floxif | 1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209

Analysis

max time kernel
118s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 18:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
Size

161KB
MD5

5d41349e1ffbcf6a9b28bb26ca269990
SHA1

003990114fe981a7986460521044a00953194697
SHA256

1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209
SHA512

b58240d7aca9324cddeb05858444984e228219adfee79e9dd46ba000960d4920500f86d79c8b9435f2bacf29170311af455a35b66fe39b9952837bcdbde377a2
SSDEEP

3072:MQHcnrJXSUBz2+KWaxXLBUVfqHnpQuF4BOoTjcIDiFx7A:0V8+n0XdUVApQDTcXFx7A

Score

10^/10

floxif backdoor discovery trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000d000000023b5c-2.dat	floxif

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000d000000023b5c-2.dat	acprotect

Executes dropped EXE 64 IoCs

pid	Process
3220	explorer.exe
3844	explorer.exe
4120	explorer.exe
2328	explorer.exe
1432	explorer.exe
1928	explorer.exe
1496	explorer.exe
768	explorer.exe
2964	smss.exe
4824	explorer.exe
2752	smss.exe
4376	explorer.exe
232	smss.exe
4244	explorer.exe
1608	explorer.exe
2164	explorer.exe
1932	smss.exe
1880	explorer.exe
2984	explorer.exe
672	explorer.exe
3992	explorer.exe
864	smss.exe
2216	explorer.exe
3592	explorer.exe
3032	explorer.exe
1240	explorer.exe
2240	explorer.exe
900	smss.exe
732	explorer.exe
3640	explorer.exe
4500	explorer.exe
4028	explorer.exe
3388	explorer.exe
2536	smss.exe
2256	explorer.exe
1488	explorer.exe
4396	explorer.exe
4496	explorer.exe
1456	smss.exe
4336	explorer.exe
3792	explorer.exe
3528	explorer.exe
1096	explorer.exe
756	explorer.exe
1484	explorer.exe
4364	explorer.exe
452	explorer.exe
3120	explorer.exe
1076	smss.exe
4324	explorer.exe
2068	explorer.exe
3932	explorer.exe
2436	explorer.exe
3264	smss.exe
4916	explorer.exe
1584	explorer.exe
3832	explorer.exe
1344	explorer.exe
3764	smss.exe
3116	explorer.exe
3580	explorer.exe
3872	explorer.exe
3332	explorer.exe
2524	smss.exe

Loads dropped DLL 1 IoCs

pid	Process
3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe

Network Service Discovery 1 TTPs 9 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2396	arp.exe
220	arp.exe
4324	arp.exe
2960	arp.exe
1368	arp.exe
3572	arp.exe
1076	arp.exe
2164	arp.exe
3672	arp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\wamhjvwiug\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3780-0-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000d000000023b5c-2.dat	upx
behavioral2/memory/3780-5-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-12.dat	upx
behavioral2/memory/3220-21-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3780-26-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3780-27-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral2/memory/3220-31-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3780-33-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral2/memory/3844-39-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4120-45-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3780-48-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral2/memory/2328-53-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1432-59-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1928-65-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1496-74-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/768-81-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2964-84-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/232-88-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3780-86-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3220-91-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4824-94-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2752-96-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4376-98-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/232-107-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3844-104-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4244-109-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1608-111-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2164-114-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1932-122-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1880-124-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4120-118-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2984-126-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/672-129-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3992-135-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/864-137-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2328-139-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2216-141-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3592-146-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2984-145-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4028-151-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1240-150-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3032-148-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/672-156-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2240-158-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2256-163-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/900-162-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3992-161-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1432-165-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/864-166-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/732-167-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2216-169-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3640-170-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4028-182-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4500-181-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3388-184-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2536-186-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2256-191-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3528-192-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1488-194-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3780-197-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3780-198-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral2/memory/4396-206-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4496-209-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\symsrv.dll	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	arp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
3220	explorer.exe
3220	explorer.exe
3844	explorer.exe
3844	explorer.exe
3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
4120	explorer.exe
4120	explorer.exe
3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
2328	explorer.exe
2328	explorer.exe
1432	explorer.exe
1432	explorer.exe
1928	explorer.exe
1928	explorer.exe
1496	explorer.exe
1496	explorer.exe
768	explorer.exe
768	explorer.exe
2964	smss.exe
2964	smss.exe
4824	explorer.exe
4824	explorer.exe
2752	smss.exe
2752	smss.exe
4376	explorer.exe
4376	explorer.exe
232	smss.exe
232	smss.exe
4244	explorer.exe
4244	explorer.exe
1608	explorer.exe
1608	explorer.exe
2164	explorer.exe
2164	explorer.exe
1932	smss.exe
1932	smss.exe
1880	explorer.exe
1880	explorer.exe
2984	explorer.exe
2984	explorer.exe
672	explorer.exe
672	explorer.exe
3992	explorer.exe
3992	explorer.exe
864	smss.exe
864	smss.exe
2216	explorer.exe
2216	explorer.exe
3592	explorer.exe
3592	explorer.exe
3032	explorer.exe
3032	explorer.exe
1240	explorer.exe
1240	explorer.exe
2240	explorer.exe
2240	explorer.exe
900	smss.exe
900	smss.exe
732	explorer.exe
732	explorer.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
Token: SeLoadDriverPrivilege	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
Token: SeLoadDriverPrivilege	3220	explorer.exe
Token: SeLoadDriverPrivilege	3844	explorer.exe
Token: SeLoadDriverPrivilege	4120	explorer.exe
Token: SeLoadDriverPrivilege	2328	explorer.exe
Token: SeLoadDriverPrivilege	1432	explorer.exe
Token: SeLoadDriverPrivilege	1928	explorer.exe
Token: SeLoadDriverPrivilege	1496	explorer.exe
Token: SeLoadDriverPrivilege	768	explorer.exe
Token: SeLoadDriverPrivilege	2964	smss.exe
Token: SeLoadDriverPrivilege	4824	explorer.exe
Token: SeLoadDriverPrivilege	2752	smss.exe
Token: SeLoadDriverPrivilege	4376	explorer.exe
Token: SeLoadDriverPrivilege	232	smss.exe
Token: SeLoadDriverPrivilege	4244	explorer.exe
Token: SeLoadDriverPrivilege	1608	explorer.exe
Token: SeLoadDriverPrivilege	2164	explorer.exe
Token: SeLoadDriverPrivilege	1932	smss.exe
Token: SeLoadDriverPrivilege	1880	explorer.exe
Token: SeLoadDriverPrivilege	2984	explorer.exe
Token: SeLoadDriverPrivilege	672	explorer.exe
Token: SeLoadDriverPrivilege	3992	explorer.exe
Token: SeLoadDriverPrivilege	864	smss.exe
Token: SeLoadDriverPrivilege	2216	explorer.exe
Token: SeLoadDriverPrivilege	3592	explorer.exe
Token: SeLoadDriverPrivilege	3032	explorer.exe
Token: SeLoadDriverPrivilege	1240	explorer.exe
Token: SeLoadDriverPrivilege	2240	explorer.exe
Token: SeLoadDriverPrivilege	900	smss.exe
Token: SeLoadDriverPrivilege	732	explorer.exe
Token: SeLoadDriverPrivilege	3640	explorer.exe
Token: SeLoadDriverPrivilege	4500	explorer.exe
Token: SeLoadDriverPrivilege	4028	explorer.exe
Token: SeLoadDriverPrivilege	3388	explorer.exe
Token: SeLoadDriverPrivilege	2536	smss.exe
Token: SeLoadDriverPrivilege	2256	explorer.exe
Token: SeLoadDriverPrivilege	1488	explorer.exe
Token: SeLoadDriverPrivilege	4396	explorer.exe
Token: SeLoadDriverPrivilege	4496	explorer.exe
Token: SeLoadDriverPrivilege	1456	smss.exe
Token: SeLoadDriverPrivilege	4336	explorer.exe
Token: SeLoadDriverPrivilege	3792	explorer.exe
Token: SeLoadDriverPrivilege	3528	explorer.exe
Token: SeLoadDriverPrivilege	1096	explorer.exe
Token: SeLoadDriverPrivilege	1484	explorer.exe
Token: SeLoadDriverPrivilege	4364	explorer.exe
Token: SeLoadDriverPrivilege	452	explorer.exe
Token: SeLoadDriverPrivilege	1076	smss.exe
Token: SeLoadDriverPrivilege	3120	explorer.exe
Token: SeLoadDriverPrivilege	4324	explorer.exe
Token: SeLoadDriverPrivilege	2068	explorer.exe
Token: SeLoadDriverPrivilege	3932	explorer.exe
Token: SeLoadDriverPrivilege	2436	explorer.exe
Token: SeLoadDriverPrivilege	3264	smss.exe
Token: SeLoadDriverPrivilege	4916	explorer.exe
Token: SeLoadDriverPrivilege	1584	explorer.exe
Token: SeLoadDriverPrivilege	3832	explorer.exe
Token: SeLoadDriverPrivilege	1344	explorer.exe
Token: SeLoadDriverPrivilege	3764	smss.exe
Token: SeLoadDriverPrivilege	3580	explorer.exe
Token: SeLoadDriverPrivilege	3116	explorer.exe
Token: SeLoadDriverPrivilege	3872	explorer.exe
Token: SeLoadDriverPrivilege	3332	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 2960	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	82
PID 3780 wrote to memory of 2960	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	82
PID 3780 wrote to memory of 2960	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	82
PID 3780 wrote to memory of 1076	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	84
PID 3780 wrote to memory of 1076	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	84
PID 3780 wrote to memory of 1076	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	84
PID 3780 wrote to memory of 3572	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	85
PID 3780 wrote to memory of 3572	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	85
PID 3780 wrote to memory of 3572	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	85
PID 3780 wrote to memory of 1368	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	86
PID 3780 wrote to memory of 1368	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	86
PID 3780 wrote to memory of 1368	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	86
PID 3780 wrote to memory of 2164	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	87
PID 3780 wrote to memory of 2164	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	87
PID 3780 wrote to memory of 2164	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	87
PID 3780 wrote to memory of 3672	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	88
PID 3780 wrote to memory of 3672	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	88
PID 3780 wrote to memory of 3672	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	88
PID 3780 wrote to memory of 2396	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	89
PID 3780 wrote to memory of 2396	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	89
PID 3780 wrote to memory of 2396	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	89
PID 3780 wrote to memory of 220	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	90
PID 3780 wrote to memory of 220	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	90
PID 3780 wrote to memory of 220	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	90
PID 3780 wrote to memory of 4324	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	91
PID 3780 wrote to memory of 4324	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	91
PID 3780 wrote to memory of 4324	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	91
PID 3780 wrote to memory of 3220	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	100
PID 3780 wrote to memory of 3220	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	100
PID 3780 wrote to memory of 3220	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	100
PID 3220 wrote to memory of 3844	3220	explorer.exe	101
PID 3220 wrote to memory of 3844	3220	explorer.exe	101
PID 3220 wrote to memory of 3844	3220	explorer.exe	101
PID 3844 wrote to memory of 4120	3844	explorer.exe	106
PID 3844 wrote to memory of 4120	3844	explorer.exe	106
PID 3844 wrote to memory of 4120	3844	explorer.exe	106
PID 3780 wrote to memory of 4904	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	107
PID 3780 wrote to memory of 4904	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	107
PID 3780 wrote to memory of 4904	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	107
PID 4120 wrote to memory of 2328	4120	explorer.exe	110
PID 4120 wrote to memory of 2328	4120	explorer.exe	110
PID 4120 wrote to memory of 2328	4120	explorer.exe	110
PID 2328 wrote to memory of 1432	2328	explorer.exe	113
PID 2328 wrote to memory of 1432	2328	explorer.exe	113
PID 2328 wrote to memory of 1432	2328	explorer.exe	113
PID 1432 wrote to memory of 1928	1432	explorer.exe	114
PID 1432 wrote to memory of 1928	1432	explorer.exe	114
PID 1432 wrote to memory of 1928	1432	explorer.exe	114
PID 1928 wrote to memory of 1496	1928	explorer.exe	115
PID 1928 wrote to memory of 1496	1928	explorer.exe	115
PID 1928 wrote to memory of 1496	1928	explorer.exe	115
PID 1496 wrote to memory of 768	1496	explorer.exe	117
PID 1496 wrote to memory of 768	1496	explorer.exe	117
PID 1496 wrote to memory of 768	1496	explorer.exe	117
PID 3780 wrote to memory of 2964	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	118
PID 3780 wrote to memory of 2964	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	118
PID 3780 wrote to memory of 2964	3780	1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe	118
PID 768 wrote to memory of 4824	768	explorer.exe	120
PID 768 wrote to memory of 4824	768	explorer.exe	120
PID 768 wrote to memory of 4824	768	explorer.exe	120
PID 3220 wrote to memory of 2752	3220	explorer.exe	121
PID 3220 wrote to memory of 2752	3220	explorer.exe	121
PID 3220 wrote to memory of 2752	3220	explorer.exe	121
PID 2964 wrote to memory of 4376	2964	smss.exe	122

C:\Users\Admin\AppData\Local\Temp\1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe
"C:\Users\Admin\AppData\Local\Temp\1a4c71054889370aafcbf35bf9d76eb32904c3f0686d56e5cf8ce73c60b2a209N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Windows\SysWOW64\arp.exe
  arp -a
  2⤵
  - Network Service Discovery
  PID:2960
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.0.1 b8-d8-43-b3-57-8a
  2⤵
  - Network Service Discovery
  PID:1076
- C:\Windows\SysWOW64\arp.exe
  arp -s 10.127.255.255 e6-86-1c-53-b5-ef
  2⤵
  - Network Service Discovery
  PID:3572
- C:\Windows\SysWOW64\arp.exe
  arp -s 37.27.61.183 7c-b4-5b-bd-f2-1b
  2⤵
  - Network Service Discovery
  PID:1368
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.22 66-aa-d2-5c-05-5c
  2⤵
  - Network Service Discovery
  PID:2164
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.251 58-1e-f5-98-2b-9c
  2⤵
  - Network Service Discovery
  - System Location Discovery: System Language Discovery
  PID:3672
- C:\Windows\SysWOW64\arp.exe
  arp -s 224.0.0.252 60-82-91-be-c4-3d
  2⤵
  - Network Service Discovery
  PID:2396
- C:\Windows\SysWOW64\arp.exe
  arp -s 239.255.255.250 4b-10-f8-1f-74-e3
  2⤵
  - Network Service Discovery
  PID:220
- C:\Windows\SysWOW64\arp.exe
  arp -s 255.255.255.255 9b-9d-8e-b6-c2-c6
  2⤵
  - Network Service Discovery
  PID:4324
- C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
  C:\Windows\system32\hfroyyvmyb\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
    C:\Windows\system32\hfroyyvmyb\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3844
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4120
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3332
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:2220
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:5212
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:6136
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        22⤵
        Drops file in System32 directory
        
        PID:6560
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        23⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        24⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        25⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        26⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        20⤵
        
        PID:11000
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        19⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:10992
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:9356
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        17⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:232
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:9348
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        16⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:9340
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:11024
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        15⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:924
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:6336
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:888
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:10808
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:7756
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:1680
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:10784
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:10508
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:1476
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3764
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:4944
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:6376
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:7968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:10864
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:10568
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10556
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:748
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5148
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:6480
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:4512
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10708
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:6888
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:7344
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10624
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:9244
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:10964
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:7892
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:10896
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9260
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10984
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:9780
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:11304
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:9648
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:9616
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9744
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Drops file in System32 directory
        
        PID:5432
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:6764
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7412
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:208
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:7100
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:3672
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:11932
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:10156
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:11788
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:11852
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:11860
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6100
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:11868
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:732
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4364
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3832
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:2252
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5668
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:6276
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:8036
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        20⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        14⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:12120
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:12080
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8976
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9932
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:12088
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:4896
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8916
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:11972
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3640
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4496
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:8168
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:8152
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:9108
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10264
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:8176
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:8112
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10300
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:5724
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:848
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:6448
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10272
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10296
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:528
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5696
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5384
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9056
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:532
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:1084
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:232
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3592
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4500
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4336
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5192
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:6568
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:7652
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10972
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7008
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:4680
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:11016
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:228
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10824
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:3144
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:4356
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:10452
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Drops file in System32 directory
        
        PID:2424
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4780
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7424
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:10460
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:10468
- - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
    C:\Windows\system32\wamhjvwiug\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1608
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3932
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:404
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:4988
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:6736
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:9532
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8236
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:7328
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:6664
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7312
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8300
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5360
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7320
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8292
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:1800
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8244
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:9524
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:11228
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:1352
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:952
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8344
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:11220
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:11256
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      PID:2524
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        
        PID:1312
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7392
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8412
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:11296
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:11212
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:4176
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Drops file in System32 directory
        
        PID:8212
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9460
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:9696
- C:\Windows\SysWOW64\arp.exe
  arp -d
  2⤵
  PID:4904
- C:\Windows\SysWOW64\wamhjvwiug\smss.exe
  C:\Windows\system32\wamhjvwiug\smss.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
    C:\Windows\system32\hfroyyvmyb\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4376
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2164
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        14⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:7020
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:7744
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:8740
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:10164
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        19⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        13⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        12⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:11620
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        11⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:11716
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        10⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:8684
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:11708
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        9⤵
        Drops file in System32 directory
        
        PID:6904
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8660
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:10088
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        8⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:7692
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:10060
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5808
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7644
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:11668
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:5448
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:2500
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8620
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:9988
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:11496
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:2072
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6864
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7600
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8588
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:11448
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9864
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:11456
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      PID:5060
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        Drops file in System32 directory
        
        PID:1972
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:5456
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        
        PID:10020
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        
        PID:11688
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:11504
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:11428
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        
        PID:8540
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:11420
- - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
    C:\Windows\system32\wamhjvwiug\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3264
  - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
      C:\Windows\system32\hfroyyvmyb\explorer.exe
      4⤵
      Drops file in System32 directory
      PID:2120
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        
        PID:1676
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        8⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6988
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        11⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:10096
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:11740
        
        C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        7⤵
        
        PID:11516
      - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        6⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:11564
    - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
        
        C:\Windows\system32\wamhjvwiug\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:8580
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:11556
  - - C:\Windows\SysWOW64\wamhjvwiug\smss.exe
      C:\Windows\system32\wamhjvwiug\smss.exe
      4⤵
      PID:7564
    - - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        5⤵
        
        PID:8564
      - C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        6⤵
        
        PID:9908
        
        C:\Windows\SysWOW64\hfroyyvmyb\explorer.exe
        
        C:\Windows\system32\hfroyyvmyb\explorer.exe
        7⤵
        
        PID:11468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\symsrv.dll

Filesize
72KB

MD5
0609f5fe5fee88412b62aacafc43aedc

SHA1
e36ebd88d34a8b9af2808eb156f108ffc30d6a26

SHA256
b2e599e330c75124b46da9091b2546acff6dddc56d0f21d20e1af892f3ac07d6

SHA512
63f2ce803eed240ea27fcbef2658645a654b157dc8b2c630719bbe16de109467b28de81179cc99625c074dec4b8aa1c473798bcf48a3b394c8ea0be9edecc2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1D26E2\808AB0CEC4.tmp

Filesize
80KB

MD5
691bbe9926fb1e25fca69011ee582cda

SHA1
38aa194ead7afc4fb00c878dea4ac91a2fbb53ea

SHA256
a89de750c7600fa9ddc08bc8ae7d332bcc7a095a40ff7ee642d152432ca6a777

SHA512
6e48356a9106d02758d2ca551a6d387473f6091ff1d09a26fa70eb3667c959d4ba6e316e09aff3cf3e5708c12ccdcadf4a0aafdcfca33750f6320c8021175209

Download Submit
memory/224-302-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/232-88-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/232-107-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/452-247-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/672-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/672-129-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/732-167-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/756-238-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/768-81-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/864-166-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/864-137-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/900-162-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1076-249-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1076-224-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1096-230-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1240-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1312-309-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1344-275-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1352-308-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1432-165-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1432-59-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1456-213-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1484-240-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1488-194-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1496-74-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1584-268-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1608-111-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1880-124-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1928-65-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1932-122-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1972-317-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2008-315-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2068-261-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2120-298-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2164-114-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2216-141-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2216-169-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2240-158-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2256-191-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2256-163-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2328-139-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2328-53-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2424-311-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2436-263-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2524-289-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2536-186-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2724-282-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2724-307-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2752-96-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2896-301-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2964-84-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2984-145-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2984-126-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3032-148-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3116-277-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3120-248-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3148-299-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3220-91-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3220-21-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3220-31-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3220-232-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3264-264-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3332-288-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3388-184-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3528-227-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3528-192-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3580-280-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3592-146-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3640-170-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3684-310-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3764-276-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3780-5-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3780-198-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3780-197-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3780-86-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3780-27-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3780-48-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3780-33-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/3780-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3780-26-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3792-225-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3828-316-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3832-269-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3844-254-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3844-39-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3844-104-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3872-281-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3932-262-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3992-135-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3992-161-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4028-151-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4028-182-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4120-45-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4120-118-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4120-284-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4244-109-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4324-228-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4324-252-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4336-223-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4364-244-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4376-98-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4384-296-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4396-206-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4416-295-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4496-209-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4500-181-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4824-94-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4916-265-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5060-297-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download