floxif | b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03f

Analysis

max time kernel
118s
max time network
63s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/12/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
Size

161KB
MD5

9be69bc4d9593e93ecb4660325ea3410
SHA1

ed85f4e22bca76ab33ec6fe8b62351b8f22c2913
SHA256

b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03f
SHA512

0fe7cd8275413b278499e2ccd2abbf068a69e87679c279fab1ed01dc0da3a51dc826ce80cb0fae1d56f14c5a8b356f3a8a325aa676499e15ea5dfd990f88942e
SSDEEP

3072:MQHcGUIUBz2+KWagSBUVfpHnpQuF4BOoTjcIDiFH7:7UK+niUVppQDTcXFH7

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral1/files/0x000a00000001202c-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a00000001202c-2.dat	acprotect

Executes dropped EXE 64 IoCs

pid	Process
3004	explorer.exe
2644	explorer.exe
2124	explorer.exe
2924	explorer.exe
1800	explorer.exe
1924	explorer.exe
2596	explorer.exe
1520	explorer.exe
272	smss.exe
968	explorer.exe
684	smss.exe
1364	explorer.exe
556	smss.exe
1968	explorer.exe
804	explorer.exe
1716	explorer.exe
1752	smss.exe
2456	explorer.exe
344	explorer.exe
2316	explorer.exe
2600	explorer.exe
2724	smss.exe
2736	explorer.exe
2192	explorer.exe
1952	explorer.exe
2364	explorer.exe
2824	smss.exe
2452	explorer.exe
2908	explorer.exe
2880	explorer.exe
2632	explorer.exe
2696	explorer.exe
2012	explorer.exe
1816	smss.exe
988	explorer.exe
2592	explorer.exe
2892	explorer.exe
2956	explorer.exe
1552	smss.exe
1776	explorer.exe
2244	explorer.exe
2252	explorer.exe
2276	explorer.exe
1268	explorer.exe
1656	explorer.exe
912	explorer.exe
2064	explorer.exe
1580	explorer.exe
2516	explorer.exe
1508	smss.exe
1692	explorer.exe
2268	explorer.exe
2052	explorer.exe
2432	smss.exe
1572	explorer.exe
1248	explorer.exe
1040	explorer.exe
2340	explorer.exe
2876	explorer.exe
2264	explorer.exe
2660	smss.exe
2732	explorer.exe
2116	explorer.exe
2984	smss.exe

Loads dropped DLL 64 IoCs

pid	Process
2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
3004	explorer.exe
3004	explorer.exe
2644	explorer.exe
2644	explorer.exe
2124	explorer.exe
2124	explorer.exe
2924	explorer.exe
2924	explorer.exe
1800	explorer.exe
1800	explorer.exe
1924	explorer.exe
1924	explorer.exe
2596	explorer.exe
2596	explorer.exe
2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
1520	explorer.exe
1520	explorer.exe
3004	explorer.exe
3004	explorer.exe
272	smss.exe
272	smss.exe
2644	explorer.exe
2644	explorer.exe
968	explorer.exe
968	explorer.exe
684	smss.exe
684	smss.exe
1364	explorer.exe
1364	explorer.exe
2124	explorer.exe
2124	explorer.exe
556	smss.exe
556	smss.exe
1968	explorer.exe
1968	explorer.exe
804	explorer.exe
804	explorer.exe
1716	explorer.exe
1716	explorer.exe
2924	explorer.exe
2924	explorer.exe
1752	smss.exe
1752	smss.exe
2456	explorer.exe
2456	explorer.exe
344	explorer.exe
344	explorer.exe
2316	explorer.exe
2316	explorer.exe
1800	explorer.exe
1800	explorer.exe
2600	explorer.exe
2600	explorer.exe
2724	smss.exe
2724	smss.exe
2736	explorer.exe
2736	explorer.exe
2192	explorer.exe
2192	explorer.exe
1952	explorer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2564	arp.exe
1488	arp.exe
2352	arp.exe
2364	arp.exe
1688	arp.exe
1336	arp.exe
2104	arp.exe
2284	arp.exe
2848	arp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2568-0-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/files/0x000a00000001202c-2.dat	upx
behavioral1/memory/2568-4-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/files/0x000700000001939c-11.dat	upx
behavioral1/memory/2568-17-0x00000000026E0000-0x0000000002738000-memory.dmp	upx
behavioral1/memory/3004-23-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2568-28-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2568-30-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/3004-31-0x0000000000370000-0x00000000003C8000-memory.dmp	upx
behavioral1/memory/3004-35-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2124-41-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2568-43-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2644-46-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2124-55-0x0000000000560000-0x00000000005B8000-memory.dmp	upx
behavioral1/memory/2124-60-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2568-69-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2924-70-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1800-83-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1924-90-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2568-96-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral1/memory/2596-105-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1520-111-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/968-112-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/272-120-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2568-124-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/968-129-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/684-131-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1364-137-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/3004-140-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/272-142-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/556-147-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1968-150-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/968-153-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/804-154-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1716-159-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2644-160-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/684-162-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1752-163-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1364-164-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2456-167-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2724-171-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/344-172-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2316-173-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2124-177-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1968-180-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/556-179-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2600-181-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2724-183-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/804-186-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2736-187-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1716-190-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2192-191-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1952-193-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2364-195-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2924-196-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/1752-197-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2824-198-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2456-200-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/344-202-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2452-203-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2908-208-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2316-207-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2632-210-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral1/memory/2880-209-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
3004	explorer.exe
2644	explorer.exe
2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
2124	explorer.exe
2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
2924	explorer.exe
1800	explorer.exe
1924	explorer.exe
2596	explorer.exe
1520	explorer.exe
272	smss.exe
968	explorer.exe
684	smss.exe
1364	explorer.exe
556	smss.exe
1968	explorer.exe
804	explorer.exe
1716	explorer.exe
1752	smss.exe
2456	explorer.exe
344	explorer.exe
2316	explorer.exe
2600	explorer.exe
2724	smss.exe
2736	explorer.exe
2192	explorer.exe
1952	explorer.exe
2364	explorer.exe
2824	smss.exe
2452	explorer.exe
2908	explorer.exe
2880	explorer.exe
2632	explorer.exe
2696	explorer.exe
2012	explorer.exe
1816	smss.exe
988	explorer.exe
2592	explorer.exe
2892	explorer.exe
2956	explorer.exe
1552	smss.exe
1776	explorer.exe
2244	explorer.exe
2252	explorer.exe
2276	explorer.exe
1268	explorer.exe
1656	explorer.exe
912	explorer.exe
2064	explorer.exe
1580	explorer.exe
2516	explorer.exe
1508	smss.exe
1692	explorer.exe
2268	explorer.exe
2052	explorer.exe
2432	smss.exe
1572	explorer.exe
1248	explorer.exe
1040	explorer.exe
2340	explorer.exe
2876	explorer.exe
2264	explorer.exe
2660	smss.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
476	Process not Found
476	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
Token: SeLoadDriverPrivilege	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
Token: SeLoadDriverPrivilege	3004	explorer.exe
Token: SeLoadDriverPrivilege	2644	explorer.exe
Token: SeLoadDriverPrivilege	2124	explorer.exe
Token: SeLoadDriverPrivilege	2924	explorer.exe
Token: SeLoadDriverPrivilege	1800	explorer.exe
Token: SeLoadDriverPrivilege	1924	explorer.exe
Token: SeLoadDriverPrivilege	2596	explorer.exe
Token: SeLoadDriverPrivilege	1520	explorer.exe
Token: SeLoadDriverPrivilege	272	smss.exe
Token: SeLoadDriverPrivilege	968	explorer.exe
Token: SeLoadDriverPrivilege	684	smss.exe
Token: SeLoadDriverPrivilege	1364	explorer.exe
Token: SeLoadDriverPrivilege	556	smss.exe
Token: SeLoadDriverPrivilege	1968	explorer.exe
Token: SeLoadDriverPrivilege	804	explorer.exe
Token: SeLoadDriverPrivilege	1716	explorer.exe
Token: SeLoadDriverPrivilege	1752	smss.exe
Token: SeLoadDriverPrivilege	2456	explorer.exe
Token: SeLoadDriverPrivilege	344	explorer.exe
Token: SeLoadDriverPrivilege	2316	explorer.exe
Token: SeLoadDriverPrivilege	2600	explorer.exe
Token: SeLoadDriverPrivilege	2724	smss.exe
Token: SeLoadDriverPrivilege	2736	explorer.exe
Token: SeLoadDriverPrivilege	2192	explorer.exe
Token: SeLoadDriverPrivilege	1952	explorer.exe
Token: SeLoadDriverPrivilege	2364	explorer.exe
Token: SeLoadDriverPrivilege	2824	smss.exe
Token: SeLoadDriverPrivilege	2452	explorer.exe
Token: SeLoadDriverPrivilege	2908	explorer.exe
Token: SeLoadDriverPrivilege	2880	explorer.exe
Token: SeLoadDriverPrivilege	2632	explorer.exe
Token: SeLoadDriverPrivilege	2696	explorer.exe
Token: SeLoadDriverPrivilege	2012	explorer.exe
Token: SeLoadDriverPrivilege	1816	smss.exe
Token: SeLoadDriverPrivilege	988	explorer.exe
Token: SeLoadDriverPrivilege	2592	explorer.exe
Token: SeLoadDriverPrivilege	2892	explorer.exe
Token: SeLoadDriverPrivilege	2956	explorer.exe
Token: SeLoadDriverPrivilege	1552	smss.exe
Token: SeLoadDriverPrivilege	1776	explorer.exe
Token: SeLoadDriverPrivilege	2244	explorer.exe
Token: SeLoadDriverPrivilege	2252	explorer.exe
Token: SeLoadDriverPrivilege	2276	explorer.exe
Token: SeLoadDriverPrivilege	1268	explorer.exe
Token: SeLoadDriverPrivilege	1656	explorer.exe
Token: SeLoadDriverPrivilege	912	explorer.exe
Token: SeLoadDriverPrivilege	2064	explorer.exe
Token: SeLoadDriverPrivilege	1580	explorer.exe
Token: SeLoadDriverPrivilege	2516	explorer.exe
Token: SeLoadDriverPrivilege	1508	smss.exe
Token: SeLoadDriverPrivilege	1692	explorer.exe
Token: SeLoadDriverPrivilege	2268	explorer.exe
Token: SeLoadDriverPrivilege	2052	explorer.exe
Token: SeLoadDriverPrivilege	2432	smss.exe
Token: SeLoadDriverPrivilege	1572	explorer.exe
Token: SeLoadDriverPrivilege	1248	explorer.exe
Token: SeLoadDriverPrivilege	1040	explorer.exe
Token: SeLoadDriverPrivilege	2340	explorer.exe
Token: SeLoadDriverPrivilege	2876	explorer.exe
Token: SeLoadDriverPrivilege	2264	explorer.exe
Token: SeLoadDriverPrivilege	2660	smss.exe
Token: SeLoadDriverPrivilege	2732	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2564	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	30
PID 2568 wrote to memory of 2564	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	30
PID 2568 wrote to memory of 2564	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	30
PID 2568 wrote to memory of 2564	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	30
PID 2568 wrote to memory of 1488	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	32
PID 2568 wrote to memory of 1488	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	32
PID 2568 wrote to memory of 1488	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	32
PID 2568 wrote to memory of 1488	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	32
PID 2568 wrote to memory of 2284	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	33
PID 2568 wrote to memory of 2284	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	33
PID 2568 wrote to memory of 2284	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	33
PID 2568 wrote to memory of 2284	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	33
PID 2568 wrote to memory of 2352	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	35
PID 2568 wrote to memory of 2352	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	35
PID 2568 wrote to memory of 2352	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	35
PID 2568 wrote to memory of 2352	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	35
PID 2568 wrote to memory of 2364	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	37
PID 2568 wrote to memory of 2364	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	37
PID 2568 wrote to memory of 2364	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	37
PID 2568 wrote to memory of 2364	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	37
PID 2568 wrote to memory of 1688	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	39
PID 2568 wrote to memory of 1688	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	39
PID 2568 wrote to memory of 1688	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	39
PID 2568 wrote to memory of 1688	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	39
PID 2568 wrote to memory of 2104	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	41
PID 2568 wrote to memory of 2104	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	41
PID 2568 wrote to memory of 2104	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	41
PID 2568 wrote to memory of 2104	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	41
PID 2568 wrote to memory of 2848	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	43
PID 2568 wrote to memory of 2848	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	43
PID 2568 wrote to memory of 2848	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	43
PID 2568 wrote to memory of 2848	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	43
PID 2568 wrote to memory of 1336	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	45
PID 2568 wrote to memory of 1336	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	45
PID 2568 wrote to memory of 1336	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	45
PID 2568 wrote to memory of 1336	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	45
PID 2568 wrote to memory of 3004	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	48
PID 2568 wrote to memory of 3004	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	48
PID 2568 wrote to memory of 3004	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	48
PID 2568 wrote to memory of 3004	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	48
PID 3004 wrote to memory of 2644	3004	explorer.exe	49
PID 3004 wrote to memory of 2644	3004	explorer.exe	49
PID 3004 wrote to memory of 2644	3004	explorer.exe	49
PID 3004 wrote to memory of 2644	3004	explorer.exe	49
PID 2644 wrote to memory of 2124	2644	explorer.exe	50
PID 2644 wrote to memory of 2124	2644	explorer.exe	50
PID 2644 wrote to memory of 2124	2644	explorer.exe	50
PID 2644 wrote to memory of 2124	2644	explorer.exe	50
PID 2568 wrote to memory of 568	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	51
PID 2568 wrote to memory of 568	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	51
PID 2568 wrote to memory of 568	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	51
PID 2568 wrote to memory of 568	2568	b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe	51
PID 2124 wrote to memory of 2924	2124	explorer.exe	54
PID 2124 wrote to memory of 2924	2124	explorer.exe	54
PID 2124 wrote to memory of 2924	2124	explorer.exe	54
PID 2124 wrote to memory of 2924	2124	explorer.exe	54
PID 2924 wrote to memory of 1800	2924	explorer.exe	56
PID 2924 wrote to memory of 1800	2924	explorer.exe	56
PID 2924 wrote to memory of 1800	2924	explorer.exe	56
PID 2924 wrote to memory of 1800	2924	explorer.exe	56
PID 1800 wrote to memory of 1924	1800	explorer.exe	57
PID 1800 wrote to memory of 1924	1800	explorer.exe	57
PID 1800 wrote to memory of 1924	1800	explorer.exe	57
PID 1800 wrote to memory of 1924	1800	explorer.exe	57

C:\Users\Admin\AppData\Local\Temp\b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe
"C:\Users\Admin\AppData\Local\Temp\b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\arp.exe
  arp -a
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:2564
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.0.1 f6-61-60-08-e1-aa
  2⤵
  - Network Service Discovery
  PID:1488
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.255.255 9a-1f-67-95-e2-5d
  2⤵
  - Network Service Discovery
  PID:2284
- C:\Windows\SysWOW64\arp.exe
  arp -s 37.27.61.184 27-f3-63-b5-82-b2
  2⤵
  - Network Service Discovery
  PID:2352
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.22 a6-49-7c-26-3f-cf
  2⤵
  - Network Service Discovery
  PID:2364
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.251 27-d0-1e-52-e1-b0
  2⤵
  - Network Service Discovery
  PID:1688
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.252 ca-f7-fc-28-0c-cd
  2⤵
  - Network Service Discovery
  PID:2104
- C:\Windows\SysWOW64\arp.exe
  arp -s 239.255.255.250 02-ae-f9-4b-aa-79
  2⤵
  - Network Service Discovery
  PID:2848
- C:\Windows\SysWOW64\arp.exe
  arp -s 255.255.255.255 57-9f-92-1c-19-a3
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:1336
- C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
  C:\Windows\system32\hfroyyvmyb\explorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
    C:\Windows\system32\hfroyyvmyb\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:2820
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        21⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        22⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        23⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        24⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        25⤵
        Enumerates connected drives
        
        PID:6568
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        26⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        20⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        19⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        18⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        17⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:5140
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        16⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:6980
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:8552
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        15⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:2508
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:3292
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:8520
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:8232
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:5248
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:6416
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:444
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:8472
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:8376
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:7156
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:7132
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:8308
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:7048
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5912
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:2740
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:8944
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:7436
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8952
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:2484
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:3552
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:3604
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:5488
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:6388
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5448
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:7760
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:4696
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:5404
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6356
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:3460
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:6340
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:1244
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:664
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:920
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:2060
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5628
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:7992
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:7972
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:5636
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Drops file in System32 directory
        
        PID:4880
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:8020
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:4856
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:5584
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:3892
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:7896
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:4844
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:5592
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:9372
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:9352
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:564
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:6748
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6784
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:6772
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5716
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3724
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:6676
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8080
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4928
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:5680
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:8068
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:8092
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:556
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:808
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6556
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:4304
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5960
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:4312
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:5984
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:7064
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:4252
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5904
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:6984
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8100
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:628
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3828
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:6952
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:1904
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:1100
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:6944
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:7944
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:7960
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:6932
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:7908
- - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
    C:\Windows\system32\wamhjvwiug\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:684
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:804
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:604
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:4084
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:4544
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:2392
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:8832
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:8856
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:7328
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7336
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:7288
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:4072
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5932
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:7304
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:4060
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:7280
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8768
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:4040
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:2832
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7248
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:8744
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:652
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:8660
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:8668
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      Executes dropped EXE
      PID:2984
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:868
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3376
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:4484
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7256
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:8724
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:8684
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:5620
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:8700
- C:\Windows\SysWOW64\arp.exe
  arp -d
  2⤵
  PID:568
- C:\Windows\SysWOW64\wamhjvwiug\smss.exe
  C:\Windows\system32\wamhjvwiug\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:272
- - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
    C:\Windows\system32\hfroyyvmyb\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1364
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1716
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:5532
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:6472
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:7824
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5548
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6496
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:5504
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:3588
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:4716
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:2844
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:5496
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:1632
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:2752
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:3444
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:9180
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:1740
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      PID:320
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        
        PID:1028
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:5388
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:6276
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:9132
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:7368
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:6304
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:8840
- - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
    C:\Windows\system32\wamhjvwiug\smss.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      PID:2420
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        
        PID:2128
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:928
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:5360
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:9140
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:9092
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:6240
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:7556
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:9124
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      PID:5348
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Drops file in System32 directory
        
        PID:6248
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7544
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:9100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b4bbd636c976d3831a309d629337851bcc8d4675dac30c037dc3a9bd1fd8b03fN.exe

Filesize
80KB

MD5
691bbe9926fb1e25fca69011ee582cda

SHA1
38aa194ead7afc4fb00c878dea4ac91a2fbb53ea

SHA256
a89de750c7600fa9ddc08bc8ae7d332bcc7a095a40ff7ee642d152432ca6a777

SHA512
6e48356a9106d02758d2ca551a6d387473f6091ff1d09a26fa70eb3667c959d4ba6e316e09aff3cf3e5708c12ccdcadf4a0aafdcfca33750f6320c8021175209

Download Submit
\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
0609f5fe5fee88412b62aacafc43aedc

SHA1
e36ebd88d34a8b9af2808eb156f108ffc30d6a26

SHA256
b2e599e330c75124b46da9091b2546acff6dddc56d0f21d20e1af892f3ac07d6

SHA512
63f2ce803eed240ea27fcbef2658645a654b157dc8b2c630719bbe16de109467b28de81179cc99625c074dec4b8aa1c473798bcf48a3b394c8ea0be9edecc2d0

Download Submit
memory/272-120-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/272-142-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/344-172-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/344-192-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/344-184-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/344-202-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/556-179-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/556-165-0x0000000001DF0000-0x0000000001E48000-memory.dmp

Filesize
352KB

Download
memory/556-147-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/684-131-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/684-162-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/804-186-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/804-154-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/968-129-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/968-112-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/968-153-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/988-222-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/988-265-0x0000000000290000-0x00000000002E8000-memory.dmp

Filesize
352KB

Download
memory/1268-266-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1364-137-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1364-145-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/1364-164-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1364-158-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/1520-111-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1552-275-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/1552-242-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1656-274-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1716-190-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1716-159-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1716-174-0x0000000000310000-0x0000000000368000-memory.dmp

Filesize
352KB

Download
memory/1716-166-0x0000000000310000-0x0000000000368000-memory.dmp

Filesize
352KB

Download
memory/1752-197-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1752-163-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1776-254-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1776-235-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1800-217-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1800-77-0x0000000000270000-0x00000000002C8000-memory.dmp

Filesize
352KB

Download
memory/1800-89-0x0000000000270000-0x00000000002C8000-memory.dmp

Filesize
352KB

Download
memory/1800-83-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1816-221-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1816-260-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/1816-243-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/1924-90-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1952-213-0x0000000001DF0000-0x0000000001E48000-memory.dmp

Filesize
352KB

Download
memory/1952-204-0x0000000001DF0000-0x0000000001E48000-memory.dmp

Filesize
352KB

Download
memory/1952-193-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1968-180-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1968-170-0x0000000000330000-0x0000000000388000-memory.dmp

Filesize
352KB

Download
memory/1968-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2012-257-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/2012-219-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2012-241-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/2124-60-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2124-41-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2124-55-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download
memory/2124-177-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2124-67-0x0000000000560000-0x00000000005B8000-memory.dmp

Filesize
352KB

Download
memory/2192-191-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2244-255-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2252-259-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2276-264-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2316-173-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2316-207-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2316-194-0x00000000002A0000-0x00000000002F8000-memory.dmp

Filesize
352KB

Download
memory/2364-195-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2452-214-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/2452-224-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/2452-216-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/2452-233-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/2452-203-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2456-167-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2456-200-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2568-124-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2568-96-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2568-28-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2568-104-0x0000000003910000-0x0000000003968000-memory.dmp

Filesize
352KB

Download
memory/2568-248-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2568-43-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2568-17-0x00000000026E0000-0x0000000002738000-memory.dmp

Filesize
352KB

Download
memory/2568-34-0x00000000026E0000-0x0000000002738000-memory.dmp

Filesize
352KB

Download
memory/2568-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2568-69-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2568-118-0x0000000003910000-0x0000000003968000-memory.dmp

Filesize
352KB

Download
memory/2568-247-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2568-4-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2568-30-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2592-256-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/2592-234-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2592-273-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/2596-105-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2600-181-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2600-212-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2632-210-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2632-244-0x0000000000260000-0x00000000002B8000-memory.dmp

Filesize
352KB

Download
memory/2644-46-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2644-58-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2644-160-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2696-215-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2724-218-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2724-171-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2724-183-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2736-187-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2736-220-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2824-198-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2880-209-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2892-276-0x0000000000280000-0x00000000002D8000-memory.dmp

Filesize
352KB

Download
memory/2892-236-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2908-208-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2924-80-0x0000000000460000-0x00000000004B8000-memory.dmp

Filesize
352KB

Download
memory/2924-196-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2924-70-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2924-182-0x0000000002170000-0x00000000021C8000-memory.dmp

Filesize
352KB

Download
memory/2924-169-0x0000000002170000-0x00000000021C8000-memory.dmp

Filesize
352KB

Download
memory/2956-223-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2956-240-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3004-31-0x0000000000370000-0x00000000003C8000-memory.dmp

Filesize
352KB

Download
memory/3004-45-0x0000000000370000-0x00000000003C8000-memory.dmp

Filesize
352KB

Download
memory/3004-35-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3004-23-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3004-140-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download