c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

Analysis

max time kernel
168s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe
Size

82KB
MD5

9fbb613605be090393434411bc8f6316
SHA1

8ab9f60554332d206f9836c69eb2eac1d4ed6ef8
SHA256

c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4
SHA512

f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852
SSDEEP

768:52NtaxVWZKrTM+1Z6/25l6FxD90My9625y1uRpAo3X53MPWELTb5SQSgj8+kudKm:5ZVW2ToLXm/6q9ELH5SQPiQKyhQxgN

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
768	explorer.exe
3856	explorer.exe
4892	explorer.exe
1740	explorer.exe
620	explorer.exe
1952	explorer.exe
3384	explorer.exe
1504	explorer.exe
4752	smss.exe
692	explorer.exe
3460	smss.exe
212	explorer.exe
2592	smss.exe
2228	explorer.exe
3716	explorer.exe
1384	explorer.exe
3240	smss.exe
3592	explorer.exe
3924	explorer.exe
2752	explorer.exe
3564	explorer.exe
1040	smss.exe
4464	explorer.exe
3988	explorer.exe
1048	explorer.exe
1620	explorer.exe
2192	smss.exe
3956	explorer.exe
3340	explorer.exe
2088	explorer.exe
648	explorer.exe
2312	explorer.exe
1376	explorer.exe
2700	smss.exe
1100	explorer.exe
3560	explorer.exe
4424	explorer.exe
2264	explorer.exe
4560	smss.exe
3920	explorer.exe
3008	explorer.exe
3404	explorer.exe
3832	explorer.exe
3476	explorer.exe
2036	explorer.exe
1268	explorer.exe
4368	explorer.exe
3868	smss.exe
4712	explorer.exe
2116	explorer.exe
2040	explorer.exe
5116	explorer.exe
4776	explorer.exe
4084	smss.exe
1844	explorer.exe
4280	explorer.exe
776	explorer.exe
844	explorer.exe
4884	smss.exe
4192	explorer.exe
1856	explorer.exe
4976	explorer.exe
4972	explorer.exe
384	smss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4364-132-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e13-134.dat	upx
behavioral2/files/0x0008000000022e13-135.dat	upx
behavioral2/memory/768-136-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0006000000022e1a-137.dat	upx
behavioral2/files/0x0008000000022e13-139.dat	upx
behavioral2/memory/3856-140-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0007000000022e1a-141.dat	upx
behavioral2/files/0x0008000000022e13-143.dat	upx
behavioral2/memory/4892-144-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4364-145-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/768-146-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e1a-147.dat	upx
behavioral2/files/0x0008000000022e13-149.dat	upx
behavioral2/memory/1740-150-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3856-151-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0009000000022e1a-152.dat	upx
behavioral2/files/0x0008000000022e13-154.dat	upx
behavioral2/memory/620-155-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4892-156-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000a000000022e1a-157.dat	upx
behavioral2/files/0x0008000000022e13-159.dat	upx
behavioral2/memory/1952-160-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1740-161-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000b000000022e1a-162.dat	upx
behavioral2/files/0x0008000000022e13-164.dat	upx
behavioral2/memory/3384-165-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/620-166-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000c000000022e1a-167.dat	upx
behavioral2/files/0x0008000000022e13-169.dat	upx
behavioral2/memory/1504-170-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e1a-172.dat	upx
behavioral2/files/0x000d000000022e1a-173.dat	upx
behavioral2/memory/1952-174-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4752-175-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e13-177.dat	upx
behavioral2/memory/692-178-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e1a-180.dat	upx
behavioral2/memory/3384-181-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3460-182-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e13-184.dat	upx
behavioral2/memory/212-185-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e1a-187.dat	upx
behavioral2/files/0x0008000000022e13-189.dat	upx
behavioral2/memory/1504-190-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2592-191-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2228-192-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e13-194.dat	upx
behavioral2/memory/3716-195-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e13-197.dat	upx
behavioral2/memory/4752-198-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1384-199-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000022e1a-201.dat	upx
behavioral2/memory/3240-202-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e13-204.dat	upx
behavioral2/files/0x0008000000022e13-206.dat	upx
behavioral2/memory/692-207-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3592-208-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3924-209-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e13-211.dat	upx
behavioral2/memory/3460-212-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2752-213-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0008000000022e13-215.dat	upx
behavioral2/memory/212-216-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\p:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\bkvlawoswe\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\kwumqktekv\smss.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4364	c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe
4364	c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe
768	explorer.exe
768	explorer.exe
3856	explorer.exe
3856	explorer.exe
4892	explorer.exe
4892	explorer.exe
1740	explorer.exe
1740	explorer.exe
620	explorer.exe
620	explorer.exe
1952	explorer.exe
1952	explorer.exe
3384	explorer.exe
3384	explorer.exe
1504	explorer.exe
1504	explorer.exe
4752	smss.exe
4752	smss.exe
692	explorer.exe
692	explorer.exe
3460	smss.exe
3460	smss.exe
212	explorer.exe
212	explorer.exe
2592	smss.exe
2592	smss.exe
2228	explorer.exe
2228	explorer.exe
3716	explorer.exe
3716	explorer.exe
1384	explorer.exe
1384	explorer.exe
3240	smss.exe
3240	smss.exe
3592	explorer.exe
3592	explorer.exe
3924	explorer.exe
3924	explorer.exe
2752	explorer.exe
2752	explorer.exe
3564	explorer.exe
3564	explorer.exe
1040	smss.exe
1040	smss.exe
4464	explorer.exe
4464	explorer.exe
3988	explorer.exe
3988	explorer.exe
1048	explorer.exe
1048	explorer.exe
1620	explorer.exe
1620	explorer.exe
2192	smss.exe
2192	smss.exe
3956	explorer.exe
3956	explorer.exe
3340	explorer.exe
3340	explorer.exe
2088	explorer.exe
2088	explorer.exe
648	explorer.exe
648	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4364	c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe
Token: SeLoadDriverPrivilege	768	explorer.exe
Token: SeLoadDriverPrivilege	3856	explorer.exe
Token: SeLoadDriverPrivilege	4892	explorer.exe
Token: SeLoadDriverPrivilege	1740	explorer.exe
Token: SeLoadDriverPrivilege	620	explorer.exe
Token: SeLoadDriverPrivilege	1952	explorer.exe
Token: SeLoadDriverPrivilege	3384	explorer.exe
Token: SeLoadDriverPrivilege	1504	explorer.exe
Token: SeLoadDriverPrivilege	4752	smss.exe
Token: SeLoadDriverPrivilege	692	explorer.exe
Token: SeLoadDriverPrivilege	3460	smss.exe
Token: SeLoadDriverPrivilege	212	explorer.exe
Token: SeLoadDriverPrivilege	2592	smss.exe
Token: SeLoadDriverPrivilege	2228	explorer.exe
Token: SeLoadDriverPrivilege	3716	explorer.exe
Token: SeLoadDriverPrivilege	1384	explorer.exe
Token: SeLoadDriverPrivilege	3240	smss.exe
Token: SeLoadDriverPrivilege	3592	explorer.exe
Token: SeLoadDriverPrivilege	3924	explorer.exe
Token: SeLoadDriverPrivilege	2752	explorer.exe
Token: SeLoadDriverPrivilege	3564	explorer.exe
Token: SeLoadDriverPrivilege	1040	smss.exe
Token: SeLoadDriverPrivilege	4464	explorer.exe
Token: SeLoadDriverPrivilege	3988	explorer.exe
Token: SeLoadDriverPrivilege	1048	explorer.exe
Token: SeLoadDriverPrivilege	1620	explorer.exe
Token: SeLoadDriverPrivilege	2192	smss.exe
Token: SeLoadDriverPrivilege	3956	explorer.exe
Token: SeLoadDriverPrivilege	3340	explorer.exe
Token: SeLoadDriverPrivilege	2088	explorer.exe
Token: SeLoadDriverPrivilege	648	explorer.exe
Token: SeLoadDriverPrivilege	2312	explorer.exe
Token: SeLoadDriverPrivilege	1376	explorer.exe
Token: SeLoadDriverPrivilege	2700	smss.exe
Token: SeLoadDriverPrivilege	1100	explorer.exe
Token: SeLoadDriverPrivilege	3560	explorer.exe
Token: SeLoadDriverPrivilege	4424	explorer.exe
Token: SeLoadDriverPrivilege	2264	explorer.exe
Token: SeLoadDriverPrivilege	4560	smss.exe
Token: SeLoadDriverPrivilege	3920	explorer.exe
Token: SeLoadDriverPrivilege	3008	explorer.exe
Token: SeLoadDriverPrivilege	3404	explorer.exe
Token: SeLoadDriverPrivilege	3832	explorer.exe
Token: SeLoadDriverPrivilege	3476	explorer.exe
Token: SeLoadDriverPrivilege	2036	explorer.exe
Token: SeLoadDriverPrivilege	1268	explorer.exe
Token: SeLoadDriverPrivilege	4368	explorer.exe
Token: SeLoadDriverPrivilege	3868	smss.exe
Token: SeLoadDriverPrivilege	4712	explorer.exe
Token: SeLoadDriverPrivilege	2116	explorer.exe
Token: SeLoadDriverPrivilege	2040	explorer.exe
Token: SeLoadDriverPrivilege	5116	explorer.exe
Token: SeLoadDriverPrivilege	4776	explorer.exe
Token: SeLoadDriverPrivilege	4084	smss.exe
Token: SeLoadDriverPrivilege	1844	explorer.exe
Token: SeLoadDriverPrivilege	4280	explorer.exe
Token: SeLoadDriverPrivilege	776	explorer.exe
Token: SeLoadDriverPrivilege	844	explorer.exe
Token: SeLoadDriverPrivilege	4884	smss.exe
Token: SeLoadDriverPrivilege	4192	explorer.exe
Token: SeLoadDriverPrivilege	1856	explorer.exe
Token: SeLoadDriverPrivilege	4976	explorer.exe
Token: SeLoadDriverPrivilege	4972	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 768	4364	c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe	80
PID 4364 wrote to memory of 768	4364	c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe	80
PID 4364 wrote to memory of 768	4364	c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe	80
PID 768 wrote to memory of 3856	768	explorer.exe	81
PID 768 wrote to memory of 3856	768	explorer.exe	81
PID 768 wrote to memory of 3856	768	explorer.exe	81
PID 3856 wrote to memory of 4892	3856	explorer.exe	84
PID 3856 wrote to memory of 4892	3856	explorer.exe	84
PID 3856 wrote to memory of 4892	3856	explorer.exe	84
PID 4892 wrote to memory of 1740	4892	explorer.exe	85
PID 4892 wrote to memory of 1740	4892	explorer.exe	85
PID 4892 wrote to memory of 1740	4892	explorer.exe	85
PID 1740 wrote to memory of 620	1740	explorer.exe	86
PID 1740 wrote to memory of 620	1740	explorer.exe	86
PID 1740 wrote to memory of 620	1740	explorer.exe	86
PID 620 wrote to memory of 1952	620	explorer.exe	87
PID 620 wrote to memory of 1952	620	explorer.exe	87
PID 620 wrote to memory of 1952	620	explorer.exe	87
PID 1952 wrote to memory of 3384	1952	explorer.exe	88
PID 1952 wrote to memory of 3384	1952	explorer.exe	88
PID 1952 wrote to memory of 3384	1952	explorer.exe	88
PID 3384 wrote to memory of 1504	3384	explorer.exe	89
PID 3384 wrote to memory of 1504	3384	explorer.exe	89
PID 3384 wrote to memory of 1504	3384	explorer.exe	89
PID 4364 wrote to memory of 4752	4364	c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe	90
PID 4364 wrote to memory of 4752	4364	c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe	90
PID 4364 wrote to memory of 4752	4364	c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe	90
PID 1504 wrote to memory of 692	1504	explorer.exe	91
PID 1504 wrote to memory of 692	1504	explorer.exe	91
PID 1504 wrote to memory of 692	1504	explorer.exe	91
PID 768 wrote to memory of 3460	768	explorer.exe	92
PID 768 wrote to memory of 3460	768	explorer.exe	92
PID 768 wrote to memory of 3460	768	explorer.exe	92
PID 4752 wrote to memory of 212	4752	smss.exe	93
PID 4752 wrote to memory of 212	4752	smss.exe	93
PID 4752 wrote to memory of 212	4752	smss.exe	93
PID 3856 wrote to memory of 2592	3856	explorer.exe	94
PID 3856 wrote to memory of 2592	3856	explorer.exe	94
PID 3856 wrote to memory of 2592	3856	explorer.exe	94
PID 692 wrote to memory of 2228	692	explorer.exe	95
PID 692 wrote to memory of 2228	692	explorer.exe	95
PID 692 wrote to memory of 2228	692	explorer.exe	95
PID 3460 wrote to memory of 3716	3460	smss.exe	96
PID 3460 wrote to memory of 3716	3460	smss.exe	96
PID 3460 wrote to memory of 3716	3460	smss.exe	96
PID 212 wrote to memory of 1384	212	explorer.exe	97
PID 212 wrote to memory of 1384	212	explorer.exe	97
PID 212 wrote to memory of 1384	212	explorer.exe	97
PID 4892 wrote to memory of 3240	4892	explorer.exe	98
PID 4892 wrote to memory of 3240	4892	explorer.exe	98
PID 4892 wrote to memory of 3240	4892	explorer.exe	98
PID 2592 wrote to memory of 3592	2592	smss.exe	99
PID 2592 wrote to memory of 3592	2592	smss.exe	99
PID 2592 wrote to memory of 3592	2592	smss.exe	99
PID 2228 wrote to memory of 3924	2228	explorer.exe	100
PID 2228 wrote to memory of 3924	2228	explorer.exe	100
PID 2228 wrote to memory of 3924	2228	explorer.exe	100
PID 3716 wrote to memory of 2752	3716	explorer.exe	101
PID 3716 wrote to memory of 2752	3716	explorer.exe	101
PID 3716 wrote to memory of 2752	3716	explorer.exe	101
PID 1384 wrote to memory of 3564	1384	explorer.exe	102
PID 1384 wrote to memory of 3564	1384	explorer.exe	102
PID 1384 wrote to memory of 3564	1384	explorer.exe	102
PID 1740 wrote to memory of 1040	1740	explorer.exe	103

C:\Users\Admin\AppData\Local\Temp\c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe
"C:\Users\Admin\AppData\Local\Temp\c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
  C:\Windows\system32\bkvlawoswe\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:768
- - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
    C:\Windows\system32\bkvlawoswe\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
      C:\Windows\system32\bkvlawoswe\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:660
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:5272
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        Drops file in System32 directory
        
        PID:7268
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        24⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        25⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        26⤵
        Drops file in System32 directory
        
        PID:11152
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        27⤵
        
        PID:12940
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        28⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        29⤵
        
        PID:19252
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        22⤵
        
        PID:15108
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        21⤵
        
        PID:12576
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:15156
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        20⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:14956
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        19⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:15300
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        18⤵
        Drops file in System32 directory
        
        PID:4792
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12764
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:15320
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:64
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:9256
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:10980
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12832
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        
        PID:18436
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:9316
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12824
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:15356
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:17376
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:4148
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12896
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:15508
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        
        PID:18996
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:14612
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:692
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12816
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:17420
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:14656
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14752
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:17912
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:1652
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:9248
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12680
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:15276
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        
        PID:18472
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:17696
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:11820
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14684
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14760
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:9360
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:15496
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        
        PID:18764
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:17440
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:14664
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14804
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12300
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14860
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12476
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15008
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4884
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:9220
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12756
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:15332
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:14588
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14624
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14740
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14796
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:7868
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:10572
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14992
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3868
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:7896
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:17432
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:14696
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14812
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12292
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14820
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:8420
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14984
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:8592
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12524
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15100
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:7884
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12416
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14940
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:240
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:6088
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:9480
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:15516
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        
        PID:18820
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:17484
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:14732
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:17848
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:12360
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:14904
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15188
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10728
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15260
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10668
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12500
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15092
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:3704
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8112
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:2144
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12548
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15076
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8152
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:8300
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:12688
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15196
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        
        PID:16512
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:4120
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:4852
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:8632
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:16016
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        23⤵
        
        PID:19272
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:18492
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:15692
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:18952
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15812
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:19296
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15920
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:19280
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:2668
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15788
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:19336
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15952
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:19328
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15932
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:19312
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9880
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:11296
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:15944
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:19320
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16000
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:19288
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:15400
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:18612
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4280
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:2084
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:424
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5644
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:7928
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:13976
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:16516
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        17⤵
        
        PID:19224
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:13692
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:13780
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16404
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:9452
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:13840
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16504
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:12004
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:13940
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16620
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8884
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16484
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8916
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12040
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:13900
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16496
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        
        PID:19060
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5316
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7780
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12108
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:13968
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16532
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        
        PID:19036
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:16296
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:11932
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16444
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        
        PID:18896
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:16156
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:16188
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7948
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3340
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4424
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:17056
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:16768
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:14180
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16856
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14236
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16908
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14224
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16900
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:9144
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14244
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16884
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12284
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14276
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16944
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:4532
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:3484
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14308
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16988
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9208
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:11424
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:17004
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:16644
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:5720
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14284
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16964
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:16636
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:14128
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:16740
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:6316
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:564
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:11568
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:868
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:17012
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:16668
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:14152
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:16760
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:12184
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:14192
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:16864
    - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3240
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:1460
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:204
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:11556
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:14400
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:17120
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:14060
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:17312
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14112
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:16676
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:224
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14120
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14084
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:17360
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10268
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12276
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14344
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:17104
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14172
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:17280
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:17072
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:17152
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:4112
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:4164
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:540
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14076
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:17368
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:17036
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:17136
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:11772
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:17164
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:1384
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:17080
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:13380
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:17144
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:17180
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:2236
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:17172
  - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
      C:\Windows\system32\kwumqktekv\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3988
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4976
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:972
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:6096
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:6580
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:11092
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:12880
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:18796
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:17576
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:14788
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12492
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15024
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15268
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:8120
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12484
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15016
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7508
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12840
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:18456
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:2136
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12748
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:2168
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12608
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15180
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:14496
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:720
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15084
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:14460
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:17584
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:14444
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:816
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12808
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:18544
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:14512
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:10460
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:840
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:14640
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:17728
    - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        5⤵
        
        PID:3232
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:1540
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:12596
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15164
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:14452
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:14432
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:17508
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:14528
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:14536
- - C:\Windows\SysWOW64\kwumqktekv\smss.exe
    C:\Windows\system32\kwumqktekv\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3460
  - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
      C:\Windows\system32\bkvlawoswe\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3716
    - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:3404
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:11468
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:15972
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        22⤵
        
        PID:19304
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:18480
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:15552
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:18780
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:13152
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15432
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:18772
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13192
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15628
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:19004
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13248
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15660
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:19108
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:8376
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13160
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15584
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:18988
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13168
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15568
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:19408
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:6664
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9800
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15648
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:19132
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:4672
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:9696
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:1840
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13128
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15604
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:18088
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18604
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13272
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15764
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:18752
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:15384
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18620
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15416
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18812
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:5396
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:5516
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9832
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15912
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:19124
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:15376
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18464
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18788
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:11220
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13060
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15440
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:19096
    - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        5⤵
        
        PID:3664
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13280
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15716
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:19116
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:13016
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15424
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18804
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13000
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15488
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18644
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13144
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15460
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:19360
  - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
      C:\Windows\system32\kwumqktekv\smss.exe
      4⤵
      Executes dropped EXE
      PID:384
    - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        5⤵
        
        PID:992
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:6640
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7396
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:8404
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9752
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:15668
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:18972
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:14596
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:12992
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15328
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18552
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:11204
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13068
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15472
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:19260
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15576
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18980
    - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        5⤵
        
        PID:8292
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13076
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15480
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18940
- C:\Windows\SysWOW64\kwumqktekv\smss.exe
  C:\Windows\system32\kwumqktekv\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
    C:\Windows\system32\bkvlawoswe\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
      C:\Windows\system32\bkvlawoswe\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3564
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3956
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3476
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        16⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        17⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:10076
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        19⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        20⤵
        
        PID:13984
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        21⤵
        
        PID:16524
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        16⤵
        
        PID:19200
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        15⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        14⤵
        
        PID:13676
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        13⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13764
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:16412
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        12⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:11884
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13772
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:8752
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13716
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        Drops file in System32 directory
        
        PID:7720
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13948
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:16568
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:12020
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13924
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:16540
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:19012
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:7056
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13992
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:16580
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:19028
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:16360
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:19472
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:5612
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:484
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:7024
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8780
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13788
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:16396
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:18904
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:16280
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:13536
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16328
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:8052
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:3896
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:5920
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:11892
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13740
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:18884
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:16140
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:19444
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:13484
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16204
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16344
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:18892
    - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:3416
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:4964
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:5532
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:11844
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13708
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:18928
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:16164
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:13404
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16116
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:11620
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13460
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16196
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7936
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:10008
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13544
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16304
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:6920
  - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
      C:\Windows\system32\kwumqktekv\smss.exe
      4⤵
      PID:4880
    - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        5⤵
        
        PID:1548
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:11940
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13756
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:16456
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:18844
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:16148
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:13444
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16172
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:11664
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13492
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16260
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:8048
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13420
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16180
    - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        5⤵
        
        PID:8684
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:11680
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13552
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16320
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:8020
- - C:\Windows\SysWOW64\kwumqktekv\smss.exe
    C:\Windows\system32\kwumqktekv\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4084
  - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
      C:\Windows\system32\bkvlawoswe\explorer.exe
      4⤵
      PID:4900
    - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        5⤵
        Drops file in System32 directory
        
        PID:4456
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:6992
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        11⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        12⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        13⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        14⤵
        
        PID:13932
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        15⤵
        
        PID:16468
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        10⤵
        
        PID:18920
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        9⤵
        
        PID:16288
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:19464
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        8⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:16312
        
        C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        7⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13596
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:8064
      - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        6⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13628
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:7012
    - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
        
        C:\Windows\system32\kwumqktekv\smss.exe
        5⤵
        
        PID:8704
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:10068
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:11744
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13620
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        10⤵
        
        PID:4280
  - - C:\Windows\SysWOW64\kwumqktekv\smss.exe
      C:\Windows\system32\kwumqktekv\smss.exe
      4⤵
      Enumerates connected drives
      PID:7628
    - - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        5⤵
        
        PID:8720
      - C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        6⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        7⤵
        
        PID:11784
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        8⤵
        
        PID:13652
        
        C:\Windows\SysWOW64\bkvlawoswe\explorer.exe
        
        C:\Windows\system32\bkvlawoswe\explorer.exe
        9⤵
        
        PID:15528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\bkvlawoswe\explorer.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
C:\Windows\SysWOW64\kwumqktekv\smss.exe

Filesize
82KB

MD5
9fbb613605be090393434411bc8f6316

SHA1
8ab9f60554332d206f9836c69eb2eac1d4ed6ef8

SHA256
c9f1960227abf1dd3c52633514c04f050c3b4c94b07fbe4b1d95826f2458cea4

SHA512
f6e4481bab772273808ca1d0f81e5851ea3bfea0cb7bcf132b6f8657752df2ff81517400c86e7b21a1928f338fe08b7ddc74f2ba09a25f51cfd28dde39ccf852

Download Submit
memory/212-185-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/212-216-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/620-166-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/620-155-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/648-256-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/692-207-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/692-178-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/768-146-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/768-136-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1040-274-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1040-220-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1048-231-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1100-270-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1376-263-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1384-240-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1384-199-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1504-190-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1504-170-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1620-235-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1740-161-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1740-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1952-160-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1952-174-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2088-249-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2192-241-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2228-192-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2228-229-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2264-279-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2312-257-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-191-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-228-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2700-264-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-262-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-213-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3240-202-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3240-248-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3340-245-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3384-165-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3384-181-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3460-182-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3460-212-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3560-271-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3564-269-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3564-217-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3592-254-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3592-208-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3716-195-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3716-234-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3856-140-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3856-151-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3924-255-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3924-209-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3956-242-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3988-230-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3988-288-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4364-132-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4364-145-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4424-275-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4464-278-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4464-223-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4752-175-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4752-198-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4892-144-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4892-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download