sality | 000880adc66e24a46b36ddf040972792fcddd22b12ee8ff2540fa581635375e1

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	explorer.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
Sality family
sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	explorer.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	explorer.exe

Disables Task Manager via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2008	explorer.exe

Executes dropped EXE 54 IoCs

pid	Process
1624	explorer.exe
1108	explorer.exe
2008	explorer.exe
2236	explorer.exe
4104	explorer.exe
3568	explorer.exe
380	explorer.exe
4556	smss.exe
1448	explorer.exe
4516	explorer.exe
3380	smss.exe
3892	explorer.exe
1064	explorer.exe
3804	smss.exe
3928	explorer.exe
2928	explorer.exe
1548	smss.exe
3376	explorer.exe
3512	explorer.exe
4932	explorer.exe
4616	explorer.exe
2340	smss.exe
5068	explorer.exe
1704	explorer.exe
4592	explorer.exe
4236	explorer.exe
1112	explorer.exe
1648	smss.exe
528	explorer.exe
4024	explorer.exe
2528	explorer.exe
1812	explorer.exe
2260	smss.exe
3524	explorer.exe
4528	explorer.exe
704	explorer.exe
856	explorer.exe
4624	explorer.exe
1304	explorer.exe
1900	explorer.exe
208	smss.exe
3484	explorer.exe
4052	explorer.exe
3700	explorer.exe
2280	explorer.exe
4700	explorer.exe
2524	smss.exe
3192	explorer.exe
2064	explorer.exe
2384	explorer.exe
408	smss.exe
3096	explorer.exe
1384	explorer.exe
2632	explorer.exe

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	explorer.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\S:	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	F:\autorun.inf	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rmuueugtlu\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3868-0-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3868-3-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-4-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-5-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-7-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-11-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-6-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-10-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-12-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/files/0x000a000000023b6a-22.dat	upx
behavioral2/memory/3868-14-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/1624-23-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3868-21-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-16-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-24-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-25-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-26-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-29-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-30-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1108-35-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3868-34-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/1624-43-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3868-45-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-47-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-49-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-50-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/1624-51-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3868-55-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-58-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/1108-59-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3868-65-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-68-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-69-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-71-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/1108-73-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3868-74-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/3868-75-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2008-82-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3868-90-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/1624-92-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2236-93-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3868-95-0x0000000002290000-0x000000000331E000-memory.dmp	upx
behavioral2/memory/2008-96-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4104-125-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3568-144-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/380-149-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4556-155-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3892-156-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1064-177-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1448-176-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4516-180-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3380-185-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3892-194-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1064-199-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3804-205-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3928-209-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2928-237-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1548-244-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3376-246-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3512-250-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4932-254-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4616-257-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2340-260-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/5068-267-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\PROGRAM FILES\7-ZIP\7z.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zG.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\7zFM.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\7-ZIP\Uninstall.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
File opened for modification	C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM.INI	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
1624	explorer.exe
1624	explorer.exe
1108	explorer.exe
1108	explorer.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
2008	explorer.exe
2008	explorer.exe
2236	explorer.exe
2236	explorer.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
4104	explorer.exe
4104	explorer.exe
3568	explorer.exe
3568	explorer.exe
380	explorer.exe
380	explorer.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
4556	smss.exe
4556	smss.exe
1448	explorer.exe
1448	explorer.exe
4516	explorer.exe
4516	explorer.exe
3380	smss.exe
3380	smss.exe
3892	explorer.exe
3892	explorer.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
1064	explorer.exe
1064	explorer.exe
3804	smss.exe
3804	smss.exe
3928	explorer.exe
3928	explorer.exe
2928	explorer.exe
2928	explorer.exe
1548	smss.exe
1548	smss.exe
3376	explorer.exe
3376	explorer.exe
3512	explorer.exe
3512	explorer.exe
4932	explorer.exe
4932	explorer.exe
4616	explorer.exe
4616	explorer.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
2340	smss.exe
2340	smss.exe
5068	explorer.exe
5068	explorer.exe
1704	explorer.exe
1704	explorer.exe
4592	explorer.exe
4592	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Token: SeDebugPrivilege	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 800	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	9
PID 3868 wrote to memory of 808	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	10
PID 3868 wrote to memory of 412	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	13
PID 3868 wrote to memory of 2540	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	42
PID 3868 wrote to memory of 2572	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	43
PID 3868 wrote to memory of 2836	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	49
PID 3868 wrote to memory of 3448	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	56
PID 3868 wrote to memory of 3608	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	57
PID 3868 wrote to memory of 3792	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	58
PID 3868 wrote to memory of 3884	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	59
PID 3868 wrote to memory of 3948	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	60
PID 3868 wrote to memory of 4036	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	61
PID 3868 wrote to memory of 3068	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	74
PID 3868 wrote to memory of 3628	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	76
PID 3868 wrote to memory of 1624	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	82
PID 3868 wrote to memory of 1624	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	82
PID 3868 wrote to memory of 1624	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	82
PID 1624 wrote to memory of 1108	1624	explorer.exe	83
PID 1624 wrote to memory of 1108	1624	explorer.exe	83
PID 1624 wrote to memory of 1108	1624	explorer.exe	83
PID 3868 wrote to memory of 800	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	9
PID 3868 wrote to memory of 808	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	10
PID 3868 wrote to memory of 412	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	13
PID 3868 wrote to memory of 2540	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	42
PID 3868 wrote to memory of 2572	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	43
PID 3868 wrote to memory of 2836	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	49
PID 3868 wrote to memory of 3448	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	56
PID 3868 wrote to memory of 3608	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	57
PID 3868 wrote to memory of 3792	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	58
PID 3868 wrote to memory of 3884	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	59
PID 3868 wrote to memory of 3948	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	60
PID 3868 wrote to memory of 4036	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	61
PID 3868 wrote to memory of 3068	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	74
PID 3868 wrote to memory of 3628	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	76
PID 3868 wrote to memory of 1624	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	82
PID 3868 wrote to memory of 1624	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	82
PID 3868 wrote to memory of 1108	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	83
PID 3868 wrote to memory of 1108	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	83
PID 1108 wrote to memory of 2008	1108	explorer.exe	84
PID 1108 wrote to memory of 2008	1108	explorer.exe	84
PID 1108 wrote to memory of 2008	1108	explorer.exe	84
PID 2008 wrote to memory of 2236	2008	explorer.exe	85
PID 2008 wrote to memory of 2236	2008	explorer.exe	85
PID 2008 wrote to memory of 2236	2008	explorer.exe	85
PID 3868 wrote to memory of 800	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	9
PID 3868 wrote to memory of 808	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	10
PID 3868 wrote to memory of 412	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	13
PID 3868 wrote to memory of 2540	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	42
PID 3868 wrote to memory of 2572	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	43
PID 3868 wrote to memory of 2836	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	49
PID 3868 wrote to memory of 3448	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	56
PID 3868 wrote to memory of 3608	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	57
PID 3868 wrote to memory of 3792	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	58
PID 3868 wrote to memory of 3884	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	59
PID 3868 wrote to memory of 3948	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	60
PID 3868 wrote to memory of 4036	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	61
PID 3868 wrote to memory of 3068	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	74
PID 3868 wrote to memory of 3628	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	76
PID 3868 wrote to memory of 2008	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	84
PID 3868 wrote to memory of 2008	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	84
PID 3868 wrote to memory of 2236	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	85
PID 3868 wrote to memory of 2236	3868	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe	85
PID 2236 wrote to memory of 4104	2236	explorer.exe	86
PID 2236 wrote to memory of 4104	2236	explorer.exe	86

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	explorer.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:808

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:412

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2572

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2836

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a623d1323ee9b74d08428d2c17f7910.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3868
- - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
    C:\Windows\system32\ydjrkrymyr\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
      C:\Windows\system32\ydjrkrymyr\explorer.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        5⤵
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Deletes itself
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:2008
      - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4104
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3568
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:380
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1448
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3892
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2928
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4616
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1112
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:1384
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        23⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        24⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        25⤵
        
        PID:13568
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        26⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        27⤵
        
        PID:19628
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        28⤵
        
        PID:22416
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        23⤵
        
        PID:18748
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        22⤵
        
        PID:21556
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        23⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        23⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        21⤵
        
        PID:16060
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:21628
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        23⤵
        
        PID:23748
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        20⤵
        
        PID:14916
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:18784
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:21644
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        23⤵
        
        PID:22680
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        19⤵
        
        PID:12824
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:14892
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:18800
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:21636
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        23⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        18⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:13016
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:14936
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:17832
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:21604
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        23⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        23⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15184
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:19192
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:22004
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15012
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:18600
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:21804
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:14228
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:11876
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15220
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:18876
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:22096
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:21176
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:24024
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:10736
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15072
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:18688
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:21860
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        23⤵
        
        PID:19092
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        23⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:13832
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:21224
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:24080
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:19264
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21340
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:10856
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:13332
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15172
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:21912
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        23⤵
        
        PID:23780
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        23⤵
        
        PID:19100
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:21312
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:19272
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21296
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:13752
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:14516
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19300
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21160
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:24012
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:20492
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:16840
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:13436
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15296
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:18472
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:22280
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:24008
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:17432
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:21424
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:14684
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:17076
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:23836
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:12296
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:14744
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:17908
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21588
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:18104
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:408
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:10908
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15204
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:22036
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:18580
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:20556
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:11344
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:23900
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:14676
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:16820
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:12304
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:14736
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:18100
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21596
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:12624
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19432
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:23804
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:3096
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:13412
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15288
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:19464
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:22272
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:20560
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:18740
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:17264
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:468
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:14720
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:17712
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:24348
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:20980
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:12600
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:14756
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:17536
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:21108
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:17596
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:12448
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:14768
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:18076
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21580
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:12292
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:22728
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:14776
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:17948
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21660
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:3700
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:11160
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:13656
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15476
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:19780
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:22140
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:21852
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:18956
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21884
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:15128
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22080
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:13356
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15212
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19196
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22020
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15136
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22028
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:10840
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15320
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19472
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22264
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:8940
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:10696
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15080
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:18680
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21876
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:23660
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:20636
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:704
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:13664
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15468
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:19788
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:21952
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:24092
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:19008
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22052
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:15280
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22064
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:13468
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19604
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22352
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13444
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19532
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22252
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13484
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19612
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22360
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13476
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19596
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22368
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:23608
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13616
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15448
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19756
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21512
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:20868
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:21700
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:16316
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2340
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:856
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4700
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:624
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:15364
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:20604
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        22⤵
        
        PID:22744
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        21⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        20⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        19⤵
        
        PID:16184
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        18⤵
        
        PID:20720
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        17⤵
        
        PID:24044
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:20036
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:22900
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:15616
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19948
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:13776
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15604
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19928
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:22716
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:11208
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13756
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15584
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19908
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:22572
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13920
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15816
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20236
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:23300
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13864
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15764
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20160
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:23108
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:8132
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10008
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:10264
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13844
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15732
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20120
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22952
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:22488
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13836
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15724
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20112
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:23020
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:22496
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:19736
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:22452
      - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1548
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5068
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3192
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:14432
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:19240
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:21328
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:20852
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        22⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        21⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        20⤵
        
        PID:23708
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:16192
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20400
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:19868
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16144
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22944
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:23084
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:15908
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:11228
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14188
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16104
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:22824
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14212
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16136
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19864
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:584
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:19844
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:16124
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14292
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16212
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:19776
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:16024
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:18708
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:14308
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:21176
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14136
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16084
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:22668
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14116
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16076
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:9496
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:23528
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:19956
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14316
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16236
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20492
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:18464
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:23432
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:19988
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:15616
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:12624
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:22960
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:20084
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:15684
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20016
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:22768
    - - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3804
      - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3512
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4592
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1900
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:10924
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:13384
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:19544
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:22376
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:18516
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:21416
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:12616
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:19360
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21440
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:14580
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:19372
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:21232
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14612
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:19400
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:19088
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:13096
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14404
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:19136
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21104
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:23984
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:12552
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:16232
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:13280
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:19080
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21040
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:640
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:24180
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11848
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14492
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:19212
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21240
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:23940
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:16212
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:23252
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:13232
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14284
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:18976
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20908
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:20628
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:14248
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:12180
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:17580
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:24064
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:19972
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:22936
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:23076
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14412
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:19128
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21116
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:23928
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:12396
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:16264
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:23936
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:20876
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:16200
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:19992
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:23504
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:18440
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:15892
      - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        6⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11764
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14440
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:19232
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21304
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:12912
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:14240
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:19964
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:22912
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:16184
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:19896
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:14260
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:16220
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20416
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:20344
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:13916
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:20472
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:23536
  - - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
      C:\Windows\system32\rmuueugtlu\smss.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3380
    - - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3928
      - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4932
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3524
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:13624
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:15428
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:19712
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:22460
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:21692
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:18512
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21572
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:19324
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:19140
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:14956
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:18828
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21652
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:19296
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14948
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:17880
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21620
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:18940
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21868
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:20972
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:18812
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:15004
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:18592
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21796
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:7596
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:15144
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:22044
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:20608
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:12744
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14868
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:18152
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21612
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:20956
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:16792
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:20936
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8916
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:15244
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:19524
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:22344
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:18732
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:21032
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:19060
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20964
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:15932
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:19968
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:23968
      - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        6⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:15020
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:18608
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:21816
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:20612
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:21012
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:12332
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:19040
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20944
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:17532
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:24276
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:19096
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:21096
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:23976
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:21060
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:16160
    - - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        5⤵
        
        PID:5488
      - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        6⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:7780
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:15152
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:22012
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:21428
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:19336
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:21348
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:20764
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:14532
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:19288
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20840
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:23996
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:19076
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:7896
      - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        6⤵
        
        PID:11884
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:19420
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:21448
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:9436
- - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
    C:\Windows\system32\rmuueugtlu\smss.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4556
  - - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
      C:\Windows\system32\ydjrkrymyr\explorer.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4516
    - - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1064
      - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3376
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1304
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        
        PID:2064
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        17⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        18⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        19⤵
        
        PID:14424
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        20⤵
        
        PID:19204
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        21⤵
        
        PID:21232
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        22⤵
        
        PID:24264
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        21⤵
        
        PID:23652
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        20⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        19⤵
        
        PID:24196
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:19872
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:20620
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20660
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:14076
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:13820
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20720
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20764
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:14192
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:16048
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:20740
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:24004
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11292
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20652
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:8196
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:15628
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:15940
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16328
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20564
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:13600
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16320
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20516
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:22856
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:15980
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:16168
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:20644
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:23192
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:724
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:224
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:14308
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16228
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20508
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:22612
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:20004
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:23508
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:20092
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:22828
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:13736
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:16336
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20500
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:20364
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:23336
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:23468
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:15936
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:20584
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:16136
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:20076
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:22876
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:15704
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20044
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:22868
      - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        6⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20712
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:19964
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:20504
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:20692
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:23476
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:20452
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:15976
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20408
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:19908
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:15632
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:23048
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:14080
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:15896
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20420
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8292
    - - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        5⤵
        
        PID:2272
      - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        6⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:15564
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20772
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        15⤵
        
        PID:18028
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:12628
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:20580
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:20012
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:15968
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:19496
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:22672
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:14072
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:15888
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20340
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:23336
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:22796
      - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        6⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:13968
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:15848
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20304
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:23268
  - - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
      C:\Windows\system32\rmuueugtlu\smss.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      PID:2524
    - - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        5⤵
        
        PID:436
      - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        6⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        11⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        12⤵
        
        PID:11312
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        13⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        14⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        15⤵
        
        PID:20612
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        16⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        16⤵
        
        PID:19980
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        14⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        13⤵
        
        PID:20500
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        12⤵
        
        PID:20496
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        11⤵
        
        PID:20684
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        10⤵
        
        PID:23364
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        9⤵
        
        PID:20368
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:23540
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:15984
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:19492
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        7⤵
        
        PID:14064
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:15960
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20476
        
        C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        8⤵
        
        PID:13696
      - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        6⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:13960
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:15856
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20284
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:23280
    - - C:\Windows\SysWOW64\rmuueugtlu\smss.exe
        
        C:\Windows\system32\rmuueugtlu\smss.exe
        5⤵
        
        PID:10064
      - C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        6⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        7⤵
        
        PID:13940
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        8⤵
        
        PID:15808
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        9⤵
        
        PID:20244
        
        C:\Windows\SysWOW64\ydjrkrymyr\explorer.exe
        
        C:\Windows\system32\ydjrkrymyr\explorer.exe
        10⤵
        
        PID:23320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3608

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3792

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3948

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4036

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3628

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:23136

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:6264

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:13912

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:22604

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:18856

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:1236

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:23880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry