11408eaf3571b1974ac33c765eb5062da57d6b2e621fbe0753caa7a3f14a5cc3

Analysis

max time kernel
32s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 01:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a47f48fdd5a79c6c9725ded935c0e7c.exe
Size

54KB
MD5

0a47f48fdd5a79c6c9725ded935c0e7c
SHA1

9eaed5e9e4fc98dbd41fa8d178cac722ca83b91b
SHA256

11408eaf3571b1974ac33c765eb5062da57d6b2e621fbe0753caa7a3f14a5cc3
SHA512

ecb8e69cf73c0e333908ac930a3313cfafe80221ffbf85e9795f920307495d2778d52352690dd49b7725d9bc4e7e3c2b75470ae128925791d88f8234135648a1
SSDEEP

1536:yOHFItPZDq3o7+2lDmVgf34LYHMkpoATvOhoof9Q7:yg6BqY7+Emgf3OkpRvYI

Score

8^/10

evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 64 IoCs

evasion

Windows Service

T1543.003

pid	Process
6412	netsh.exe
9488	netsh.exe
7952	netsh.exe
8572	netsh.exe
4368	netsh.exe
11528	netsh.exe
6280	netsh.exe
15104	netsh.exe
17032	netsh.exe
6040	netsh.exe
8500	netsh.exe
11428	netsh.exe
6920	netsh.exe
14324	netsh.exe
7504	netsh.exe
6800	netsh.exe
13148	netsh.exe
10284	netsh.exe
13924	netsh.exe
5684	netsh.exe
5312	netsh.exe
8308	netsh.exe
10208	netsh.exe
7344	netsh.exe
9708	netsh.exe
7876	netsh.exe
9296	netsh.exe
7136	netsh.exe
14220	netsh.exe
14484	netsh.exe
1656	netsh.exe
16452	netsh.exe
13572	netsh.exe
7864	netsh.exe
14364	netsh.exe
8152	netsh.exe
1688	netsh.exe
14412	netsh.exe
15484	netsh.exe
18388	netsh.exe
10152	netsh.exe
5512	netsh.exe
12592	netsh.exe
15432	netsh.exe
18348	netsh.exe
5188	netsh.exe
13492	netsh.exe
5248	netsh.exe
1704	netsh.exe
10124	netsh.exe
11084	netsh.exe
18048	netsh.exe
16888	netsh.exe
17468	netsh.exe
6204	netsh.exe
9092	netsh.exe
9788	netsh.exe
10720	netsh.exe
15724	netsh.exe
7244	netsh.exe
3172	netsh.exe
2696	netsh.exe
7712	netsh.exe
14020	netsh.exe

Executes dropped EXE 64 IoCs

pid	Process
4820	Windwn32.exe
4840	Windwn32.exe
5076	Windwn32.exe
2768	Windwn32.exe
3616	Windwn32.exe
5112	Windwn32.exe
4052	Conhost.exe
3352	Windwn32.exe
4244	Windwn32.exe
4232	Windwn32.exe
1804	Windwn32.exe
3128	Windwn32.exe
2812	Windwn32.exe
3236	Windwn32.exe
2128	Windwn32.exe
4508	Windwn32.exe
4180	Windwn32.exe
4864	Windwn32.exe
4308	Windwn32.exe
3132	Windwn32.exe
3708	Windwn32.exe
2620	Windwn32.exe
1720	Windwn32.exe
3684	Windwn32.exe
5212	Windwn32.exe
5256	Windwn32.exe
5320	Windwn32.exe
5384	Windwn32.exe
5456	Windwn32.exe
5552	Windwn32.exe
5624	Windwn32.exe
5732	Windwn32.exe
5864	Windwn32.exe
5948	Windwn32.exe
6008	Windwn32.exe
6096	Windwn32.exe
5288	Windwn32.exe
1768	Windwn32.exe
1316	Windwn32.exe
6212	Windwn32.exe
6304	Windwn32.exe
6420	Windwn32.exe
6504	Conhost.exe
6600	Windwn32.exe
6652	Windwn32.exe
6740	Windwn32.exe
6808	Windwn32.exe
6928	Windwn32.exe
7040	Windwn32.exe
7112	Conhost.exe
6344	Windwn32.exe
4468	Windwn32.exe
2796	Windwn32.exe
4160	Windwn32.exe
564	Windwn32.exe
3744	Conhost.exe
436	Windwn32.exe
3320	Windwn32.exe
3208	Windwn32.exe
4692	Windwn32.exe
4024	Windwn32.exe
7184	Windwn32.exe
7264	Windwn32.exe
7300	Conhost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Pcisys = "C:\\Windows\\system32\\Windwn32.exe"	Windwn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File opened for modification	C:\Windows\SysWOW64\Windwn32.exe	0a47f48fdd5a79c6c9725ded935c0e7c.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Conhost.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe
File created	C:\Windows\SysWOW64\Windwn32.exe	Windwn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 3952	1568	0a47f48fdd5a79c6c9725ded935c0e7c.exe	88
PID 1568 wrote to memory of 3952	1568	0a47f48fdd5a79c6c9725ded935c0e7c.exe	88
PID 1568 wrote to memory of 3952	1568	0a47f48fdd5a79c6c9725ded935c0e7c.exe	88
PID 1568 wrote to memory of 4820	1568	0a47f48fdd5a79c6c9725ded935c0e7c.exe	243
PID 1568 wrote to memory of 4820	1568	0a47f48fdd5a79c6c9725ded935c0e7c.exe	243
PID 1568 wrote to memory of 4820	1568	0a47f48fdd5a79c6c9725ded935c0e7c.exe	243
PID 4820 wrote to memory of 5084	4820	Windwn32.exe	230
PID 4820 wrote to memory of 5084	4820	Windwn32.exe	230
PID 4820 wrote to memory of 5084	4820	Windwn32.exe	230
PID 4820 wrote to memory of 4840	4820	Windwn32.exe	242
PID 4820 wrote to memory of 4840	4820	Windwn32.exe	242
PID 4820 wrote to memory of 4840	4820	Windwn32.exe	242
PID 4840 wrote to memory of 4476	4840	Windwn32.exe	95
PID 4840 wrote to memory of 4476	4840	Windwn32.exe	95
PID 4840 wrote to memory of 4476	4840	Windwn32.exe	95
PID 4840 wrote to memory of 5076	4840	Windwn32.exe	92
PID 4840 wrote to memory of 5076	4840	Windwn32.exe	92
PID 4840 wrote to memory of 5076	4840	Windwn32.exe	92
PID 5076 wrote to memory of 4516	5076	Windwn32.exe	340
PID 5076 wrote to memory of 4516	5076	Windwn32.exe	340
PID 5076 wrote to memory of 4516	5076	Windwn32.exe	340
PID 5076 wrote to memory of 2768	5076	Windwn32.exe	94
PID 5076 wrote to memory of 2768	5076	Windwn32.exe	94
PID 5076 wrote to memory of 2768	5076	Windwn32.exe	94
PID 2768 wrote to memory of 2728	2768	Windwn32.exe	240
PID 2768 wrote to memory of 2728	2768	Windwn32.exe	240
PID 2768 wrote to memory of 2728	2768	Windwn32.exe	240
PID 2768 wrote to memory of 3616	2768	Windwn32.exe	239
PID 2768 wrote to memory of 3616	2768	Windwn32.exe	239
PID 2768 wrote to memory of 3616	2768	Windwn32.exe	239
PID 3616 wrote to memory of 2856	3616	Windwn32.exe	250
PID 3616 wrote to memory of 2856	3616	Windwn32.exe	250
PID 3616 wrote to memory of 2856	3616	Windwn32.exe	250
PID 3616 wrote to memory of 5112	3616	Windwn32.exe	235
PID 3616 wrote to memory of 5112	3616	Windwn32.exe	235
PID 3616 wrote to memory of 5112	3616	Windwn32.exe	235
PID 5112 wrote to memory of 892	5112	Windwn32.exe	232
PID 5112 wrote to memory of 892	5112	Windwn32.exe	232
PID 5112 wrote to memory of 892	5112	Windwn32.exe	232
PID 5112 wrote to memory of 4052	5112	Windwn32.exe	1191
PID 5112 wrote to memory of 4052	5112	Windwn32.exe	1191
PID 5112 wrote to memory of 4052	5112	Windwn32.exe	1191
PID 4052 wrote to memory of 2336	4052	Conhost.exe	1056
PID 4052 wrote to memory of 2336	4052	Conhost.exe	1056
PID 4052 wrote to memory of 2336	4052	Conhost.exe	1056
PID 4052 wrote to memory of 3352	4052	Conhost.exe	228
PID 4052 wrote to memory of 3352	4052	Conhost.exe	228
PID 4052 wrote to memory of 3352	4052	Conhost.exe	228
PID 3352 wrote to memory of 564	3352	Windwn32.exe	247
PID 3352 wrote to memory of 564	3352	Windwn32.exe	247
PID 3352 wrote to memory of 564	3352	Windwn32.exe	247
PID 3352 wrote to memory of 4244	3352	Windwn32.exe	99
PID 3352 wrote to memory of 4244	3352	Windwn32.exe	99
PID 3352 wrote to memory of 4244	3352	Windwn32.exe	99
PID 4244 wrote to memory of 1608	4244	Windwn32.exe	226
PID 4244 wrote to memory of 1608	4244	Windwn32.exe	226
PID 4244 wrote to memory of 1608	4244	Windwn32.exe	226
PID 4244 wrote to memory of 4232	4244	Windwn32.exe	102
PID 4244 wrote to memory of 4232	4244	Windwn32.exe	102
PID 4244 wrote to memory of 4232	4244	Windwn32.exe	102
PID 4232 wrote to memory of 936	4232	Windwn32.exe	225
PID 4232 wrote to memory of 936	4232	Windwn32.exe	225
PID 4232 wrote to memory of 936	4232	Windwn32.exe	225
PID 4232 wrote to memory of 1804	4232	Windwn32.exe	105

C:\Users\Admin\AppData\Local\Temp\0a47f48fdd5a79c6c9725ded935c0e7c.exe
"C:\Users\Admin\AppData\Local\Temp\0a47f48fdd5a79c6c9725ded935c0e7c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:3952
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4820

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:5084

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:4516

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3616
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:2728
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4052

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:4476

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4244
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4232
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Executes dropped EXE
    PID:1804
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      Executes dropped EXE
      PID:3128
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        Executes dropped EXE
        
        PID:2812
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3236
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        Executes dropped EXE
        
        PID:4508
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        Modifies Windows Firewall
        
        PID:3172
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:2932
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:956
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:2032
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:4352
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:936
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:1608

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:564

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4308
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Executes dropped EXE
    PID:3708
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2620
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        Executes dropped EXE
        
        PID:1720
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:4832
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:4700
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:3416
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:4408

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:676

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
PID:4864

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
PID:3684
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Executes dropped EXE
  PID:5212
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:5204

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
PID:5256
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5320
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:5384
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:5376
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  - Modifies Windows Firewall
  PID:5312

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:5456
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  PID:5552
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Executes dropped EXE
    PID:5624
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      Executes dropped EXE
      PID:5732
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        Executes dropped EXE
        
        PID:5864
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6008
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        Executes dropped EXE
        
        PID:6096
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1316
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        Executes dropped EXE
        
        PID:6212
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6304
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        Executes dropped EXE
        
        PID:6420
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        Executes dropped EXE
        
        PID:6600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        17⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        17⤵
        Executes dropped EXE
        
        PID:6652
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        Modifies Windows Firewall
        
        PID:6412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        Modifies Windows Firewall
        
        PID:6204
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:6000
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:5940
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:5856
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:5724
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:5616
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:5544

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:5448

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
PID:6740
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Executes dropped EXE
  PID:6808
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:6928
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:7040
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:7112
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        Executes dropped EXE
        
        PID:4468
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3320
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3208
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        17⤵
        Executes dropped EXE
        
        PID:7184
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:7264
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        19⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        20⤵
        Adds Run key to start application
        
        PID:7348
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        21⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        22⤵
        Adds Run key to start application
        
        PID:7532
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        23⤵
        Drops file in System32 directory
        
        PID:7592
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        23⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        22⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        21⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        20⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        19⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        18⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        17⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        Modifies Windows Firewall
        
        PID:2696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:1888
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:3632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5084
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:7100
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:7032
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:7040
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:5724
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:14304
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:13872
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        Modifies Windows Firewall
        
        PID:13924
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:14136
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:14220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        Modifies Windows Firewall
        
        PID:8500
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:2736
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:8728
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:7112
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:9080
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    - Modifies Windows Firewall
    PID:6920
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  - Modifies Windows Firewall
  PID:6800

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:6732

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
- Modifies Windows Firewall
PID:5248

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:4056

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:2776

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4180

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:376

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3352

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:2336

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:4052

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:892

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:2856

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2856

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:7648

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:7656
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Adds Run key to start application
  PID:7760
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:7808
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      Drops file in System32 directory
      PID:7884
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:7988
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        Adds Run key to start application
        
        PID:8172
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        Adds Run key to start application
        
        PID:5364
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        Drops file in System32 directory
        
        PID:5664
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5132
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        Adds Run key to start application
        
        PID:2748
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        Drops file in System32 directory
        
        PID:8084
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        17⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        18⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        19⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        20⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        21⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        22⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        23⤵
        Adds Run key to start application
        
        PID:5484
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        24⤵
        Adds Run key to start application
        
        PID:6380
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        25⤵
        Drops file in System32 directory
        
        PID:6636
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        26⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        27⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        28⤵
        Adds Run key to start application
        
        PID:6392
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        29⤵
        Drops file in System32 directory
        
        PID:6548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        30⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        30⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        31⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        32⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        33⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:8368
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        34⤵
        Drops file in System32 directory
        
        PID:8440
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        35⤵
        Adds Run key to start application
        
        PID:8484
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        36⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        37⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        38⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        39⤵
        Adds Run key to start application
        
        PID:8740
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        40⤵
        Drops file in System32 directory
        
        PID:8812
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        41⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        42⤵
        Adds Run key to start application
        
        PID:8984
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        43⤵
        Adds Run key to start application
        
        PID:9100
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        43⤵
        Modifies Windows Firewall
        
        PID:9092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        42⤵
        
        PID:8976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        41⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        40⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        39⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        38⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        37⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        36⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        35⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        34⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        33⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        32⤵
        Modifies Windows Firewall
        
        PID:8308
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        31⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        29⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        28⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        27⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        26⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        25⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        24⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        23⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        22⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        21⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        20⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        19⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        18⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        17⤵
        
        PID:5968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        18⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        Modifies Windows Firewall
        
        PID:1704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        Modifies Windows Firewall
        
        PID:4368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:8112
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:14012
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:8032
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:7980
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:7876
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:7800
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:7752

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:9180
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:6316
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:5012
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Drops file in System32 directory
    PID:6300
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:5420
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        Adds Run key to start application
        
        PID:6912
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        Adds Run key to start application
        
        PID:9288
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        Drops file in System32 directory
        
        PID:9440
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:9592
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        17⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        18⤵
        Adds Run key to start application
        
        PID:9912
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        19⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        20⤵
        Drops file in System32 directory
        
        PID:10080
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        21⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        22⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        22⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        21⤵
        Modifies Windows Firewall
        
        PID:10208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        20⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        19⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        18⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        17⤵
        Modifies Windows Firewall
        
        PID:9788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        
        PID:9724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        Modifies Windows Firewall
        
        PID:9488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        Modifies Windows Firewall
        
        PID:7136
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:1544
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:6880
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:2180
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:6496
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    - Modifies Windows Firewall
    PID:1688

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:9172

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:9136

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:9128

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:2432
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Drops file in System32 directory
  PID:4960
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Drops file in System32 directory
    PID:1960
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:10244
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        Adds Run key to start application
        
        PID:10344
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        Adds Run key to start application
        
        PID:10604
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        Drops file in System32 directory
        
        PID:11056
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        17⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:11240
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        18⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        19⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        19⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        20⤵
        Adds Run key to start application
        
        PID:11096
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        21⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        22⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        23⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        24⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        24⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        23⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        22⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        21⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        20⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        18⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        17⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:11048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        Modifies Windows Firewall
        
        PID:10720
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:10452
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:10400
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:10332
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:3400
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:1572
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:4476

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:2732

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:11364
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:11436
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:11512
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      Drops file in System32 directory
      PID:11624
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        Drops file in System32 directory
        
        PID:11664
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:11656
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:11612
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:11504
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  - Modifies Windows Firewall
  PID:11428

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:11356

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:11708
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:11768
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Adds Run key to start application
    PID:11832
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:11892
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        Drops file in System32 directory
        
        PID:11988
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:12108
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:12256
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:12248
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:12180
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:12100
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:11980
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:11700
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        
        PID:12180
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:17236
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:17008
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:11960
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:11844
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:11884
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:11824
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:11752

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:11700

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Adds Run key to start application
PID:7940
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:5124
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:7752
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:7956
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:2188
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:7584
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:7716
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    - Modifies Windows Firewall
    PID:7864
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7292
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:7728

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:1312
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:5572
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:8088
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:4860
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:3192
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        Adds Run key to start application
        
        PID:5152
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:4436
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:5428
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:11344
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:1516
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4408
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:5272
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:7504

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
- Modifies Windows Firewall
PID:7952

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:4296
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Adds Run key to start application
  PID:12352
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Adds Run key to start application
    PID:12416
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:12408
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:12344

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:5744

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:12504
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:12600
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:12664
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      Adds Run key to start application
      PID:12740
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:12832
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        Drops file in System32 directory
        
        PID:12924
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:12988
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        Adds Run key to start application
        
        PID:13044
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        Adds Run key to start application
        
        PID:13096
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        
        PID:13156
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        Adds Run key to start application
        
        PID:13272
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        Drops file in System32 directory
        
        PID:7788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        Adds Run key to start application
        
        PID:5668
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:6396
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        17⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        18⤵
        Adds Run key to start application
        
        PID:5884
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        19⤵
        Drops file in System32 directory
        
        PID:13080
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        20⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        21⤵
        Drops file in System32 directory
        
        PID:6332
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        22⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        23⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        23⤵
        
        PID:13328
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        24⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:13360
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        25⤵
        
        PID:13440
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        26⤵
        Drops file in System32 directory
        
        PID:13540
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        27⤵
        Drops file in System32 directory
        
        PID:13624
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        28⤵
        Adds Run key to start application
        
        PID:13664
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        29⤵
        
        PID:13748
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        30⤵
        Adds Run key to start application
        
        PID:13828
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        31⤵
        Adds Run key to start application
        
        PID:13864
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        32⤵
        
        PID:13964
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        33⤵
        Drops file in System32 directory
        
        PID:14060
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        34⤵
        
        PID:14100
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        35⤵
        
        PID:14156
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        36⤵
        Adds Run key to start application
        
        PID:14228
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        37⤵
        Drops file in System32 directory
        
        PID:14292
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        38⤵
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        39⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        40⤵
        
        PID:9012
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        41⤵
        Adds Run key to start application
        
        PID:9020
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        42⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        43⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        44⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        45⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        46⤵
        Adds Run key to start application
        
        PID:6432
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        47⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        47⤵
        Modifies Windows Firewall
        
        PID:14324
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        46⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        45⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        44⤵
        
        PID:14012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        43⤵
        Modifies Windows Firewall
        
        PID:8572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        42⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        41⤵
        
        PID:6064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        40⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        39⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        38⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        37⤵
        
        PID:14284
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        36⤵
        Modifies Windows Firewall
        
        PID:14220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        35⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        34⤵
        
        PID:14092
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        33⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        32⤵
        
        PID:13952
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        31⤵
        
        PID:13856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        30⤵
        
        PID:13816
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        29⤵
        
        PID:13740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        28⤵
        
        PID:13656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        27⤵
        
        PID:13616
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        26⤵
        
        PID:13532
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        25⤵
        
        PID:13432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        24⤵
        
        PID:13352
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        22⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        21⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        20⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        19⤵
        
        PID:12968
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        18⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        17⤵
        Modifies Windows Firewall
        
        PID:7344
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        18⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        19⤵
        Executes dropped EXE
        
        PID:5948
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        20⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        21⤵
        
        PID:13412
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        22⤵
        
        PID:13836
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        23⤵
        
        PID:13604
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        24⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        25⤵
        Executes dropped EXE
        
        PID:5288
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        26⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        27⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        28⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        29⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        30⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        29⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        28⤵
        
        PID:13976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        27⤵
        
        PID:6632
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        Executes dropped EXE
        
        PID:6504
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        26⤵
        
        PID:13388
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        25⤵
        
        PID:13584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        24⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        23⤵
        
        PID:13632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        22⤵
        Modifies Windows Firewall
        
        PID:14020
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        21⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        20⤵
        Modifies Windows Firewall
        
        PID:13492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        19⤵
        Modifies Windows Firewall
        
        PID:6040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        18⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:13264
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        Modifies Windows Firewall
        
        PID:13148
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:13088
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:13036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:12980
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:12916
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:12824
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:12728
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:12656
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  - Modifies Windows Firewall
  PID:12592

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:12496

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
- Drops file in System32 directory
PID:7204

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:8028

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:8024

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:9384
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  - Adds Run key to start application
  PID:9260
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    - Drops file in System32 directory
    PID:6772
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:8952
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:7084
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:9188
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        Adds Run key to start application
        
        PID:9308
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        Drops file in System32 directory
        
        PID:6436
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        Adds Run key to start application
        
        PID:9548
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        
        PID:14376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        Modifies Windows Firewall
        
        PID:14364
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        Modifies Windows Firewall
        
        PID:9708
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:9456
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:9448
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:9144
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:8664
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2180
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:8224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:6800

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:8856

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:14420
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:14500
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:14564
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:14572
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:14676
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:14732
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:14888
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:14972
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:15044
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        Drops file in System32 directory
        
        PID:15136
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:15176
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        Drops file in System32 directory
        
        PID:15308
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        17⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:10508
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        18⤵
        Drops file in System32 directory
        
        PID:10716
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        19⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        19⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        20⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        21⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        22⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        23⤵
        Drops file in System32 directory
        
        PID:15348
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        24⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        25⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        26⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        27⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        28⤵
        Drops file in System32 directory
        
        PID:15384
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        29⤵
        
        PID:15440
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        30⤵
        
        PID:15500
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        31⤵
        
        PID:15564
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        31⤵
        
        PID:15572
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        32⤵
        Drops file in System32 directory
        
        PID:15652
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        33⤵
        Drops file in System32 directory
        
        PID:15732
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        34⤵
        
        PID:15844
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        35⤵
        
        PID:15940
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        36⤵
        
        PID:15980
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        37⤵
        
        PID:16032
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        38⤵
        
        PID:16104
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        38⤵
        
        PID:16116
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        39⤵
        
        PID:16176
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        40⤵
        
        PID:16260
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        41⤵
        
        PID:16376
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        42⤵
        
        PID:15424
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        43⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        44⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        45⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:7844
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        46⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        47⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        48⤵
        
        PID:15868
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        49⤵
        
        PID:11648
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        50⤵
        Adds Run key to start application
        
        PID:4348
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        51⤵
        
        PID:11600
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        52⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        53⤵
        
        PID:11956
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        54⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        55⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        56⤵
        
        PID:16408
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        57⤵
        
        PID:16460
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        58⤵
        
        PID:16552
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        59⤵
        
        PID:16588
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        60⤵
        
        PID:16640
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        61⤵
        
        PID:16704
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        62⤵
        
        PID:16752
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        63⤵
        
        PID:16856
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        64⤵
        
        PID:16900
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        64⤵
        Modifies Windows Firewall
        
        PID:16888
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        63⤵
        
        PID:16848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        62⤵
        
        PID:16744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        61⤵
        
        PID:16696
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        60⤵
        
        PID:16632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        59⤵
        
        PID:16580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        58⤵
        
        PID:16544
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        57⤵
        Modifies Windows Firewall
        
        PID:16452
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        56⤵
        
        PID:16400
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        55⤵
        
        PID:11456
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        54⤵
        Modifies Windows Firewall
        
        PID:11084
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        53⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        52⤵
        
        PID:16308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        51⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        50⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        49⤵
        Modifies Windows Firewall
        
        PID:11528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        48⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        47⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        46⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        45⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        44⤵
        Modifies Windows Firewall
        
        PID:7712
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        43⤵
        Modifies Windows Firewall
        
        PID:15484
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        42⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        41⤵
        
        PID:16368
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        40⤵
        
        PID:16252
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        39⤵
        
        PID:16168
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        37⤵
        
        PID:16024
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        36⤵
        
        PID:15972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        35⤵
        
        PID:15932
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        34⤵
        
        PID:15836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        33⤵
        Modifies Windows Firewall
        
        PID:15724
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        32⤵
        
        PID:15644
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        30⤵
        
        PID:15492
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        29⤵
        Modifies Windows Firewall
        
        PID:15432
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        28⤵
        
        PID:15376
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        27⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        26⤵
        Modifies Windows Firewall
        
        PID:10284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        25⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        24⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        23⤵
        
        PID:10768
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        22⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        21⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        20⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        18⤵
        
        PID:5036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        17⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        
        PID:14744
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        Modifies Windows Firewall
        
        PID:1656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        Modifies Windows Firewall
        
        PID:10124
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:15300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:15164
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:15128
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:15036
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:14964
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:14920
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:14880
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:14724
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:14664
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  - Modifies Windows Firewall
  PID:14484

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
- Modifies Windows Firewall
PID:14412

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:16980
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:17040
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:17152
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:17360
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:15688
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:11556
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:11980
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:11720
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:12160
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:12224
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:17348
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:17144
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  - Modifies Windows Firewall
  PID:17032

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:16972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:11752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2776

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:4504
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:12156
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:12376
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:12764
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:7952
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:17424
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:17476
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        
        PID:17564
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:17616
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        
        PID:17664
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        
        PID:17748
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        
        PID:17828
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        
        PID:17900
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        
        PID:17980
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        17⤵
        
        PID:18056
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        18⤵
        
        PID:18184
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        19⤵
        
        PID:18232
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        20⤵
        
        PID:18356
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        20⤵
        Modifies Windows Firewall
        
        PID:18348
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        19⤵
        
        PID:18224
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        18⤵
        
        PID:18176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        17⤵
        Modifies Windows Firewall
        
        PID:18048
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        
        PID:17972
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:17888
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        
        PID:17820
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:17740
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:17656
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:17604
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:17556
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        Modifies Windows Firewall
        
        PID:17468
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:17416
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:12316
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        Modifies Windows Firewall
        
        PID:7504
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        Modifies Windows Firewall
        
        PID:7876
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:6556
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:7628
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:4572

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:12476

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:18396
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:6612
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:5032

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
- Modifies Windows Firewall
PID:18388

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:6700
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:13112
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:12972

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:13220

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:13200
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:12472
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:17844
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:2488
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:13132
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:12984
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:18160
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:764
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:228
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:12852
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:12596

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
- Modifies Windows Firewall
PID:5188

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:5976
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:13264
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:12916
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:8052
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:5340
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        Executes dropped EXE
        
        PID:5456
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:8220
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:5444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:2716
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        Modifies Windows Firewall
        
        PID:6280
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        
        PID:4828
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:4868
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:2768
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:12544

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:13188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:6376

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:8384
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:5920
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:5592

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:4500
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Executes dropped EXE
  PID:3744

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:14264
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:7508
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:14108
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:7304
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:7660
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        
        PID:13512
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        16⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        17⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        17⤵
        Modifies Windows Firewall
        
        PID:8152
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        16⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        Modifies Windows Firewall
        
        PID:9296
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:7868
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        
        PID:8332
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        Modifies Windows Firewall
        
        PID:13572
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      Modifies Windows Firewall
      PID:7244
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:4724
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:8552

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:8096

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:8960

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:14024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Executes dropped EXE
PID:7300

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:3988
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:9664
- - C:\Windows\SysWOW64\Windwn32.exe
    C:\Windows\system32\Windwn32.exe
    3⤵
    PID:5844
  - - C:\Windows\SysWOW64\Windwn32.exe
      C:\Windows\system32\Windwn32.exe
      4⤵
      PID:9704
    - - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        5⤵
        
        PID:5252
      - C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        6⤵
        Adds Run key to start application
        
        PID:5852
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        7⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        8⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        9⤵
        
        PID:14664
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        10⤵
        
        PID:14384
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        11⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        12⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        13⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        14⤵
        
        PID:14768
        
        C:\Windows\SysWOW64\Windwn32.exe
        
        C:\Windows\system32\Windwn32.exe
        15⤵
        
        PID:14640
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        15⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        14⤵
        Modifies Windows Firewall
        
        PID:15104
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        13⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        12⤵
        
        PID:14848
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        11⤵
        Adds Run key to start application
        
        PID:5220
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        10⤵
        
        PID:14524
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        9⤵
        
        PID:15320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        8⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        7⤵
        
        PID:14820
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        6⤵
        Modifies Windows Firewall
        
        PID:5512
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
        5⤵
        Modifies Windows Firewall
        
        PID:5684
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
      4⤵
      PID:3752
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
    3⤵
    PID:5756
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:9984

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:8976

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:15024
- C:\Windows\SysWOW64\Windwn32.exe
  C:\Windows\system32\Windwn32.exe
  2⤵
  PID:14436
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
  2⤵
  PID:9944
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:9584

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
- Modifies Windows Firewall
PID:10152

C:\Windows\SysWOW64\Windwn32.exe
C:\Windows\system32\Windwn32.exe
1⤵
PID:14828

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram C:\Windows\system32\Windwn32.exe profile =all
1⤵
PID:9076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Adds Run key to start application
PID:5824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:9796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windwn32.exe

Filesize
53KB

MD5
60313548f76225c09831f90749e817fd

SHA1
ffbdf10318c07eb94748d1c811a875fa12100a80

SHA256
70c4a5012f27c8c325ddd068a4942746d2dfbf3956283545b87df5117bd6c433

SHA512
8c3d07d78f276a10baab576bfe719bd7559311e6fa55d927be2a4ba8e2904817700b07fef2bbd575d4c0c964f2db99237601649b79fe7bfe6d5cdd147ce41401

Download Submit
C:\Windows\SysWOW64\Windwn32.exe

Filesize
53KB

MD5
4266983a3d9fbd5ebef006036e8d4c06

SHA1
4c59bfdc54fcd18322ab8d8df6c2b5b53573b6f6

SHA256
4e0838797f93024df22a4f7b9677ea3f139aca7ce859a11d2d7c6cb7516cf7fb

SHA512
1f0ff05a0518dc34c7fae0a8b3c6b35795cc7976090c34509135fb8700a9a066531661a4cf070d4aa0c529333e19c9ee23ca4348b5d92db024cf96e6999a8df9

Download Submit
C:\Windows\SysWOW64\Windwn32.exe

Filesize
52KB

MD5
f0105b192d1dfb127672b90a95f90c87

SHA1
813d0f3377e0b42e6618c3d80eda90e970db1903

SHA256
c9bbd55303b8c872ef9c6b31828458ae2135e282541c2e0f96f04def96dd31af

SHA512
58dd35ea896951c3c5a3e49c0031dca20bb7dc8b16395e8eaddecb7dfc81f9b1564abae60cc4a7b12f4432addb44a3410602c95d3fdd9b651ea2372d9e39a331

Download Submit
C:\Windows\SysWOW64\Windwn32.exe

Filesize
37KB

MD5
1f10b628f0784bfe5cb1aac53694e036

SHA1
c3d6e0799586ddaad231c583ad95c898b2efd3fa

SHA256
3c1e98cd8fc1a9b509e1117d6520a69f93b6c96d3dc3e8e99dc15bac0de417fc

SHA512
682d8527767012ffba4713d0530da473d69c9bd634c404bef0d90771a047281a30624e50287821db986512d7b35b2bf3ecad739b9e7363f419a39bfd99ef7fe5

Download Submit
C:\Windows\SysWOW64\Windwn32.exe

Filesize
54KB

MD5
0a47f48fdd5a79c6c9725ded935c0e7c

SHA1
9eaed5e9e4fc98dbd41fa8d178cac722ca83b91b

SHA256
11408eaf3571b1974ac33c765eb5062da57d6b2e621fbe0753caa7a3f14a5cc3

SHA512
ecb8e69cf73c0e333908ac930a3313cfafe80221ffbf85e9795f920307495d2778d52352690dd49b7725d9bc4e7e3c2b75470ae128925791d88f8234135648a1

Download Submit
memory/1568-66-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1720-89-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1804-77-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2128-81-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2620-88-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2768-70-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2812-79-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3128-78-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3132-86-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3236-80-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3352-74-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3616-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3684-90-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3708-87-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4052-73-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4180-83-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4232-76-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4244-75-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4308-85-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4508-82-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4820-67-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4840-68-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4864-84-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5076-69-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5112-72-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5212-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5256-92-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5320-93-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5384-94-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5456-95-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5552-96-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5624-97-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads