052caa90d773f5e0365d709f12ea6970dbe2773729ca9066da0e092c01976a24

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/07/2024, 19:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe
Size

79KB
MD5

1c43b1995f0511b12e26d077fb114909
SHA1

3250cc583664194f5313d14e0daf9da685daf9d6
SHA256

052caa90d773f5e0365d709f12ea6970dbe2773729ca9066da0e092c01976a24
SHA512

e8edeb6e55f7aec303b34d9cc8288d15635090c09f01a52a40a242fc779460bd76d13f693ff102a58c2af90f9b6a3dea5c5ac464614f0b98fe0aef9fc3727ecc
SSDEEP

768:52NtaxVWZKrTM+1Z6/25l6FxD90My9625y1uRpAo3X53MPWELTb5SQSgj8+kudKT:5ZVW2ToLXm/6q9ELH5SQPiQKyhQxgk

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1996	explorer.exe
2692	explorer.exe
2636	explorer.exe
2648	explorer.exe
2660	explorer.exe
2024	explorer.exe
2900	explorer.exe
1900	explorer.exe
1464	smss.exe
1968	explorer.exe
2416	smss.exe
1580	explorer.exe
1856	explorer.exe
1028	smss.exe
868	explorer.exe
2796	explorer.exe
2328	smss.exe
2016	explorer.exe
2584	explorer.exe
1408	explorer.exe
1760	explorer.exe
2392	smss.exe
2100	explorer.exe
836	explorer.exe
2084	explorer.exe
676	explorer.exe
1928	smss.exe
1756	explorer.exe
292	explorer.exe
920	explorer.exe
688	explorer.exe
2232	explorer.exe
3044	smss.exe
1184	explorer.exe
1940	explorer.exe
2924	explorer.exe
1684	explorer.exe
1508	explorer.exe
2808	smss.exe
3032	explorer.exe
2240	explorer.exe
2708	explorer.exe
2756	explorer.exe
1984	explorer.exe
2688	explorer.exe
2676	explorer.exe
2504	explorer.exe
2188	explorer.exe
884	smss.exe
1908	explorer.exe
1692	explorer.exe
2140	explorer.exe
1516	explorer.exe
296	explorer.exe
1356	smss.exe
1696	explorer.exe
2788	explorer.exe
2432	explorer.exe
992	smss.exe
2456	explorer.exe
2668	explorer.exe
1316	explorer.exe
1144	explorer.exe
1088	smss.exe

Loads dropped DLL 64 IoCs

pid	Process
1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe
1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe
1996	explorer.exe
1996	explorer.exe
2692	explorer.exe
2692	explorer.exe
2636	explorer.exe
2636	explorer.exe
2648	explorer.exe
2648	explorer.exe
2660	explorer.exe
2660	explorer.exe
2024	explorer.exe
2024	explorer.exe
2900	explorer.exe
2900	explorer.exe
1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe
1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe
1900	explorer.exe
1900	explorer.exe
1996	explorer.exe
1996	explorer.exe
1464	smss.exe
1464	smss.exe
1968	explorer.exe
1968	explorer.exe
2692	explorer.exe
2692	explorer.exe
2416	smss.exe
2416	smss.exe
1580	explorer.exe
1580	explorer.exe
2636	explorer.exe
2636	explorer.exe
1856	explorer.exe
1856	explorer.exe
1028	smss.exe
1028	smss.exe
868	explorer.exe
868	explorer.exe
2796	explorer.exe
2796	explorer.exe
2648	explorer.exe
2648	explorer.exe
2328	smss.exe
2328	smss.exe
2016	explorer.exe
2016	explorer.exe
2584	explorer.exe
2584	explorer.exe
1408	explorer.exe
1408	explorer.exe
2660	explorer.exe
2660	explorer.exe
1760	explorer.exe
1760	explorer.exe
2392	smss.exe
2392	smss.exe
2100	explorer.exe
2100	explorer.exe
836	explorer.exe
836	explorer.exe
2084	explorer.exe
2084	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1560-0-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/files/0x0034000000015c8c-11.dat	upx
behavioral1/memory/2692-18-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2636-24-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1996-26-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1560-25-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2648-32-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2692-33-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2660-39-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2636-40-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2024-48-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2648-49-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2900-57-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2660-58-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1900-65-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1560-70-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2024-72-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1900-75-0x0000000000460000-0x00000000004B8000-memory.dmp	upx
behavioral1/memory/1968-78-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2900-83-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2416-84-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1580-88-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1856-98-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1900-95-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/868-103-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1996-105-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1464-109-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2328-116-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1968-115-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2416-121-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2016-122-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2584-125-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1580-124-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2692-126-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1408-130-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1856-129-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1760-132-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1028-134-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2392-135-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/868-136-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2100-137-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2084-143-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2636-138-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/836-142-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/676-147-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2796-146-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1928-153-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2328-152-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2016-154-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2584-155-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1756-156-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1408-157-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/292-158-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/920-162-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1760-161-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2648-159-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2392-166-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2100-167-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/688-171-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2084-170-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/836-169-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/3044-176-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1184-177-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1940-181-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\fwwaoufpya\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wpqamqtlju\smss.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe
1996	explorer.exe
2692	explorer.exe
2636	explorer.exe
2648	explorer.exe
2660	explorer.exe
2024	explorer.exe
2900	explorer.exe
1900	explorer.exe
1464	smss.exe
1968	explorer.exe
2416	smss.exe
1580	explorer.exe
1856	explorer.exe
1028	smss.exe
868	explorer.exe
2796	explorer.exe
2328	smss.exe
2016	explorer.exe
2584	explorer.exe
1408	explorer.exe
1760	explorer.exe
2392	smss.exe
2100	explorer.exe
836	explorer.exe
2084	explorer.exe
676	explorer.exe
1928	smss.exe
1756	explorer.exe
292	explorer.exe
920	explorer.exe
2232	explorer.exe
688	explorer.exe
3044	smss.exe
1184	explorer.exe
1940	explorer.exe
2924	explorer.exe
1684	explorer.exe
1508	explorer.exe
2808	smss.exe
3032	explorer.exe
2240	explorer.exe
2708	explorer.exe
2756	explorer.exe
1984	explorer.exe
2688	explorer.exe
2676	explorer.exe
2504	explorer.exe
2188	explorer.exe
884	smss.exe
1908	explorer.exe
1692	explorer.exe
2140	explorer.exe
1516	explorer.exe
296	explorer.exe
1356	smss.exe
1696	explorer.exe
2788	explorer.exe
2432	explorer.exe
992	smss.exe
2456	explorer.exe
2668	explorer.exe
1316	explorer.exe
1144	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1996	explorer.exe
Token: SeLoadDriverPrivilege	2692	explorer.exe
Token: SeLoadDriverPrivilege	2636	explorer.exe
Token: SeLoadDriverPrivilege	2648	explorer.exe
Token: SeLoadDriverPrivilege	2660	explorer.exe
Token: SeLoadDriverPrivilege	2024	explorer.exe
Token: SeLoadDriverPrivilege	2900	explorer.exe
Token: SeLoadDriverPrivilege	1900	explorer.exe
Token: SeLoadDriverPrivilege	1464	smss.exe
Token: SeLoadDriverPrivilege	1968	explorer.exe
Token: SeLoadDriverPrivilege	2416	smss.exe
Token: SeLoadDriverPrivilege	1580	explorer.exe
Token: SeLoadDriverPrivilege	1856	explorer.exe
Token: SeLoadDriverPrivilege	1028	smss.exe
Token: SeLoadDriverPrivilege	868	explorer.exe
Token: SeLoadDriverPrivilege	2796	explorer.exe
Token: SeLoadDriverPrivilege	2328	smss.exe
Token: SeLoadDriverPrivilege	2016	explorer.exe
Token: SeLoadDriverPrivilege	2584	explorer.exe
Token: SeLoadDriverPrivilege	1408	explorer.exe
Token: SeLoadDriverPrivilege	1760	explorer.exe
Token: SeLoadDriverPrivilege	2392	smss.exe
Token: SeLoadDriverPrivilege	2100	explorer.exe
Token: SeLoadDriverPrivilege	836	explorer.exe
Token: SeLoadDriverPrivilege	2084	explorer.exe
Token: SeLoadDriverPrivilege	676	explorer.exe
Token: SeLoadDriverPrivilege	1928	smss.exe
Token: SeLoadDriverPrivilege	1756	explorer.exe
Token: SeLoadDriverPrivilege	292	explorer.exe
Token: SeLoadDriverPrivilege	920	explorer.exe
Token: SeLoadDriverPrivilege	2232	explorer.exe
Token: SeLoadDriverPrivilege	688	explorer.exe
Token: SeLoadDriverPrivilege	3044	smss.exe
Token: SeLoadDriverPrivilege	1184	explorer.exe
Token: SeLoadDriverPrivilege	1940	explorer.exe
Token: SeLoadDriverPrivilege	2924	explorer.exe
Token: SeLoadDriverPrivilege	1684	explorer.exe
Token: SeLoadDriverPrivilege	1508	explorer.exe
Token: SeLoadDriverPrivilege	2808	smss.exe
Token: SeLoadDriverPrivilege	3032	explorer.exe
Token: SeLoadDriverPrivilege	2240	explorer.exe
Token: SeLoadDriverPrivilege	2708	explorer.exe
Token: SeLoadDriverPrivilege	2756	explorer.exe
Token: SeLoadDriverPrivilege	1984	explorer.exe
Token: SeLoadDriverPrivilege	2688	explorer.exe
Token: SeLoadDriverPrivilege	2676	explorer.exe
Token: SeLoadDriverPrivilege	2504	explorer.exe
Token: SeLoadDriverPrivilege	2188	explorer.exe
Token: SeLoadDriverPrivilege	884	smss.exe
Token: SeLoadDriverPrivilege	1908	explorer.exe
Token: SeLoadDriverPrivilege	1692	explorer.exe
Token: SeLoadDriverPrivilege	2140	explorer.exe
Token: SeLoadDriverPrivilege	1516	explorer.exe
Token: SeLoadDriverPrivilege	296	explorer.exe
Token: SeLoadDriverPrivilege	1356	smss.exe
Token: SeLoadDriverPrivilege	1696	explorer.exe
Token: SeLoadDriverPrivilege	2788	explorer.exe
Token: SeLoadDriverPrivilege	2432	explorer.exe
Token: SeLoadDriverPrivilege	992	smss.exe
Token: SeLoadDriverPrivilege	2456	explorer.exe
Token: SeLoadDriverPrivilege	2668	explorer.exe
Token: SeLoadDriverPrivilege	1316	explorer.exe
Token: SeLoadDriverPrivilege	1144	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1996	1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe	28
PID 1560 wrote to memory of 1996	1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe	28
PID 1560 wrote to memory of 1996	1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe	28
PID 1560 wrote to memory of 1996	1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe	28
PID 1996 wrote to memory of 2692	1996	explorer.exe	29
PID 1996 wrote to memory of 2692	1996	explorer.exe	29
PID 1996 wrote to memory of 2692	1996	explorer.exe	29
PID 1996 wrote to memory of 2692	1996	explorer.exe	29
PID 2692 wrote to memory of 2636	2692	explorer.exe	30
PID 2692 wrote to memory of 2636	2692	explorer.exe	30
PID 2692 wrote to memory of 2636	2692	explorer.exe	30
PID 2692 wrote to memory of 2636	2692	explorer.exe	30
PID 2636 wrote to memory of 2648	2636	explorer.exe	31
PID 2636 wrote to memory of 2648	2636	explorer.exe	31
PID 2636 wrote to memory of 2648	2636	explorer.exe	31
PID 2636 wrote to memory of 2648	2636	explorer.exe	31
PID 2648 wrote to memory of 2660	2648	explorer.exe	32
PID 2648 wrote to memory of 2660	2648	explorer.exe	32
PID 2648 wrote to memory of 2660	2648	explorer.exe	32
PID 2648 wrote to memory of 2660	2648	explorer.exe	32
PID 2660 wrote to memory of 2024	2660	explorer.exe	33
PID 2660 wrote to memory of 2024	2660	explorer.exe	33
PID 2660 wrote to memory of 2024	2660	explorer.exe	33
PID 2660 wrote to memory of 2024	2660	explorer.exe	33
PID 2024 wrote to memory of 2900	2024	explorer.exe	34
PID 2024 wrote to memory of 2900	2024	explorer.exe	34
PID 2024 wrote to memory of 2900	2024	explorer.exe	34
PID 2024 wrote to memory of 2900	2024	explorer.exe	34
PID 2900 wrote to memory of 1900	2900	explorer.exe	35
PID 2900 wrote to memory of 1900	2900	explorer.exe	35
PID 2900 wrote to memory of 1900	2900	explorer.exe	35
PID 2900 wrote to memory of 1900	2900	explorer.exe	35
PID 1560 wrote to memory of 1464	1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe	36
PID 1560 wrote to memory of 1464	1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe	36
PID 1560 wrote to memory of 1464	1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe	36
PID 1560 wrote to memory of 1464	1560	1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe	36
PID 1900 wrote to memory of 1968	1900	explorer.exe	37
PID 1900 wrote to memory of 1968	1900	explorer.exe	37
PID 1900 wrote to memory of 1968	1900	explorer.exe	37
PID 1900 wrote to memory of 1968	1900	explorer.exe	37
PID 1996 wrote to memory of 2416	1996	explorer.exe	38
PID 1996 wrote to memory of 2416	1996	explorer.exe	38
PID 1996 wrote to memory of 2416	1996	explorer.exe	38
PID 1996 wrote to memory of 2416	1996	explorer.exe	38
PID 1464 wrote to memory of 1580	1464	smss.exe	39
PID 1464 wrote to memory of 1580	1464	smss.exe	39
PID 1464 wrote to memory of 1580	1464	smss.exe	39
PID 1464 wrote to memory of 1580	1464	smss.exe	39
PID 1968 wrote to memory of 1856	1968	explorer.exe	40
PID 1968 wrote to memory of 1856	1968	explorer.exe	40
PID 1968 wrote to memory of 1856	1968	explorer.exe	40
PID 1968 wrote to memory of 1856	1968	explorer.exe	40
PID 2692 wrote to memory of 1028	2692	explorer.exe	41
PID 2692 wrote to memory of 1028	2692	explorer.exe	41
PID 2692 wrote to memory of 1028	2692	explorer.exe	41
PID 2692 wrote to memory of 1028	2692	explorer.exe	41
PID 2416 wrote to memory of 868	2416	smss.exe	42
PID 2416 wrote to memory of 868	2416	smss.exe	42
PID 2416 wrote to memory of 868	2416	smss.exe	42
PID 2416 wrote to memory of 868	2416	smss.exe	42
PID 1580 wrote to memory of 2796	1580	explorer.exe	43
PID 1580 wrote to memory of 2796	1580	explorer.exe	43
PID 1580 wrote to memory of 2796	1580	explorer.exe	43
PID 1580 wrote to memory of 2796	1580	explorer.exe	43

C:\Users\Admin\AppData\Local\Temp\1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c43b1995f0511b12e26d077fb114909_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
  C:\Windows\system32\fwwaoufpya\explorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
    C:\Windows\system32\fwwaoufpya\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
      C:\Windows\system32\fwwaoufpya\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        23⤵
        Enumerates connected drives
        
        PID:4516
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        24⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        25⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        26⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        27⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        28⤵
        
        PID:12792
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        23⤵
        
        PID:14760
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        22⤵
        
        PID:11944
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        23⤵
        
        PID:15092
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        21⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        23⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        20⤵
        
        PID:772
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:10132
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        23⤵
        
        PID:15820
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        19⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:936
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12348
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        23⤵
        
        PID:15552
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        18⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:8276
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12584
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:8432
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12668
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        Enumerates connected drives
        
        PID:4264
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:14708
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:13104
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:11972
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15016
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:3740
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:5012
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:9432
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        23⤵
        
        PID:15516
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:14556
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:11860
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15008
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15100
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:1016
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:5880
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        23⤵
        
        PID:15128
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:14588
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12156
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15000
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:4164
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:9932
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12592
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        23⤵
        
        PID:15488
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:14620
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:14920
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15844
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12296
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15536
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:5000
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:6816
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:9820
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:11988
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        23⤵
        
        PID:14960
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:14568
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12040
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15072
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:14968
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12248
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15376
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15504
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:8268
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:9912
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12600
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:14684
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:11928
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15056
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12108
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:14992
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10180
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15496
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15448
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:5872
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:8220
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:9504
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15592
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12428
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15600
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3788
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:5116
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:996
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8424
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:14720
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15136
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15836
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:10220
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:11964
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15464
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15560
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:8236
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:9868
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15584
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:6824
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:14976
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:14532
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:904
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:408
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:7244
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:8776
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:12932
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:15288
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:12748
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:15400
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:8588
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13096
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:5536
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:108
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13352
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:15224
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:324
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:7200
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10592
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:15176
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:12828
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:15392
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:572
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:2056
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:6256
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:7580
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:13860
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        17⤵
        
        PID:15624
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:13244
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13328
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13424
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:8976
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13400
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:8988
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13392
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:5268
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:6276
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:7504
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:5240
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:6200
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13376
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:15544
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13636
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:15608
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:3380
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4092
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7548
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13736
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:15576
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:1736
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:2976
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:4796
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:13980
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:13556
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13812
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13928
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13960
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11304
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13944
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:9396
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13968
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:9404
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13988
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13904
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:15908
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:13504
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:3540
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:9348
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13920
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:15932
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:13532
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:13828
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:3548
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:13952
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:15924
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:13516
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:13820
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:9312
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:13936
    - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:2704
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:552
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:3600
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:4032
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:5608
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:7916
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:11476
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        22⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:14028
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:14188
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:14240
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:7908
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:14224
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:9592
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:14292
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:7956
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:14204
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:9636
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11604
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:14268
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11592
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:14044
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:2900
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:4864
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:5616
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:14276
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:14036
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14212
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:1276
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:7964
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11548
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:14172
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14196
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14260
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        
        PID:780
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9552
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:14152
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:14092
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:11532
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14220
  - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
      C:\Windows\system32\wpqamqtlju\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1028
    - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:6476
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:8484
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:15084
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12168
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:15048
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:15424
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:836
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:15456
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:8416
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12616
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:2796
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8448
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10260
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12648
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:15472
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:14692
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:7052
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:14596
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14744
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12388
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:15568
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14628
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14984
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:4244
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:6460
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:14736
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:11956
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14912
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:12208
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14728
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:12224
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:2140
    - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        5⤵
        
        PID:2604
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:2072
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:6012
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12676
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:14660
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:14752
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:12144
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:15120
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:15828
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:15480
- - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
    C:\Windows\system32\wpqamqtlju\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
      C:\Windows\system32\fwwaoufpya\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:868
    - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:960
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:8764
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:15208
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:12808
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:15432
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12692
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:8628
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13080
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13144
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:2036
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12520
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:4372
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15188
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15196
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:15524
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:3272
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:5188
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13368
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15232
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:12684
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:15384
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:12724
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:1804
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:3288
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:3932
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:592
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:7208
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:15416
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13128
    - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        5⤵
        
        PID:2444
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:1520
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12512
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15240
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:15440
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10472
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13120
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:8548
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13056
  - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
      C:\Windows\system32\wpqamqtlju\smss.exe
      4⤵
      Executes dropped EXE
      PID:1088
    - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        5⤵
        
        PID:2460
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:3948
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:12736
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15248
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:15408
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:12708
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13088
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13072
    - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        5⤵
        
        PID:5552
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:12532
- C:\Windows\SysWOW64\wpqamqtlju\smss.exe
  C:\Windows\system32\wpqamqtlju\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
    C:\Windows\system32\fwwaoufpya\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
      C:\Windows\system32\fwwaoufpya\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2796
    - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:1576
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        16⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        17⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        19⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        20⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        21⤵
        
        PID:13844
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        16⤵
        
        PID:15676
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        15⤵
        
        PID:13296
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        14⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        13⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13468
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        12⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9100
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13716
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        11⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9136
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13752
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13804
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:7644
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13868
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15668
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:4720
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13876
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15708
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13852
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15656
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:13268
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13344
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:7608
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10428
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13912
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15696
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:13276
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10940
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13320
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13568
    - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:2960
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13884
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15720
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:13288
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13360
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13416
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13620
  - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
      C:\Windows\system32\wpqamqtlju\smss.exe
      4⤵
      Drops file in System32 directory
      PID:2860
    - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        5⤵
        
        PID:2736
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        Drops file in System32 directory
        
        PID:2184
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:2248
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15688
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13336
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13408
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:7452
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13628
    - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        5⤵
        
        PID:6304
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13744
- - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
    C:\Windows\system32\wpqamqtlju\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
  - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
      C:\Windows\system32\fwwaoufpya\explorer.exe
      4⤵
      PID:484
    - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        5⤵
        
        PID:1420
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        10⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        11⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        12⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        13⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        14⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        15⤵
        
        PID:13460
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        10⤵
        
        PID:15616
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        9⤵
        
        PID:13220
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        8⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        7⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13384
      - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        6⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13452
    - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
        
        C:\Windows\system32\wpqamqtlju\smss.exe
        5⤵
        
        PID:6248
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13764
  - - C:\Windows\SysWOW64\wpqamqtlju\smss.exe
      C:\Windows\system32\wpqamqtlju\smss.exe
      4⤵
      PID:5304
    - - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        5⤵
        
        PID:6284
      - C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        6⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        7⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        8⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\fwwaoufpya\explorer.exe
        
        C:\Windows\system32\fwwaoufpya\explorer.exe
        9⤵
        
        PID:13644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fwwaoufpya\explorer.exe

Filesize
79KB

MD5
1c43b1995f0511b12e26d077fb114909

SHA1
3250cc583664194f5313d14e0daf9da685daf9d6

SHA256
052caa90d773f5e0365d709f12ea6970dbe2773729ca9066da0e092c01976a24

SHA512
e8edeb6e55f7aec303b34d9cc8288d15635090c09f01a52a40a242fc779460bd76d13f693ff102a58c2af90f9b6a3dea5c5ac464614f0b98fe0aef9fc3727ecc

Download Submit
memory/292-197-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/292-158-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/676-147-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/676-180-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/688-209-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/688-171-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/836-142-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/836-169-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/868-103-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/868-136-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/884-242-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/920-162-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/920-200-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1028-134-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1184-177-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1184-217-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1408-157-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1408-130-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1464-109-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1508-232-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1508-189-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1516-256-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1560-220-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1560-25-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1560-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1560-70-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1560-10-0x0000000000310000-0x0000000000368000-memory.dmp

Filesize
352KB

Download
memory/1580-88-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1580-124-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1684-186-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1684-230-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1692-246-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1756-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1756-188-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1760-132-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1760-161-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1856-98-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1856-129-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1900-95-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1900-65-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1900-75-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/1908-245-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1928-182-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1928-153-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1940-223-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1940-181-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1968-78-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1968-115-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1984-254-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1984-218-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1996-105-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1996-56-0x0000000000300000-0x0000000000358000-memory.dmp

Filesize
352KB

Download
memory/1996-26-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1996-17-0x0000000000300000-0x0000000000358000-memory.dmp

Filesize
352KB

Download
memory/1996-249-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2016-154-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2016-122-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2024-48-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2024-72-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2084-143-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2084-168-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download
memory/2084-205-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download
memory/2084-170-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2084-196-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2100-137-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2100-167-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2140-255-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2188-240-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2232-206-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2240-201-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2240-243-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2328-152-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2328-116-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2392-135-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2392-166-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2416-121-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2416-84-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2504-231-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2584-125-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2584-155-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2636-138-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2636-40-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2636-24-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-159-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-49-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2648-32-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2660-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2660-184-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2660-39-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2676-226-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2688-259-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2688-222-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2692-33-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2692-18-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2692-126-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2708-244-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2708-208-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2756-210-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2756-247-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2796-146-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2808-198-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2808-238-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2900-57-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2900-83-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2924-225-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2924-221-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2924-183-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3032-239-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3032-199-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3044-216-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3044-207-0x00000000002A0000-0x00000000002F8000-memory.dmp

Filesize
352KB

Download
memory/3044-176-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download