93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

Analysis

max time kernel
182s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f.exe
Size

81KB
MD5

1b44a7aabbacc14e1accde73b8fde0d6
SHA1

b39c2b947b47738959e7ee3cb6890d6364a86183
SHA256

93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f
SHA512

b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624
SSDEEP

1536:BnKZViWUC/JV16uXKTVXxs7djVBM5DPQ5gp:B0ViWhz161TE7dVeNPXp

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
5024	explorer.exe
4132	explorer.exe
4224	explorer.exe
4068	explorer.exe
1276	explorer.exe
1468	explorer.exe
3180	explorer.exe
112	explorer.exe
2284	explorer.exe
4284	explorer.exe
3500	explorer.exe
4588	explorer.exe
5096	explorer.exe
1768	explorer.exe
2256	smss.exe
1456	smss.exe
2300	smss.exe
1848	explorer.exe
984	smss.exe
4304	explorer.exe
2032	explorer.exe
4116	explorer.exe
3896	explorer.exe
1916	smss.exe
4648	explorer.exe
3960	explorer.exe
1044	explorer.exe
1180	explorer.exe
1476	explorer.exe
3724	smss.exe
1056	explorer.exe
3928	explorer.exe
4560	explorer.exe
5108	explorer.exe
2540	explorer.exe
5100	smss.exe
632	explorer.exe
5024	explorer.exe
2432	explorer.exe
2360	explorer.exe
1048	explorer.exe
4108	explorer.exe
3940	explorer.exe
932	explorer.exe
4152	explorer.exe
4068	explorer.exe
5052	explorer.exe
5076	explorer.exe
2392	explorer.exe
224	explorer.exe
3916	explorer.exe
1988	explorer.exe
4316	explorer.exe
2284	explorer.exe
2740	explorer.exe
4488	smss.exe
5068	explorer.exe
4744	explorer.exe
2292	explorer.exe
1612	explorer.exe
2924	explorer.exe
1296	explorer.exe
2520	explorer.exe
4976	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4972-132-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-134.dat	upx
behavioral2/files/0x0002000000021b43-135.dat	upx
behavioral2/memory/5024-136-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000d000000022de9-137.dat	upx
behavioral2/files/0x0002000000021b43-139.dat	upx
behavioral2/memory/4132-140-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000e000000022de9-141.dat	upx
behavioral2/memory/4972-142-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-144.dat	upx
behavioral2/memory/4224-145-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/5024-146-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000f000000022de9-147.dat	upx
behavioral2/files/0x0002000000021b43-149.dat	upx
behavioral2/memory/4068-150-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4132-151-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0010000000022de9-152.dat	upx
behavioral2/files/0x0002000000021b43-154.dat	upx
behavioral2/memory/1276-155-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4224-156-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0011000000022de9-157.dat	upx
behavioral2/files/0x0002000000021b43-159.dat	upx
behavioral2/memory/1468-160-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4068-161-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0012000000022de9-162.dat	upx
behavioral2/files/0x0002000000021b43-164.dat	upx
behavioral2/memory/1276-165-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3180-166-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0008000000022e06-167.dat	upx
behavioral2/memory/4972-168-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-170.dat	upx
behavioral2/memory/1468-171-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/112-172-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0009000000022e06-173.dat	upx
behavioral2/memory/5024-174-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-176.dat	upx
behavioral2/memory/2284-177-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3180-178-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000a000000022e06-179.dat	upx
behavioral2/memory/4132-180-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-182.dat	upx
behavioral2/memory/4284-183-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/112-184-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000b000000022e06-185.dat	upx
behavioral2/memory/4224-186-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-188.dat	upx
behavioral2/memory/3500-189-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/2284-190-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000c000000022e06-191.dat	upx
behavioral2/memory/4068-192-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-194.dat	upx
behavioral2/memory/4588-195-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/4284-196-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x000d000000022e06-197.dat	upx
behavioral2/memory/1276-198-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0002000000021b43-200.dat	upx
behavioral2/memory/5096-201-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/3500-202-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0006000000022e11-203.dat	upx
behavioral2/files/0x0002000000021b43-205.dat	upx
behavioral2/memory/4588-206-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/memory/5096-207-0x0000000000400000-0x000000000045A000-memory.dmp	upx
behavioral2/files/0x0007000000022e11-208.dat	upx
behavioral2/files/0x0007000000022e11-211.dat	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\m:	smss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\yiagswwlgl\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\xoxjhhntol\smss.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4972	93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f.exe
4972	93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f.exe
5024	explorer.exe
5024	explorer.exe
4132	explorer.exe
4132	explorer.exe
4224	explorer.exe
4224	explorer.exe
4068	explorer.exe
4068	explorer.exe
1276	explorer.exe
1276	explorer.exe
1468	explorer.exe
1468	explorer.exe
3180	explorer.exe
3180	explorer.exe
112	explorer.exe
112	explorer.exe
2284	explorer.exe
2284	explorer.exe
4284	explorer.exe
4284	explorer.exe
3500	explorer.exe
3500	explorer.exe
4588	explorer.exe
4588	explorer.exe
5096	explorer.exe
5096	explorer.exe
1768	explorer.exe
1768	explorer.exe
1848	explorer.exe
1848	explorer.exe
1456	smss.exe
1456	smss.exe
2300	smss.exe
2300	smss.exe
2256	smss.exe
2256	smss.exe
984	smss.exe
984	smss.exe
2032	explorer.exe
4304	explorer.exe
4304	explorer.exe
2032	explorer.exe
3896	explorer.exe
3896	explorer.exe
4116	explorer.exe
4116	explorer.exe
1916	smss.exe
1916	smss.exe
4648	explorer.exe
4648	explorer.exe
1044	explorer.exe
1044	explorer.exe
3960	explorer.exe
3960	explorer.exe
1476	explorer.exe
1476	explorer.exe
1180	explorer.exe
1180	explorer.exe
3724	smss.exe
3724	smss.exe
1056	explorer.exe
1056	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4972	93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f.exe
Token: SeLoadDriverPrivilege	5024	explorer.exe
Token: SeLoadDriverPrivilege	4132	explorer.exe
Token: SeLoadDriverPrivilege	4224	explorer.exe
Token: SeLoadDriverPrivilege	4068	explorer.exe
Token: SeLoadDriverPrivilege	1276	explorer.exe
Token: SeLoadDriverPrivilege	1468	explorer.exe
Token: SeLoadDriverPrivilege	3180	explorer.exe
Token: SeLoadDriverPrivilege	112	explorer.exe
Token: SeLoadDriverPrivilege	2284	explorer.exe
Token: SeLoadDriverPrivilege	4284	explorer.exe
Token: SeLoadDriverPrivilege	3500	explorer.exe
Token: SeLoadDriverPrivilege	4588	explorer.exe
Token: SeLoadDriverPrivilege	5096	explorer.exe
Token: SeLoadDriverPrivilege	1768	explorer.exe
Token: SeLoadDriverPrivilege	1848	explorer.exe
Token: SeLoadDriverPrivilege	1456	smss.exe
Token: SeLoadDriverPrivilege	2300	smss.exe
Token: SeLoadDriverPrivilege	2256	smss.exe
Token: SeLoadDriverPrivilege	984	smss.exe
Token: SeLoadDriverPrivilege	2032	explorer.exe
Token: SeLoadDriverPrivilege	4304	explorer.exe
Token: SeLoadDriverPrivilege	3896	explorer.exe
Token: SeLoadDriverPrivilege	4116	explorer.exe
Token: SeLoadDriverPrivilege	1916	smss.exe
Token: SeLoadDriverPrivilege	4648	explorer.exe
Token: SeLoadDriverPrivilege	1044	explorer.exe
Token: SeLoadDriverPrivilege	3960	explorer.exe
Token: SeLoadDriverPrivilege	1476	explorer.exe
Token: SeLoadDriverPrivilege	1180	explorer.exe
Token: SeLoadDriverPrivilege	3724	smss.exe
Token: SeLoadDriverPrivilege	1056	explorer.exe
Token: SeLoadDriverPrivilege	3928	explorer.exe
Token: SeLoadDriverPrivilege	5108	explorer.exe
Token: SeLoadDriverPrivilege	4560	explorer.exe
Token: SeLoadDriverPrivilege	5100	smss.exe
Token: SeLoadDriverPrivilege	2540	explorer.exe
Token: SeLoadDriverPrivilege	632	explorer.exe
Token: SeLoadDriverPrivilege	5024	explorer.exe
Token: SeLoadDriverPrivilege	2432	explorer.exe
Token: SeLoadDriverPrivilege	2360	explorer.exe
Token: SeLoadDriverPrivilege	1048	explorer.exe
Token: SeLoadDriverPrivilege	4108	explorer.exe
Token: SeLoadDriverPrivilege	3940	explorer.exe
Token: SeLoadDriverPrivilege	932	explorer.exe
Token: SeLoadDriverPrivilege	4152	explorer.exe
Token: SeLoadDriverPrivilege	4068	explorer.exe
Token: SeLoadDriverPrivilege	5052	explorer.exe
Token: SeLoadDriverPrivilege	5076	explorer.exe
Token: SeLoadDriverPrivilege	2392	explorer.exe
Token: SeLoadDriverPrivilege	224	explorer.exe
Token: SeLoadDriverPrivilege	3916	explorer.exe
Token: SeLoadDriverPrivilege	1988	explorer.exe
Token: SeLoadDriverPrivilege	4316	explorer.exe
Token: SeLoadDriverPrivilege	2284	explorer.exe
Token: SeLoadDriverPrivilege	2740	explorer.exe
Token: SeLoadDriverPrivilege	4488	smss.exe
Token: SeLoadDriverPrivilege	5068	explorer.exe
Token: SeLoadDriverPrivilege	4744	explorer.exe
Token: SeLoadDriverPrivilege	2292	explorer.exe
Token: SeLoadDriverPrivilege	2924	explorer.exe
Token: SeLoadDriverPrivilege	1612	explorer.exe
Token: SeLoadDriverPrivilege	1296	explorer.exe
Token: SeLoadDriverPrivilege	2520	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 5024	4972	93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f.exe	79
PID 4972 wrote to memory of 5024	4972	93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f.exe	79
PID 4972 wrote to memory of 5024	4972	93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f.exe	79
PID 5024 wrote to memory of 4132	5024	explorer.exe	80
PID 5024 wrote to memory of 4132	5024	explorer.exe	80
PID 5024 wrote to memory of 4132	5024	explorer.exe	80
PID 4132 wrote to memory of 4224	4132	explorer.exe	81
PID 4132 wrote to memory of 4224	4132	explorer.exe	81
PID 4132 wrote to memory of 4224	4132	explorer.exe	81
PID 4224 wrote to memory of 4068	4224	explorer.exe	82
PID 4224 wrote to memory of 4068	4224	explorer.exe	82
PID 4224 wrote to memory of 4068	4224	explorer.exe	82
PID 4068 wrote to memory of 1276	4068	explorer.exe	83
PID 4068 wrote to memory of 1276	4068	explorer.exe	83
PID 4068 wrote to memory of 1276	4068	explorer.exe	83
PID 1276 wrote to memory of 1468	1276	explorer.exe	84
PID 1276 wrote to memory of 1468	1276	explorer.exe	84
PID 1276 wrote to memory of 1468	1276	explorer.exe	84
PID 1468 wrote to memory of 3180	1468	explorer.exe	85
PID 1468 wrote to memory of 3180	1468	explorer.exe	85
PID 1468 wrote to memory of 3180	1468	explorer.exe	85
PID 3180 wrote to memory of 112	3180	explorer.exe	88
PID 3180 wrote to memory of 112	3180	explorer.exe	88
PID 3180 wrote to memory of 112	3180	explorer.exe	88
PID 112 wrote to memory of 2284	112	explorer.exe	89
PID 112 wrote to memory of 2284	112	explorer.exe	89
PID 112 wrote to memory of 2284	112	explorer.exe	89
PID 2284 wrote to memory of 4284	2284	explorer.exe	90
PID 2284 wrote to memory of 4284	2284	explorer.exe	90
PID 2284 wrote to memory of 4284	2284	explorer.exe	90
PID 4284 wrote to memory of 3500	4284	explorer.exe	91
PID 4284 wrote to memory of 3500	4284	explorer.exe	91
PID 4284 wrote to memory of 3500	4284	explorer.exe	91
PID 3500 wrote to memory of 4588	3500	explorer.exe	92
PID 3500 wrote to memory of 4588	3500	explorer.exe	92
PID 3500 wrote to memory of 4588	3500	explorer.exe	92
PID 4588 wrote to memory of 5096	4588	explorer.exe	93
PID 4588 wrote to memory of 5096	4588	explorer.exe	93
PID 4588 wrote to memory of 5096	4588	explorer.exe	93
PID 5096 wrote to memory of 1768	5096	explorer.exe	94
PID 5096 wrote to memory of 1768	5096	explorer.exe	94
PID 5096 wrote to memory of 1768	5096	explorer.exe	94
PID 1468 wrote to memory of 2256	1468	explorer.exe	96
PID 1468 wrote to memory of 2256	1468	explorer.exe	96
PID 1468 wrote to memory of 2256	1468	explorer.exe	96
PID 3180 wrote to memory of 1456	3180	explorer.exe	95
PID 3180 wrote to memory of 1456	3180	explorer.exe	95
PID 3180 wrote to memory of 1456	3180	explorer.exe	95
PID 112 wrote to memory of 2300	112	explorer.exe	97
PID 112 wrote to memory of 2300	112	explorer.exe	97
PID 112 wrote to memory of 2300	112	explorer.exe	97
PID 1768 wrote to memory of 1848	1768	explorer.exe	98
PID 1768 wrote to memory of 1848	1768	explorer.exe	98
PID 1768 wrote to memory of 1848	1768	explorer.exe	98
PID 4284 wrote to memory of 984	4284	explorer.exe	99
PID 4284 wrote to memory of 984	4284	explorer.exe	99
PID 4284 wrote to memory of 984	4284	explorer.exe	99
PID 1848 wrote to memory of 4304	1848	explorer.exe	103
PID 1848 wrote to memory of 4304	1848	explorer.exe	103
PID 1848 wrote to memory of 4304	1848	explorer.exe	103
PID 2300 wrote to memory of 2032	2300	smss.exe	101
PID 2300 wrote to memory of 2032	2300	smss.exe	101
PID 2300 wrote to memory of 2032	2300	smss.exe	101
PID 1456 wrote to memory of 3896	1456	smss.exe	100

C:\Users\Admin\AppData\Local\Temp\93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f.exe
"C:\Users\Admin\AppData\Local\Temp\93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
  C:\Windows\system32\yiagswwlgl\explorer.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
    C:\Windows\system32\yiagswwlgl\explorer.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
      C:\Windows\system32\yiagswwlgl\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4224
    - - C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
      - C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4304
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3960
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        25⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        26⤵
        Enumerates connected drives
        
        PID:5760
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        27⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        28⤵
        Drops file in System32 directory
        
        PID:6504
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        29⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        30⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        24⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        23⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        Enumerates connected drives
        
        PID:8492
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        22⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        21⤵
        Enumerates connected drives
        
        PID:6140
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        20⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        Enumerates connected drives
        
        PID:7088
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        Drops file in System32 directory
        
        PID:8564
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        19⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:6124
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        18⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        19⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        17⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        Enumerates connected drives
        
        PID:7740
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        19⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        18⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:4120
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:32
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:5328
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        Drops file in System32 directory
        
        PID:5200
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        Enumerates connected drives
        
        PID:8000
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        25⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        19⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        18⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        17⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:7568
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:8252
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        15⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:1444
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5816
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        25⤵
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        26⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        20⤵
        Enumerates connected drives
        
        PID:8572
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        19⤵
        Drops file in System32 directory
        
        PID:7972
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        18⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        17⤵
        Drops file in System32 directory
        
        PID:6172
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:8652
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        16⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:976
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8132
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3724
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5024
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4068
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:4360
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:5140
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        Enumerates connected drives
        
        PID:6480
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        Enumerates connected drives
        
        PID:1736
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        25⤵
        Drops file in System32 directory
        
        PID:4128
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        26⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        20⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        19⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        18⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        17⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:432
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        16⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        15⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:6436
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:6968
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:4420
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4976
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:3484
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:3408
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        Drops file in System32 directory
        
        PID:5136
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        Drops file in System32 directory
        
        PID:7292
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        25⤵
        Drops file in System32 directory
        
        PID:7576
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        26⤵
        
        PID:872
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        20⤵
        Enumerates connected drives
        
        PID:8264
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        19⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        18⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        17⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        16⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        15⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:3980
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:5224
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:6060
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:6576
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:2944
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5076
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5068
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:424
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        25⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        26⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        20⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        19⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        18⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        17⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:7556
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        16⤵
        Drops file in System32 directory
        
        PID:5416
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        15⤵
        Enumerates connected drives
        
        PID:5368
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:780
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        14⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:5360
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        13⤵
        
        PID:544
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        14⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5776
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        Enumerates connected drives
        
        PID:7248
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        24⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        18⤵
        Enumerates connected drives
        
        PID:8452
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        17⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        16⤵
        Enumerates connected drives
        
        PID:7000
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:7824
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        15⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:5624
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:8532
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        13⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:5180
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:6372
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        12⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7012
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:7844
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        13⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8460
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        13⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        12⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3940
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:4908
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        23⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        17⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        16⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:8596
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        15⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:8048
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:6180
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:8104
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:5728
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:6516
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:5668
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8088
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:8660
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        11⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:6984
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7796
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        12⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        10⤵
        
        PID:924
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:1448
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:6932
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7748
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        12⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:8300
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4116
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:4772
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        17⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        18⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:6404
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        20⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:7356
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        22⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        16⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        15⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:6536
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:7228
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:6260
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:8168
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        12⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:7128
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        11⤵
        
        PID:444
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:5176
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        10⤵
        Drops file in System32 directory
        
        PID:4204
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        11⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:7788
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        11⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        9⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        10⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:5488
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        13⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        14⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        15⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        16⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        11⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\xoxjhhntol\smss.exe
        
        C:\Windows\system32\xoxjhhntol\smss.exe
        10⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\yiagswwlgl\explorer.exe
        
        C:\Windows\system32\yiagswwlgl\explorer.exe
        11⤵
        
        PID:9524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\xoxjhhntol\smss.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
C:\Windows\SysWOW64\yiagswwlgl\explorer.exe

Filesize
81KB

MD5
1b44a7aabbacc14e1accde73b8fde0d6

SHA1
b39c2b947b47738959e7ee3cb6890d6364a86183

SHA256
93b4bc76d16c76334a8349e129fd7606632c0a22f793648c2f9824d5a937c14f

SHA512
b276690cbd07ba389778982ddf00290b285fc8c571bbdf6fbec48c0da12182b376c12ad89799fd134fbd0d68de659103bde8dea1de5fec031223333cb2136624

Download Submit
memory/112-184-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/112-172-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/984-267-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/984-226-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1044-256-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1056-264-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1180-257-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1276-165-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1276-155-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1276-198-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1456-223-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1468-160-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1468-171-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1476-258-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1768-216-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1848-245-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1848-221-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1916-242-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2032-280-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2032-237-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2256-222-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2256-213-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2284-190-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2284-177-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2284-217-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2300-235-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2540-285-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3180-178-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3180-166-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3500-202-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3500-189-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3724-261-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3896-282-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3896-239-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3928-268-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3960-255-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4068-150-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4068-161-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4068-192-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4116-238-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4116-281-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4132-140-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4132-180-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4132-151-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4224-186-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4224-145-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4224-156-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4284-183-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4284-196-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4304-279-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4304-236-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4560-283-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4588-206-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4588-195-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4648-246-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4972-142-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4972-132-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4972-168-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5024-146-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5024-174-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5024-136-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5096-207-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5096-201-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5108-284-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download