d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe
Size

351KB
MD5

81819200a31a194923510503aeda6880
SHA1

f6c901d14402d6bd5e449840f899bee57c291a77
SHA256

d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7
SHA512

0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2
SSDEEP

3072:a8EU6GdwTYBpL/d8mvVvsyb988mNwMRjpL/uuwMRjpL/OFwMRjpL/k2wMRjpL/mD:1EtjTq/mmvV88XQp/6Qp/BQp/cQp/f+H

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3872	explorer.exe
1912	explorer.exe
1264	explorer.exe
1960	explorer.exe
4320	explorer.exe
5028	explorer.exe
460	explorer.exe
4680	explorer.exe
5080	smss.exe
5104	explorer.exe
1072	smss.exe
1796	explorer.exe
1812	smss.exe
3460	explorer.exe
4696	explorer.exe
1724	explorer.exe
1388	smss.exe
3428	explorer.exe
4960	explorer.exe
4192	explorer.exe
1952	explorer.exe
4048	smss.exe
2316	explorer.exe
428	explorer.exe
4372	explorer.exe
3120	explorer.exe
1632	explorer.exe
1424	smss.exe
4728	explorer.exe
316	explorer.exe
3916	explorer.exe
4892	explorer.exe
4840	explorer.exe
368	smss.exe
3648	explorer.exe
1780	explorer.exe
116	explorer.exe
952	explorer.exe
3808	explorer.exe
3848	smss.exe
3908	explorer.exe
232	explorer.exe
228	explorer.exe
4692	explorer.exe
3696	explorer.exe
3400	explorer.exe
4900	explorer.exe
4360	explorer.exe
2452	smss.exe
3024	explorer.exe
2460	explorer.exe
3464	explorer.exe
4444	explorer.exe
492	smss.exe
2128	explorer.exe
2972	explorer.exe
4640	explorer.exe
1668	explorer.exe
3188	explorer.exe
4928	explorer.exe
2596	smss.exe
916	explorer.exe
4852	explorer.exe
4280	smss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1836-132-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-134.dat	upx
behavioral2/files/0x0001000000022dfc-135.dat	upx
behavioral2/memory/3872-136-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022dfd-137.dat	upx
behavioral2/files/0x0001000000022dfc-139.dat	upx
behavioral2/memory/1912-140-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0002000000022dfd-141.dat	upx
behavioral2/files/0x0001000000022dfc-143.dat	upx
behavioral2/memory/1264-144-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1836-145-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3872-146-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0003000000022dfd-147.dat	upx
behavioral2/files/0x0001000000022dfc-149.dat	upx
behavioral2/memory/1960-150-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1912-151-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022e04-152.dat	upx
behavioral2/files/0x0001000000022dfc-154.dat	upx
behavioral2/memory/4320-155-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1264-156-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0002000000022e04-157.dat	upx
behavioral2/files/0x0001000000022dfc-159.dat	upx
behavioral2/memory/5028-160-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1960-161-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0003000000022e04-162.dat	upx
behavioral2/files/0x0001000000022dfc-164.dat	upx
behavioral2/memory/460-165-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4320-166-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0004000000022e04-167.dat	upx
behavioral2/files/0x0001000000022dfc-169.dat	upx
behavioral2/memory/4680-170-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0005000000022e04-172.dat	upx
behavioral2/files/0x0005000000022e04-173.dat	upx
behavioral2/memory/5028-174-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/5080-175-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-177.dat	upx
behavioral2/memory/5104-178-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0005000000022e04-180.dat	upx
behavioral2/memory/460-181-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1072-182-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-184.dat	upx
behavioral2/memory/1796-185-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0005000000022e04-187.dat	upx
behavioral2/files/0x0001000000022dfc-189.dat	upx
behavioral2/memory/4680-190-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1812-191-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3460-192-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-194.dat	upx
behavioral2/memory/4696-195-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-197.dat	upx
behavioral2/memory/5080-198-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1724-199-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0005000000022e04-201.dat	upx
behavioral2/memory/1388-202-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-204.dat	upx
behavioral2/files/0x0001000000022dfc-206.dat	upx
behavioral2/memory/5104-207-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3428-208-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4960-209-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-211.dat	upx
behavioral2/memory/1072-212-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4192-213-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0001000000022dfc-215.dat	upx
behavioral2/memory/1796-216-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\f:	smss.exe
File opened (read-only)	\??\f:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\n:	smss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\nrgikhclnh\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rotpcifdhx\smss.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1836	d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe
1836	d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe
3872	explorer.exe
3872	explorer.exe
1912	explorer.exe
1912	explorer.exe
1264	explorer.exe
1264	explorer.exe
1960	explorer.exe
1960	explorer.exe
4320	explorer.exe
4320	explorer.exe
5028	explorer.exe
5028	explorer.exe
460	explorer.exe
460	explorer.exe
4680	explorer.exe
4680	explorer.exe
5080	smss.exe
5080	smss.exe
5104	explorer.exe
5104	explorer.exe
1072	smss.exe
1072	smss.exe
1796	explorer.exe
1796	explorer.exe
1812	smss.exe
1812	smss.exe
3460	explorer.exe
3460	explorer.exe
4696	explorer.exe
4696	explorer.exe
1724	explorer.exe
1724	explorer.exe
1388	smss.exe
1388	smss.exe
3428	explorer.exe
3428	explorer.exe
4960	explorer.exe
4960	explorer.exe
4192	explorer.exe
4192	explorer.exe
1952	explorer.exe
1952	explorer.exe
4048	smss.exe
4048	smss.exe
2316	explorer.exe
2316	explorer.exe
428	explorer.exe
428	explorer.exe
4372	explorer.exe
4372	explorer.exe
3120	explorer.exe
3120	explorer.exe
1632	explorer.exe
1632	explorer.exe
1424	smss.exe
1424	smss.exe
4728	explorer.exe
4728	explorer.exe
316	explorer.exe
316	explorer.exe
3916	explorer.exe
3916	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	1836	d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe
Token: SeLoadDriverPrivilege	3872	explorer.exe
Token: SeLoadDriverPrivilege	1912	explorer.exe
Token: SeLoadDriverPrivilege	1264	explorer.exe
Token: SeLoadDriverPrivilege	1960	explorer.exe
Token: SeLoadDriverPrivilege	4320	explorer.exe
Token: SeLoadDriverPrivilege	5028	explorer.exe
Token: SeLoadDriverPrivilege	460	explorer.exe
Token: SeLoadDriverPrivilege	4680	explorer.exe
Token: SeLoadDriverPrivilege	5080	smss.exe
Token: SeLoadDriverPrivilege	5104	explorer.exe
Token: SeLoadDriverPrivilege	1072	smss.exe
Token: SeLoadDriverPrivilege	1796	explorer.exe
Token: SeLoadDriverPrivilege	1812	smss.exe
Token: SeLoadDriverPrivilege	3460	explorer.exe
Token: SeLoadDriverPrivilege	4696	explorer.exe
Token: SeLoadDriverPrivilege	1724	explorer.exe
Token: SeLoadDriverPrivilege	1388	smss.exe
Token: SeLoadDriverPrivilege	3428	explorer.exe
Token: SeLoadDriverPrivilege	4960	explorer.exe
Token: SeLoadDriverPrivilege	4192	explorer.exe
Token: SeLoadDriverPrivilege	1952	explorer.exe
Token: SeLoadDriverPrivilege	4048	smss.exe
Token: SeLoadDriverPrivilege	2316	explorer.exe
Token: SeLoadDriverPrivilege	428	explorer.exe
Token: SeLoadDriverPrivilege	4372	explorer.exe
Token: SeLoadDriverPrivilege	3120	explorer.exe
Token: SeLoadDriverPrivilege	1632	explorer.exe
Token: SeLoadDriverPrivilege	1424	smss.exe
Token: SeLoadDriverPrivilege	4728	explorer.exe
Token: SeLoadDriverPrivilege	316	explorer.exe
Token: SeLoadDriverPrivilege	3916	explorer.exe
Token: SeLoadDriverPrivilege	4892	explorer.exe
Token: SeLoadDriverPrivilege	4840	explorer.exe
Token: SeLoadDriverPrivilege	368	smss.exe
Token: SeLoadDriverPrivilege	3648	explorer.exe
Token: SeLoadDriverPrivilege	1780	explorer.exe
Token: SeLoadDriverPrivilege	116	explorer.exe
Token: SeLoadDriverPrivilege	952	explorer.exe
Token: SeLoadDriverPrivilege	3808	explorer.exe
Token: SeLoadDriverPrivilege	3848	smss.exe
Token: SeLoadDriverPrivilege	3908	explorer.exe
Token: SeLoadDriverPrivilege	232	explorer.exe
Token: SeLoadDriverPrivilege	228	explorer.exe
Token: SeLoadDriverPrivilege	4692	explorer.exe
Token: SeLoadDriverPrivilege	3696	explorer.exe
Token: SeLoadDriverPrivilege	3400	explorer.exe
Token: SeLoadDriverPrivilege	4900	explorer.exe
Token: SeLoadDriverPrivilege	4360	explorer.exe
Token: SeLoadDriverPrivilege	2452	smss.exe
Token: SeLoadDriverPrivilege	3024	explorer.exe
Token: SeLoadDriverPrivilege	2460	explorer.exe
Token: SeLoadDriverPrivilege	3464	explorer.exe
Token: SeLoadDriverPrivilege	4444	explorer.exe
Token: SeLoadDriverPrivilege	492	smss.exe
Token: SeLoadDriverPrivilege	2128	explorer.exe
Token: SeLoadDriverPrivilege	2972	explorer.exe
Token: SeLoadDriverPrivilege	4640	explorer.exe
Token: SeLoadDriverPrivilege	1668	explorer.exe
Token: SeLoadDriverPrivilege	3188	explorer.exe
Token: SeLoadDriverPrivilege	4928	explorer.exe
Token: SeLoadDriverPrivilege	2596	smss.exe
Token: SeLoadDriverPrivilege	916	explorer.exe
Token: SeLoadDriverPrivilege	4852	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 3872	1836	d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe	85
PID 1836 wrote to memory of 3872	1836	d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe	85
PID 1836 wrote to memory of 3872	1836	d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe	85
PID 3872 wrote to memory of 1912	3872	explorer.exe	89
PID 3872 wrote to memory of 1912	3872	explorer.exe	89
PID 3872 wrote to memory of 1912	3872	explorer.exe	89
PID 1912 wrote to memory of 1264	1912	explorer.exe	91
PID 1912 wrote to memory of 1264	1912	explorer.exe	91
PID 1912 wrote to memory of 1264	1912	explorer.exe	91
PID 1264 wrote to memory of 1960	1264	explorer.exe	94
PID 1264 wrote to memory of 1960	1264	explorer.exe	94
PID 1264 wrote to memory of 1960	1264	explorer.exe	94
PID 1960 wrote to memory of 4320	1960	explorer.exe	95
PID 1960 wrote to memory of 4320	1960	explorer.exe	95
PID 1960 wrote to memory of 4320	1960	explorer.exe	95
PID 4320 wrote to memory of 5028	4320	explorer.exe	96
PID 4320 wrote to memory of 5028	4320	explorer.exe	96
PID 4320 wrote to memory of 5028	4320	explorer.exe	96
PID 5028 wrote to memory of 460	5028	explorer.exe	97
PID 5028 wrote to memory of 460	5028	explorer.exe	97
PID 5028 wrote to memory of 460	5028	explorer.exe	97
PID 460 wrote to memory of 4680	460	explorer.exe	99
PID 460 wrote to memory of 4680	460	explorer.exe	99
PID 460 wrote to memory of 4680	460	explorer.exe	99
PID 1836 wrote to memory of 5080	1836	d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe	100
PID 1836 wrote to memory of 5080	1836	d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe	100
PID 1836 wrote to memory of 5080	1836	d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe	100
PID 4680 wrote to memory of 5104	4680	explorer.exe	101
PID 4680 wrote to memory of 5104	4680	explorer.exe	101
PID 4680 wrote to memory of 5104	4680	explorer.exe	101
PID 3872 wrote to memory of 1072	3872	explorer.exe	102
PID 3872 wrote to memory of 1072	3872	explorer.exe	102
PID 3872 wrote to memory of 1072	3872	explorer.exe	102
PID 5080 wrote to memory of 1796	5080	smss.exe	103
PID 5080 wrote to memory of 1796	5080	smss.exe	103
PID 5080 wrote to memory of 1796	5080	smss.exe	103
PID 1912 wrote to memory of 1812	1912	explorer.exe	104
PID 1912 wrote to memory of 1812	1912	explorer.exe	104
PID 1912 wrote to memory of 1812	1912	explorer.exe	104
PID 5104 wrote to memory of 3460	5104	explorer.exe	105
PID 5104 wrote to memory of 3460	5104	explorer.exe	105
PID 5104 wrote to memory of 3460	5104	explorer.exe	105
PID 1072 wrote to memory of 4696	1072	smss.exe	106
PID 1072 wrote to memory of 4696	1072	smss.exe	106
PID 1072 wrote to memory of 4696	1072	smss.exe	106
PID 1796 wrote to memory of 1724	1796	explorer.exe	107
PID 1796 wrote to memory of 1724	1796	explorer.exe	107
PID 1796 wrote to memory of 1724	1796	explorer.exe	107
PID 1264 wrote to memory of 1388	1264	explorer.exe	108
PID 1264 wrote to memory of 1388	1264	explorer.exe	108
PID 1264 wrote to memory of 1388	1264	explorer.exe	108
PID 1812 wrote to memory of 3428	1812	smss.exe	109
PID 1812 wrote to memory of 3428	1812	smss.exe	109
PID 1812 wrote to memory of 3428	1812	smss.exe	109
PID 3460 wrote to memory of 4960	3460	explorer.exe	110
PID 3460 wrote to memory of 4960	3460	explorer.exe	110
PID 3460 wrote to memory of 4960	3460	explorer.exe	110
PID 4696 wrote to memory of 4192	4696	explorer.exe	111
PID 4696 wrote to memory of 4192	4696	explorer.exe	111
PID 4696 wrote to memory of 4192	4696	explorer.exe	111
PID 1724 wrote to memory of 1952	1724	explorer.exe	112
PID 1724 wrote to memory of 1952	1724	explorer.exe	112
PID 1724 wrote to memory of 1952	1724	explorer.exe	112
PID 1960 wrote to memory of 4048	1960	explorer.exe	113

C:\Users\Admin\AppData\Local\Temp\d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe
"C:\Users\Admin\AppData\Local\Temp\d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
  C:\Windows\system32\nrgikhclnh\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
    C:\Windows\system32\nrgikhclnh\explorer.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
      C:\Windows\system32\nrgikhclnh\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3908
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4852
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:2104
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        23⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        24⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        25⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        26⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        27⤵
        
        PID:12980
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        28⤵
        
        PID:15304
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        23⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        22⤵
        
        PID:14776
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        23⤵
        
        PID:17876
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        21⤵
        
        PID:12324
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:14876
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        23⤵
        
        PID:18352
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        20⤵
        Enumerates connected drives
        
        PID:10824
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:14984
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        23⤵
        
        PID:18368
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        19⤵
        
        PID:9300
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        18⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12748
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:15048
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:9308
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12720
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        Enumerates connected drives
        
        PID:6324
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:7340
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:11024
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12804
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:692
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:432
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12732
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:15344
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:14508
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17628
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:3992
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:6268
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:9224
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12624
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:15252
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:14396
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17608
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:11380
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14684
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17900
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:832
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:15124
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        23⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:14424
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17508
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14552
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17596
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:10560
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14744
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18132
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:3036
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:6224
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:4316
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:8864
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:10872
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12504
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:15092
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17500
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14468
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17588
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18080
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:9120
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10724
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12400
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14844
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:7576
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:5960
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6316
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:7268
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:496
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12500
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:15132
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:14500
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17656
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:11768
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14712
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17908
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:10592
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14752
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18140
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12656
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15260
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14912
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18384
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:224
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:5100
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8108
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:10836
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12448
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:15032
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:572
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17492
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14544
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17696
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14612
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17672
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12376
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14920
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18392
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14784
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18124
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:6944
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12384
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14952
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3848
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:5992
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:6412
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:12756
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:15440
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:14596
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:17688
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14760
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18116
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12312
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14860
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18000
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12548
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15116
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18360
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:3556
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12392
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14936
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18376
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:6988
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15200
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18524
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:6964
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:7920
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10764
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:14960
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18836
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:17380
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:64
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:6608
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:7516
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8420
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:15640
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:17924
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:18828
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:13024
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15480
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13164
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15604
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13232
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15588
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:8372
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13308
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15628
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9740
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13224
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15572
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:6568
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9732
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13244
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15752
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:17712
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9688
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15612
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:17580
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:15268
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:18532
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:3696
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:2496
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:768
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:6072
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:8788
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:1568
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:11728
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:13804
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:16408
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        17⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:15900
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:13448
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16136
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:11504
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13568
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16336
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:10120
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13684
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16280
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13756
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:15504
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13772
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7744
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8688
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11636
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13692
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:18272
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7696
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10104
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13700
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:18292
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:15712
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13676
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:18300
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:15704
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:13328
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:16024
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:4704
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5640
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:4908
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:9028
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:14196
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:16896
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:16520
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:13880
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16608
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13904
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16712
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14008
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16836
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16764
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14000
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16820
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11916
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13964
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16696
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:6104
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7028
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7936
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11888
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14016
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16828
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13912
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16704
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:13828
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:15792
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:972
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5616
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7976
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11976
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14120
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16844
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:13840
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:16376
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:11836
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:13864
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:16600
    - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:816
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:14092
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        22⤵
        
        PID:17108
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:16928
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:14316
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17336
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:12240
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17400
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:16356
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:9200
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11328
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:116
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:7904
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13856
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8180
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:9212
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:448
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:13900
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17096
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11796
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14100
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:16756
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:9160
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17320
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:16672
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:14252
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17016
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:2216
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:16728
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:14248
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:16872
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:12072
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17292
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:764
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12228
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17084
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:16664
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:14212
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:16864
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:14228
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:16908
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:14304
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17300
  - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
      C:\Windows\system32\rotpcifdhx\smss.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1812
    - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3428
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4360
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3188
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:824
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7004
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:10860
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:12516
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:15140
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17424
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14476
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17648
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:10472
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:11624
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14704
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:18088
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17892
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:9076
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14720
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:18156
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:320
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12300
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14868
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:18312
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:7824
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14792
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:18016
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17348
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7768
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9064
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10548
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14732
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:18008
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17276
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:5844
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14644
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17680
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17260
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:12096
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17144
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5812
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:6656
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12160
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14408
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:17980
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17228
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:14164
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17076
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17152
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:14388
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17640
    - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        5⤵
        
        PID:3468
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:1888
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8816
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10412
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12168
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:14416
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:18024
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17220
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:14172
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:14276
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17184
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17416
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:8748
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:316
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7508
- - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
    C:\Windows\system32\rotpcifdhx\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
      C:\Windows\system32\nrgikhclnh\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4840
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:3548
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5312
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:13288
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:15580
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:17764
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:15324
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:12876
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:18852
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13004
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:15556
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13088
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:15820
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:8224
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12996
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8260
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:15596
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7320
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13060
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:15744
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17532
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:6528
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9624
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13108
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:15620
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17540
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15084
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:17520
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5176
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9540
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11260
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:15488
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17480
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:18328
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:12672
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15244
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:5092
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:6140
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:6488
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12988
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17468
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15072
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:18336
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:12664
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15276
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15456
    - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        5⤵
        
        PID:2716
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:9548
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:15448
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17448
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15020
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:12612
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15192
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6784
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:11160
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12956
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15464
  - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
      C:\Windows\system32\rotpcifdhx\smss.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      PID:4280
    - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        5⤵
        Enumerates connected drives
        
        PID:4584
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:15472
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:17432
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:14976
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:18320
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:12564
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15108
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12768
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:1516
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:13048
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15808
    - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        5⤵
        
        PID:3668
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12828
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6812
- C:\Windows\SysWOW64\rotpcifdhx\smss.exe
  C:\Windows\system32\rotpcifdhx\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
    C:\Windows\system32\nrgikhclnh\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
      C:\Windows\system32\nrgikhclnh\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:2660
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5512
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:6900
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        16⤵
        
        PID:7816
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        17⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        18⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        19⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        20⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        21⤵
        
        PID:16360
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        16⤵
        
        PID:17668
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        15⤵
        
        PID:15908
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        14⤵
        
        PID:13412
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16120
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        13⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13576
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16288
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        12⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11524
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16260
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:8596
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:10048
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13560
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16328
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13708
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7656
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11436
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13528
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16252
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:18264
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:10032
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11444
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16236
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:18256
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15684
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6788
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11480
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13616
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16244
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:18400
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15660
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15976
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:7616
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:8544
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:9984
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13496
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16348
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:18240
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15672
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:368
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15924
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:13272
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:16040
    - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        5⤵
        
        PID:2352
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:524
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6764
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7600
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8552
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13488
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16272
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:18180
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15540
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15760
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:16056
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:11268
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:16068
  - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
      C:\Windows\system32\rotpcifdhx\smss.exe
      4⤵
      PID:5008
    - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        5⤵
        
        PID:636
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8504
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13436
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16216
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:18204
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15512
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15768
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12728
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15828
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:9828
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:13320
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:16048
    - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        5⤵
        Drops file in System32 directory
        
        PID:8448
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:16152
- - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
    C:\Windows\system32\rotpcifdhx\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:492
  - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
      C:\Windows\system32\nrgikhclnh\explorer.exe
      4⤵
      Drops file in System32 directory
      PID:2232
    - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        5⤵
        
        PID:3740
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        10⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        11⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        12⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        13⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        14⤵
        
        PID:13428
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        15⤵
        
        PID:16128
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        10⤵
        
        PID:18220
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        9⤵
        
        PID:15528
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        8⤵
        
        PID:12604
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15736
        
        C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        7⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:15968
      - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        6⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:16032
    - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
        
        C:\Windows\system32\rotpcifdhx\smss.exe
        5⤵
        
        PID:8468
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:9892
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:11300
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:13376
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:16144
  - - C:\Windows\SysWOW64\rotpcifdhx\smss.exe
      C:\Windows\system32\rotpcifdhx\smss.exe
      4⤵
      Enumerates connected drives
      PID:7552
    - - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        5⤵
        
        PID:8484
      - C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        6⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        7⤵
        
        PID:11332
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        8⤵
        
        PID:13396
        
        C:\Windows\SysWOW64\nrgikhclnh\explorer.exe
        
        C:\Windows\system32\nrgikhclnh\explorer.exe
        9⤵
        
        PID:16112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\nrgikhclnh\explorer.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
C:\Windows\SysWOW64\rotpcifdhx\smss.exe

Filesize
351KB

MD5
81819200a31a194923510503aeda6880

SHA1
f6c901d14402d6bd5e449840f899bee57c291a77

SHA256
d9308a1fa62a0e8cef8bfeeff5bde0de9efaf7834ffc01c1dc717bbc378f46f7

SHA512
0dc7d9c770fef8ff535b3b2be88b171a9a53e89f4ea7079fbe3d22e40f2f6e984c7c3e4c83bf248a3d5fa98fd8f1a092b92ddf75f849f988a393fcf5ea38b2b2

Download Submit
memory/116-272-0x0000000000000000-mapping.dmp

Download
memory/116-275-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/228-293-0x0000000000000000-mapping.dmp

Download
memory/232-291-0x0000000000000000-mapping.dmp

Download
memory/316-246-0x0000000000000000-mapping.dmp

Download
memory/316-249-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/368-264-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/368-260-0x0000000000000000-mapping.dmp

Download
memory/428-230-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/428-224-0x0000000000000000-mapping.dmp

Download
memory/428-286-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/460-181-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/460-163-0x0000000000000000-mapping.dmp

Download
memory/460-165-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/492-334-0x0000000000000000-mapping.dmp

Download
memory/916-358-0x0000000000000000-mapping.dmp

Download
memory/952-276-0x0000000000000000-mapping.dmp

Download
memory/952-279-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1072-179-0x0000000000000000-mapping.dmp

Download
memory/1072-212-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1072-182-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1264-156-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1264-144-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1264-142-0x0000000000000000-mapping.dmp

Download
memory/1388-202-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1388-200-0x0000000000000000-mapping.dmp

Download
memory/1388-248-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1424-242-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1424-238-0x0000000000000000-mapping.dmp

Download
memory/1632-241-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1632-236-0x0000000000000000-mapping.dmp

Download
memory/1668-351-0x0000000000000000-mapping.dmp

Download
memory/1724-199-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1724-196-0x0000000000000000-mapping.dmp

Download
memory/1724-240-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1780-271-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1780-267-0x0000000000000000-mapping.dmp

Download
memory/1796-185-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1796-183-0x0000000000000000-mapping.dmp

Download
memory/1796-216-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1812-186-0x0000000000000000-mapping.dmp

Download
memory/1812-228-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1812-191-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1836-145-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1836-132-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1912-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1912-140-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1912-138-0x0000000000000000-mapping.dmp

Download
memory/1952-217-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1952-214-0x0000000000000000-mapping.dmp

Download
memory/1952-269-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1960-150-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1960-148-0x0000000000000000-mapping.dmp

Download
memory/1960-161-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2128-341-0x0000000000000000-mapping.dmp

Download
memory/2316-221-0x0000000000000000-mapping.dmp

Download
memory/2316-223-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2316-278-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2452-317-0x0000000000000000-mapping.dmp

Download
memory/2460-321-0x0000000000000000-mapping.dmp

Download
memory/2596-357-0x0000000000000000-mapping.dmp

Download
memory/2972-343-0x0000000000000000-mapping.dmp

Download
memory/3024-319-0x0000000000000000-mapping.dmp

Download
memory/3120-232-0x0000000000000000-mapping.dmp

Download
memory/3120-235-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3188-355-0x0000000000000000-mapping.dmp

Download
memory/3400-307-0x0000000000000000-mapping.dmp

Download
memory/3428-208-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3428-203-0x0000000000000000-mapping.dmp

Download
memory/3428-254-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3460-188-0x0000000000000000-mapping.dmp

Download
memory/3460-192-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3460-229-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3464-330-0x0000000000000000-mapping.dmp

Download
memory/3648-265-0x0000000000000000-mapping.dmp

Download
memory/3648-270-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3696-301-0x0000000000000000-mapping.dmp

Download
memory/3808-280-0x0000000000000000-mapping.dmp

Download
memory/3848-282-0x0000000000000000-mapping.dmp

Download
memory/3872-133-0x0000000000000000-mapping.dmp

Download
memory/3872-136-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3872-146-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3908-284-0x0000000000000000-mapping.dmp

Download
memory/3916-256-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3916-250-0x0000000000000000-mapping.dmp

Download
memory/4048-220-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4048-218-0x0000000000000000-mapping.dmp

Download
memory/4048-274-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4192-213-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4192-210-0x0000000000000000-mapping.dmp

Download
memory/4192-262-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4280-360-0x0000000000000000-mapping.dmp

Download
memory/4320-166-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4320-155-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4320-153-0x0000000000000000-mapping.dmp

Download
memory/4360-315-0x0000000000000000-mapping.dmp

Download
memory/4372-226-0x0000000000000000-mapping.dmp

Download
memory/4372-231-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4444-332-0x0000000000000000-mapping.dmp

Download
memory/4640-348-0x0000000000000000-mapping.dmp

Download
memory/4680-190-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4680-168-0x0000000000000000-mapping.dmp

Download
memory/4680-170-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4692-299-0x0000000000000000-mapping.dmp

Download
memory/4696-193-0x0000000000000000-mapping.dmp

Download
memory/4696-195-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4696-234-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4728-243-0x0000000000000000-mapping.dmp

Download
memory/4728-245-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4840-258-0x0000000000000000-mapping.dmp

Download
memory/4840-263-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4852-359-0x0000000000000000-mapping.dmp

Download
memory/4892-257-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4892-252-0x0000000000000000-mapping.dmp

Download
memory/4900-311-0x0000000000000000-mapping.dmp

Download
memory/4928-356-0x0000000000000000-mapping.dmp

Download
memory/4960-205-0x0000000000000000-mapping.dmp

Download
memory/4960-255-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4960-209-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5028-160-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5028-158-0x0000000000000000-mapping.dmp

Download
memory/5028-174-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5080-198-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5080-171-0x0000000000000000-mapping.dmp

Download
memory/5080-175-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5104-207-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5104-176-0x0000000000000000-mapping.dmp

Download
memory/5104-178-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download