.exe
3184	explorer.exe
4864	explorer.exe
4864	explorer.exe
4740	explorer.exe
4740	explorer.exe
3512	explorer.exe
3512	explorer.exe
1732	smss.exe
1732	smss.exe
4248	explorer.exe
4248	explorer.exe
4556	smss.exe
4556	smss.exe
5016	explorer.exe
5016	explorer.exe
2036	smss.exe
2036	smss.exe
4608	explorer.exe
4608	explorer.exe
4420	explorer.exe
4420	explorer.exe
2396	explorer.exe
2396	explorer.exe
4728	smss.exe
4728	smss.exe
3916	explorer.exe
3916	explorer.exe
3120	explorer.exe
3120	explorer.exe
1280	explorer.exe
1280	explorer.exe
1484	smss.exe
1484	smss.exe
2332	explorer.exe
2332	explorer.exe
2340	explorer.exe
2340	explorer.exe
4784	explorer.exe
4784	explorer.exe
1112	explorer.exe
1112	explorer.exe
1500	explorer.exe
1500	explorer.exe
2752	smss.exe
2752	smss.exe
2272	explorer.exe
2272	explorer.exe
2920	explorer.exe
2920	explorer.exe
2424	explorer.exe
2424	explorer.exe
2644	explorer.exe
2644	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3348	e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe
Token: SeLoadDriverPrivilege	4084	explorer.exe
Token: SeLoadDriverPrivilege	4888	explorer.exe
Token: SeLoadDriverPrivilege	1956	explorer.exe
Token: SeLoadDriverPrivilege	1828	explorer.exe
Token: SeLoadDriverPrivilege	3184	explorer.exe
Token: SeLoadDriverPrivilege	4864	explorer.exe
Token: SeLoadDriverPrivilege	4740	explorer.exe
Token: SeLoadDriverPrivilege	3512	explorer.exe
Token: SeLoadDriverPrivilege	1732	smss.exe
Token: SeLoadDriverPrivilege	4248	explorer.exe
Token: SeLoadDriverPrivilege	4556	smss.exe
Token: SeLoadDriverPrivilege	5016	explorer.exe
Token: SeLoadDriverPrivilege	2036	smss.exe
Token: SeLoadDriverPrivilege	4608	explorer.exe
Token: SeLoadDriverPrivilege	4420	explorer.exe
Token: SeLoadDriverPrivilege	2396	explorer.exe
Token: SeLoadDriverPrivilege	4728	smss.exe
Token: SeLoadDriverPrivilege	3916	explorer.exe
Token: SeLoadDriverPrivilege	3120	explorer.exe
Token: SeLoadDriverPrivilege	1280	explorer.exe
Token: SeLoadDriverPrivilege	1484	smss.exe
Token: SeLoadDriverPrivilege	2332	explorer.exe
Token: SeLoadDriverPrivilege	2340	explorer.exe
Token: SeLoadDriverPrivilege	4784	explorer.exe
Token: SeLoadDriverPrivilege	1112	explorer.exe
Token: SeLoadDriverPrivilege	1500	explorer.exe
Token: SeLoadDriverPrivilege	2752	smss.exe
Token: SeLoadDriverPrivilege	2272	explorer.exe
Token: SeLoadDriverPrivilege	2920	explorer.exe
Token: SeLoadDriverPrivilege	2424	explorer.exe
Token: SeLoadDriverPrivilege	2644	explorer.exe
Token: SeLoadDriverPrivilege	3612	explorer.exe
Token: SeLoadDriverPrivilege	3428	explorer.exe
Token: SeLoadDriverPrivilege	912	smss.exe
Token: SeLoadDriverPrivilege	1196	explorer.exe
Token: SeLoadDriverPrivilege	2288	explorer.exe
Token: SeLoadDriverPrivilege	2068	explorer.exe
Token: SeLoadDriverPrivilege	544	explorer.exe
Token: SeLoadDriverPrivilege	1652	explorer.exe
Token: SeLoadDriverPrivilege	868	smss.exe
Token: SeLoadDriverPrivilege	4984	explorer.exe
Token: SeLoadDriverPrivilege	4736	explorer.exe
Token: SeLoadDriverPrivilege	1236	explorer.exe
Token: SeLoadDriverPrivilege	3908	explorer.exe
Token: SeLoadDriverPrivilege	4012	explorer.exe
Token: SeLoadDriverPrivilege	1292	explorer.exe
Token: SeLoadDriverPrivilege	3108	explorer.exe
Token: SeLoadDriverPrivilege	3416	smss.exe
Token: SeLoadDriverPrivilege	3880	explorer.exe
Token: SeLoadDriverPrivilege	1328	explorer.exe
Token: SeLoadDriverPrivilege	4304	explorer.exe
Token: SeLoadDriverPrivilege	5104	explorer.exe
Token: SeLoadDriverPrivilege	3112	explorer.exe
Token: SeLoadDriverPrivilege	4928	explorer.exe
Token: SeLoadDriverPrivilege	5028	smss.exe
Token: SeLoadDriverPrivilege	2660	explorer.exe
Token: SeLoadDriverPrivilege	3240	explorer.exe
Token: SeLoadDriverPrivilege	2776	explorer.exe
Token: SeLoadDriverPrivilege	4576	smss.exe
Token: SeLoadDriverPrivilege	2016	explorer.exe
Token: SeLoadDriverPrivilege	4504	explorer.exe
Token: SeLoadDriverPrivilege	112	explorer.exe
Token: SeLoadDriverPrivilege	4200	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 4084	3348	e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe	79
PID 3348 wrote to memory of 4084	3348	e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe	79
PID 3348 wrote to memory of 4084	3348	e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe	79
PID 4084 wrote to memory of 4888	4084	explorer.exe	80
PID 4084 wrote to memory of 4888	4084	explorer.exe	80
PID 4084 wrote to memory of 4888	4084	explorer.exe	80
PID 4888 wrote to memory of 1956	4888	explorer.exe	81
PID 4888 wrote to memory of 1956	4888	explorer.exe	81
PID 4888 wrote to memory of 1956	4888	explorer.exe	81
PID 1956 wrote to memory of 1828	1956	explorer.exe	86
PID 1956 wrote to memory of 1828	1956	explorer.exe	86
PID 1956 wrote to memory of 1828	1956	explorer.exe	86
PID 1828 wrote to memory of 3184	1828	explorer.exe	89
PID 1828 wrote to memory of 3184	1828	explorer.exe	89
PID 1828 wrote to memory of 3184	1828	explorer.exe	89
PID 3184 wrote to memory of 4864	3184	explorer.exe	92
PID 3184 wrote to memory of 4864	3184	explorer.exe	92
PID 3184 wrote to memory of 4864	3184	explorer.exe	92
PID 4864 wrote to memory of 4740	4864	explorer.exe	93
PID 4864 wrote to memory of 4740	4864	explorer.exe	93
PID 4864 wrote to memory of 4740	4864	explorer.exe	93
PID 4740 wrote to memory of 3512	4740	explorer.exe	94
PID 4740 wrote to memory of 3512	4740	explorer.exe	94
PID 4740 wrote to memory of 3512	4740	explorer.exe	94
PID 3348 wrote to memory of 1732	3348	e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe	95
PID 3348 wrote to memory of 1732	3348	e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe	95
PID 3348 wrote to memory of 1732	3348	e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe	95
PID 3512 wrote to memory of 4248	3512	explorer.exe	96
PID 3512 wrote to memory of 4248	3512	explorer.exe	96
PID 3512 wrote to memory of 4248	3512	explorer.exe	96
PID 4084 wrote to memory of 4556	4084	explorer.exe	97
PID 4084 wrote to memory of 4556	4084	explorer.exe	97
PID 4084 wrote to memory of 4556	4084	explorer.exe	97
PID 1732 wrote to memory of 5016	1732	smss.exe	98
PID 1732 wrote to memory of 5016	1732	smss.exe	98
PID 1732 wrote to memory of 5016	1732	smss.exe	98
PID 4888 wrote to memory of 2036	4888	explorer.exe	99
PID 4888 wrote to memory of 2036	4888	explorer.exe	99
PID 4888 wrote to memory of 2036	4888	explorer.exe	99
PID 4248 wrote to memory of 4608	4248	explorer.exe	100
PID 4248 wrote to memory of 4608	4248	explorer.exe	100
PID 4248 wrote to memory of 4608	4248	explorer.exe	100
PID 4556 wrote to memory of 4420	4556	smss.exe	101
PID 4556 wrote to memory of 4420	4556	smss.exe	101
PID 4556 wrote to memory of 4420	4556	smss.exe	101
PID 5016 wrote to memory of 2396	5016	explorer.exe	102
PID 5016 wrote to memory of 2396	5016	explorer.exe	102
PID 5016 wrote to memory of 2396	5016	explorer.exe	102
PID 1956 wrote to memory of 4728	1956	explorer.exe	103
PID 1956 wrote to memory of 4728	1956	explorer.exe	103
PID 1956 wrote to memory of 4728	1956	explorer.exe	103
PID 2036 wrote to memory of 3916	2036	smss.exe	104
PID 2036 wrote to memory of 3916	2036	smss.exe	104
PID 2036 wrote to memory of 3916	2036	smss.exe	104
PID 4608 wrote to memory of 3120	4608	explorer.exe	105
PID 4608 wrote to memory of 3120	4608	explorer.exe	105
PID 4608 wrote to memory of 3120	4608	explorer.exe	105
PID 4420 wrote to memory of 1280	4420	explorer.exe	106
PID 4420 wrote to memory of 1280	4420	explorer.exe	106
PID 4420 wrote to memory of 1280	4420	explorer.exe	106
PID 1828 wrote to memory of 1484	1828	explorer.exe	107
PID 1828 wrote to memory of 1484	1828	explorer.exe	107
PID 1828 wrote to memory of 1484	1828	explorer.exe	107
PID 2396 wrote to memory of 2332	2396	explorer.exe	108

C:\Users\Admin\AppData\Local\Temp\e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe
"C:\Users\Admin\AppData\Local\Temp\e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\SysWOW64\ghlptlryem\explorer.exe
  C:\Windows\system32\ghlptlryem\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
    C:\Windows\system32\ghlptlryem\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
      C:\Windows\system32\ghlptlryem\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        23⤵
        Drops file in System32 directory
        
        PID:6408
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        24⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        25⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        26⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        27⤵
        
        PID:12704
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        28⤵
        
        PID:15340
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        23⤵
        
        PID:17112
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        22⤵
        
        PID:14380
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        23⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        21⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:14820
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        23⤵
        
        PID:17932
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        20⤵
        
        PID:10376
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15224
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        19⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15208
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        18⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12448
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15136
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:4064
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15152
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        Enumerates connected drives
        
        PID:6280
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15160
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:17072
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12616
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15252
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:17128
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:14324
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17336
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:7536
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:8988
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12696
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:14900
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:17016
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14472
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17668
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12548
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15168
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:17064
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14452
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17776
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14812
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:18136
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:240
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:932
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12712
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:17028
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:11784
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14536
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17820
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:11956
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14628
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17916
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14724
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:18092
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:5936
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:6272
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:2268
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12744
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15632
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:17096
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:13644
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14556
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17908
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14620
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17848
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14716
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:18124
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12324
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14940
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:18348
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:3932
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12688
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:17080
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14524
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17900
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14668
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17888
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15192
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14888
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8412
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12312
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:396
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5164
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:12728
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15532
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:17104
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:14860
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:17456
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:10256
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15084
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15184
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        
        PID:884
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12488
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15200
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:18656
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15176
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:6740
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:1432
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15032
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:18356
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:16788
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:7352
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:13244
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:15856
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:12816
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15588
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12872
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15364
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12864
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15380
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13236
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15764
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7228
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13172
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15796
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:844
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15824
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:14832
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:3456
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:5404
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:7464
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:9808
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:13392
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:17644
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15804
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15840
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9644
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16132
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16040
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15888
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:17600
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7400
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8200
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9636
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13252
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16048
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:17592
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:15912
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:17608
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:13132
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:15552
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:2436
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5224
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:11724
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:17088
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:16120
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:13472
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:11368
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13656
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16404
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13724
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16580
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11444
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13772
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16820
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13900
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16868
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:6848
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10044
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13672
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16604
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:18184
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:8496
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13680
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16612
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:18036
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:15704
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13908
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16828
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:18200
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:15756
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:8504
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:13808
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16780
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:18044
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:15712
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:16096
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:13436
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:16276
    - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:2188
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:4284
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5752
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:8072
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        22⤵
        
        PID:17512
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        17⤵
        
        PID:18452
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:15272
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:13996
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16852
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17328
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14224
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17660
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:8852
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14216
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:16932
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:8888
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17528
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7968
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14272
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17504
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:18412
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14112
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17868
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8840
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11864
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14264
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17536
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:18404
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:16756
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:3972
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14256
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17352
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:13848
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:16572
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:14240
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17344
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:1740
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:8024
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8936
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12068
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17544
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:16352
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:16908
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:11792
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:14100
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:16860
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:14092
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:16916
  - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
      C:\Windows\system32\roqjfowjbv\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4784
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3880
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:6328
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        
        PID:312
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:9092
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:12584
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:15232
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:17164
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17796
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14676
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:18156
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15060
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:17640
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10396
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15040
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:18396
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:2296
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12400
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15068
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6668
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:3328
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12388
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15144
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:16724
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:3876
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12348
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15076
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:16716
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:13932
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:488
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8172
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14708
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:18148
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:16692
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:12236
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17552
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:5848
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:1992
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:18664
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:16704
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17052
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:14460
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17804
    - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        5⤵
        
        PID:4164
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:1624
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14564
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:18164
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:16532
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17520
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:12180
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:14388
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17812
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:12276
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17764
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:9076
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:14344
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17788
- - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
    C:\Windows\system32\roqjfowjbv\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4556
  - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
      C:\Windows\system32\ghlptlryem\explorer.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4736
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5104
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:7320
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:3988
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:13212
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:15876
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:14876
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:12784
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14448
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:9252
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12976
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15596
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9292
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12880
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15848
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7576
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10948
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12888
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15636
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12856
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15372
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:7040
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:6100
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7192
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9360
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13108
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15832
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:524
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:18060
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13180
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15788
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:14784
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:18084
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:15308
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:4684
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6468
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:1628
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12960
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15572
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:14600
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17756
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:12516
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:15112
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:18952
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:12668
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:15280
    - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        5⤵
        Drops file in System32 directory
        
        PID:3632
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:2896
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:6076
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:820
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:9436
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13188
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15816
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:14804
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:18052
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:12508
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:15104
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:12736
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:15580
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:15648
  - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
      C:\Windows\system32\roqjfowjbv\smss.exe
      4⤵
      Executes dropped EXE
      PID:4528
    - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        5⤵
        Drops file in System32 directory
        
        PID:3992
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:15564
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:14736
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:17924
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:12524
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:15124
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:10780
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:12676
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6716
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:344
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6720
    - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        5⤵
        
        PID:8068
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:4876
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:12968
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6780
- C:\Windows\SysWOW64\roqjfowjbv\smss.exe
  C:\Windows\system32\roqjfowjbv\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
    C:\Windows\system32\ghlptlryem\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
      C:\Windows\system32\ghlptlryem\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3048
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:1120
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:2488
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5624
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:7056
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        16⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:8820
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        18⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        19⤵
        
        PID:11816
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        20⤵
        
        PID:14084
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        21⤵
        
        PID:16892
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        16⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        15⤵
        
        PID:16164
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        14⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        13⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13780
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16764
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        12⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13664
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16588
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        11⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13976
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16844
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:10076
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11544
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13832
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16748
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13936
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16812
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:18332
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13944
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16900
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:18324
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:15968
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:2624
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:6944
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13960
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16924
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:18340
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:16004
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:13376
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:16360
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:4872
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:5828
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13952
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16836
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:18372
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:16056
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:13368
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:16368
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13580
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6868
    - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        5⤵
        Drops file in System32 directory
        
        PID:1228
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:14044
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16876
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:16020
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:13384
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:11324
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13564
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:16376
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13696
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:16388
  - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
      C:\Windows\system32\roqjfowjbv\smss.exe
      4⤵
      Drops file in System32 directory
      PID:2384
    - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        5⤵
        
        PID:2184
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8764
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16884
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:18380
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:15996
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:13356
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:15432
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13572
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:16344
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:9916
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13464
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:16284
    - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        5⤵
        
        PID:8468
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13708
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:16396
- - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
    C:\Windows\system32\roqjfowjbv\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5028
  - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
      C:\Windows\system32\ghlptlryem\explorer.exe
      4⤵
      Drops file in System32 directory
      PID:4688
    - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        5⤵
        
        PID:2472
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        
        PID:8
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:4972
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7704
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:8664
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:10176
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        13⤵
        
        PID:11668
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        14⤵
        
        PID:13968
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        15⤵
        
        PID:16940
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        10⤵
        
        PID:18208
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        9⤵
        
        PID:15940
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        8⤵
        
        PID:13336
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:15988
        
        C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        7⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13456
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:16268
      - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        6⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13596
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:7160
    - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
        
        C:\Windows\system32\roqjfowjbv\smss.exe
        5⤵
        
        PID:8444
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:4000
  - - C:\Windows\SysWOW64\roqjfowjbv\smss.exe
      C:\Windows\system32\roqjfowjbv\smss.exe
      4⤵
      PID:7588
    - - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        5⤵
        
        PID:8488
      - C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        6⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        7⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        8⤵
        
        PID:13840
        
        C:\Windows\SysWOW64\ghlptlryem\explorer.exe
        
        C:\Windows\system32\ghlptlryem\explorer.exe
        9⤵
        
        PID:16772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\ghlptlryem\explorer.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
C:\Windows\SysWOW64\roqjfowjbv\smss.exe

Filesize
84KB

MD5
36173eb61bdf83a0a96855d26f5f5160

SHA1
a0e4faa8e7e3ef98f9cc1785755a0ebf907779e4

SHA256
e324f33f0b85773c3ec4be90102d92c11ab946b4b96eee294cde9df9a2eaa5c6

SHA512
f890d35e427ec6c80b0f0574b4976d63118abea4b2db5cdd458d5a6c8ef51314714a6b7f2675f9ce57b039ee608053a1d1d48329d41b6b93c7a34388a0a480bf

Download Submit
memory/544-278-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/912-263-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1112-288-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1112-230-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1196-266-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1280-261-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1280-212-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1484-271-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1484-218-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1500-234-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1732-195-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1828-150-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1828-161-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1956-145-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1956-156-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2036-190-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2036-227-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2068-274-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2272-243-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2288-273-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2332-272-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2332-219-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2340-277-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2340-222-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2396-242-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2396-198-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2424-248-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2644-255-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2752-237-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2920-244-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3120-208-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3120-254-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3184-155-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3184-166-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3348-132-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3348-137-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3428-262-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3512-189-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3512-170-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3612-256-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3916-253-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3916-207-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4084-146-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4084-136-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4248-206-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4248-177-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4420-233-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4420-194-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4556-181-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4556-211-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4608-228-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4608-191-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4728-247-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4728-201-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4740-180-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4740-165-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4784-229-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4784-285-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4864-160-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4864-173-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4888-151-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4888-141-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5016-217-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5016-184-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download