f6a110db05d1d3ae9e537921a41dc8e9ad272e266ccb98b0915063e8d06bf5c7

Analysis

max time kernel
134s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-09-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
Size

352KB
MD5

d22b3df36457a17f032833b7b02f0601
SHA1

1e7d1b70265d5929ff5e5f58c24f628679eff893
SHA256

f6a110db05d1d3ae9e537921a41dc8e9ad272e266ccb98b0915063e8d06bf5c7
SHA512

ed780042aa9b892dc332d3d6a4fca6c6b360ca0728f87529cec37c4f7f548c7768de1d792fab5c19d339f3f57c9c93cd737959fb68a3e1e8248c29e9998304b2
SSDEEP

3072:L8EU6GdwTYBpL/d8mvgvyybyc8mNwMRjpL/ZJCwMRjpL/thBwMRjpL/vJCwMRjpH:oEtjTq/mmvgV83Qp/9Qp/2Qp/7Qp/Lu0

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1840	explorer.exe
2420	explorer.exe
2688	explorer.exe
2748	explorer.exe
2760	explorer.exe
2388	explorer.exe
2660	explorer.exe
2620	explorer.exe
1656	smss.exe
324	explorer.exe
2340	smss.exe
900	explorer.exe
2364	smss.exe
2304	explorer.exe
1932	explorer.exe
1260	explorer.exe
1572	smss.exe
2096	explorer.exe
2228	explorer.exe
2828	explorer.exe
2612	explorer.exe
444	smss.exe
1188	explorer.exe
1192	explorer.exe
1676	explorer.exe
1292	explorer.exe
916	explorer.exe
2856	smss.exe
1668	explorer.exe
932	explorer.exe
1884	explorer.exe
948	explorer.exe
1220	explorer.exe
788	smss.exe
1216	explorer.exe
2432	explorer.exe
2476	explorer.exe
2076	explorer.exe
1720	explorer.exe
3020	smss.exe
2284	explorer.exe
1872	explorer.exe
1936	explorer.exe
1536	explorer.exe
1532	explorer.exe
2900	explorer.exe
2460	explorer.exe
1908	explorer.exe
3056	smss.exe
3012	explorer.exe
2776	explorer.exe
2752	explorer.exe
2772	explorer.exe
2736	smss.exe
2708	explorer.exe
2564	explorer.exe
2588	explorer.exe
2552	explorer.exe
2000	explorer.exe
1048	explorer.exe
2328	explorer.exe
2368	smss.exe
1588	explorer.exe
2512	explorer.exe

Loads dropped DLL 64 IoCs

pid	Process
2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
1840	explorer.exe
1840	explorer.exe
2420	explorer.exe
2420	explorer.exe
2688	explorer.exe
2688	explorer.exe
2748	explorer.exe
2748	explorer.exe
2760	explorer.exe
2760	explorer.exe
2388	explorer.exe
2388	explorer.exe
2660	explorer.exe
2660	explorer.exe
2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
2620	explorer.exe
2620	explorer.exe
1840	explorer.exe
1840	explorer.exe
1656	smss.exe
1656	smss.exe
2420	explorer.exe
2420	explorer.exe
324	explorer.exe
324	explorer.exe
2340	smss.exe
2340	smss.exe
900	explorer.exe
900	explorer.exe
2688	explorer.exe
2688	explorer.exe
2364	smss.exe
2364	smss.exe
2304	explorer.exe
2304	explorer.exe
1932	explorer.exe
1932	explorer.exe
1260	explorer.exe
1260	explorer.exe
2748	explorer.exe
2748	explorer.exe
1572	smss.exe
1572	smss.exe
2096	explorer.exe
2096	explorer.exe
2228	explorer.exe
2228	explorer.exe
2828	explorer.exe
2828	explorer.exe
2612	explorer.exe
2612	explorer.exe
2760	explorer.exe
2760	explorer.exe
444	smss.exe
444	smss.exe
1188	explorer.exe
1188	explorer.exe
1192	explorer.exe
1192	explorer.exe
1676	explorer.exe
1676	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/files/0x001700000001866f-3.dat	upx
behavioral1/memory/1840-11-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2384-17-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1840-20-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2420-27-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2688-33-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2748-39-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2760-45-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2660-50-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2388-52-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2660-60-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2620-65-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2340-69-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1656-71-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/324-75-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2304-83-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2340-81-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1932-88-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/900-85-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2364-92-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2304-94-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1932-98-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1260-102-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2228-103-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1572-104-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2096-105-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2612-106-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2228-107-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2828-108-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1188-109-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2612-110-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/444-111-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1188-112-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1192-113-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/916-114-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1676-115-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1668-116-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1292-117-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/916-118-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2856-119-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/948-121-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1668-122-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/932-125-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1216-126-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2856-128-0x0000000000370000-0x00000000003C9000-memory.dmp	upx
behavioral1/memory/1884-127-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/948-129-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1220-131-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/788-132-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1216-133-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2432-136-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2476-140-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/3020-139-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/932-142-0x0000000001E00000-0x0000000001E59000-memory.dmp	upx
behavioral1/memory/2076-143-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1936-148-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1720-145-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2384-149-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/3020-150-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/2284-153-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1532-155-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1872-156-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral1/memory/1936-158-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\i:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
1840	explorer.exe
2420	explorer.exe
2688	explorer.exe
2748	explorer.exe
2760	explorer.exe
2388	explorer.exe
2660	explorer.exe
2620	explorer.exe
1656	smss.exe
324	explorer.exe
2340	smss.exe
900	explorer.exe
2364	smss.exe
2304	explorer.exe
1932	explorer.exe
1260	explorer.exe
1572	smss.exe
2096	explorer.exe
2228	explorer.exe
2828	explorer.exe
2612	explorer.exe
444	smss.exe
1188	explorer.exe
1192	explorer.exe
1676	explorer.exe
1292	explorer.exe
916	explorer.exe
2856	smss.exe
1668	explorer.exe
932	explorer.exe
1884	explorer.exe
948	explorer.exe
1220	explorer.exe
788	smss.exe
1216	explorer.exe
2432	explorer.exe
2476	explorer.exe
2076	explorer.exe
1720	explorer.exe
3020	smss.exe
2284	explorer.exe
1872	explorer.exe
1936	explorer.exe
1536	explorer.exe
1532	explorer.exe
2900	explorer.exe
2460	explorer.exe
1908	explorer.exe
3056	smss.exe
3012	explorer.exe
2776	explorer.exe
2752	explorer.exe
2772	explorer.exe
2736	smss.exe
2708	explorer.exe
2564	explorer.exe
2588	explorer.exe
2552	explorer.exe
2000	explorer.exe
1048	explorer.exe
2328	explorer.exe
2368	smss.exe
1588	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1840	explorer.exe
Token: SeLoadDriverPrivilege	2420	explorer.exe
Token: SeLoadDriverPrivilege	2688	explorer.exe
Token: SeLoadDriverPrivilege	2748	explorer.exe
Token: SeLoadDriverPrivilege	2760	explorer.exe
Token: SeLoadDriverPrivilege	2388	explorer.exe
Token: SeLoadDriverPrivilege	2660	explorer.exe
Token: SeLoadDriverPrivilege	2620	explorer.exe
Token: SeLoadDriverPrivilege	1656	smss.exe
Token: SeLoadDriverPrivilege	324	explorer.exe
Token: SeLoadDriverPrivilege	2340	smss.exe
Token: SeLoadDriverPrivilege	900	explorer.exe
Token: SeLoadDriverPrivilege	2364	smss.exe
Token: SeLoadDriverPrivilege	2304	explorer.exe
Token: SeLoadDriverPrivilege	1932	explorer.exe
Token: SeLoadDriverPrivilege	1260	explorer.exe
Token: SeLoadDriverPrivilege	1572	smss.exe
Token: SeLoadDriverPrivilege	2096	explorer.exe
Token: SeLoadDriverPrivilege	2228	explorer.exe
Token: SeLoadDriverPrivilege	2828	explorer.exe
Token: SeLoadDriverPrivilege	2612	explorer.exe
Token: SeLoadDriverPrivilege	444	smss.exe
Token: SeLoadDriverPrivilege	1188	explorer.exe
Token: SeLoadDriverPrivilege	1192	explorer.exe
Token: SeLoadDriverPrivilege	1676	explorer.exe
Token: SeLoadDriverPrivilege	1292	explorer.exe
Token: SeLoadDriverPrivilege	916	explorer.exe
Token: SeLoadDriverPrivilege	2856	smss.exe
Token: SeLoadDriverPrivilege	1668	explorer.exe
Token: SeLoadDriverPrivilege	932	explorer.exe
Token: SeLoadDriverPrivilege	1884	explorer.exe
Token: SeLoadDriverPrivilege	948	explorer.exe
Token: SeLoadDriverPrivilege	1220	explorer.exe
Token: SeLoadDriverPrivilege	788	smss.exe
Token: SeLoadDriverPrivilege	1216	explorer.exe
Token: SeLoadDriverPrivilege	2432	explorer.exe
Token: SeLoadDriverPrivilege	2476	explorer.exe
Token: SeLoadDriverPrivilege	2076	explorer.exe
Token: SeLoadDriverPrivilege	1720	explorer.exe
Token: SeLoadDriverPrivilege	3020	smss.exe
Token: SeLoadDriverPrivilege	2284	explorer.exe
Token: SeLoadDriverPrivilege	1872	explorer.exe
Token: SeLoadDriverPrivilege	1936	explorer.exe
Token: SeLoadDriverPrivilege	1536	explorer.exe
Token: SeLoadDriverPrivilege	1532	explorer.exe
Token: SeLoadDriverPrivilege	2900	explorer.exe
Token: SeLoadDriverPrivilege	2460	explorer.exe
Token: SeLoadDriverPrivilege	1908	explorer.exe
Token: SeLoadDriverPrivilege	3056	smss.exe
Token: SeLoadDriverPrivilege	3012	explorer.exe
Token: SeLoadDriverPrivilege	2776	explorer.exe
Token: SeLoadDriverPrivilege	2752	explorer.exe
Token: SeLoadDriverPrivilege	2772	explorer.exe
Token: SeLoadDriverPrivilege	2736	smss.exe
Token: SeLoadDriverPrivilege	2708	explorer.exe
Token: SeLoadDriverPrivilege	2564	explorer.exe
Token: SeLoadDriverPrivilege	2588	explorer.exe
Token: SeLoadDriverPrivilege	2552	explorer.exe
Token: SeLoadDriverPrivilege	2000	explorer.exe
Token: SeLoadDriverPrivilege	1048	explorer.exe
Token: SeLoadDriverPrivilege	2328	explorer.exe
Token: SeLoadDriverPrivilege	2368	smss.exe
Token: SeLoadDriverPrivilege	1588	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 1840	2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1840	2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1840	2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	31
PID 2384 wrote to memory of 1840	2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	31
PID 1840 wrote to memory of 2420	1840	explorer.exe	32
PID 1840 wrote to memory of 2420	1840	explorer.exe	32
PID 1840 wrote to memory of 2420	1840	explorer.exe	32
PID 1840 wrote to memory of 2420	1840	explorer.exe	32
PID 2420 wrote to memory of 2688	2420	explorer.exe	33
PID 2420 wrote to memory of 2688	2420	explorer.exe	33
PID 2420 wrote to memory of 2688	2420	explorer.exe	33
PID 2420 wrote to memory of 2688	2420	explorer.exe	33
PID 2688 wrote to memory of 2748	2688	explorer.exe	34
PID 2688 wrote to memory of 2748	2688	explorer.exe	34
PID 2688 wrote to memory of 2748	2688	explorer.exe	34
PID 2688 wrote to memory of 2748	2688	explorer.exe	34
PID 2748 wrote to memory of 2760	2748	explorer.exe	35
PID 2748 wrote to memory of 2760	2748	explorer.exe	35
PID 2748 wrote to memory of 2760	2748	explorer.exe	35
PID 2748 wrote to memory of 2760	2748	explorer.exe	35
PID 2760 wrote to memory of 2388	2760	explorer.exe	36
PID 2760 wrote to memory of 2388	2760	explorer.exe	36
PID 2760 wrote to memory of 2388	2760	explorer.exe	36
PID 2760 wrote to memory of 2388	2760	explorer.exe	36
PID 2388 wrote to memory of 2660	2388	explorer.exe	37
PID 2388 wrote to memory of 2660	2388	explorer.exe	37
PID 2388 wrote to memory of 2660	2388	explorer.exe	37
PID 2388 wrote to memory of 2660	2388	explorer.exe	37
PID 2660 wrote to memory of 2620	2660	explorer.exe	38
PID 2660 wrote to memory of 2620	2660	explorer.exe	38
PID 2660 wrote to memory of 2620	2660	explorer.exe	38
PID 2660 wrote to memory of 2620	2660	explorer.exe	38
PID 2384 wrote to memory of 1656	2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	39
PID 2384 wrote to memory of 1656	2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	39
PID 2384 wrote to memory of 1656	2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	39
PID 2384 wrote to memory of 1656	2384	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	39
PID 2620 wrote to memory of 324	2620	explorer.exe	40
PID 2620 wrote to memory of 324	2620	explorer.exe	40
PID 2620 wrote to memory of 324	2620	explorer.exe	40
PID 2620 wrote to memory of 324	2620	explorer.exe	40
PID 1840 wrote to memory of 2340	1840	explorer.exe	41
PID 1840 wrote to memory of 2340	1840	explorer.exe	41
PID 1840 wrote to memory of 2340	1840	explorer.exe	41
PID 1840 wrote to memory of 2340	1840	explorer.exe	41
PID 1656 wrote to memory of 900	1656	smss.exe	42
PID 1656 wrote to memory of 900	1656	smss.exe	42
PID 1656 wrote to memory of 900	1656	smss.exe	42
PID 1656 wrote to memory of 900	1656	smss.exe	42
PID 2420 wrote to memory of 2364	2420	explorer.exe	43
PID 2420 wrote to memory of 2364	2420	explorer.exe	43
PID 2420 wrote to memory of 2364	2420	explorer.exe	43
PID 2420 wrote to memory of 2364	2420	explorer.exe	43
PID 324 wrote to memory of 2304	324	explorer.exe	44
PID 324 wrote to memory of 2304	324	explorer.exe	44
PID 324 wrote to memory of 2304	324	explorer.exe	44
PID 324 wrote to memory of 2304	324	explorer.exe	44
PID 2340 wrote to memory of 1932	2340	smss.exe	45
PID 2340 wrote to memory of 1932	2340	smss.exe	45
PID 2340 wrote to memory of 1932	2340	smss.exe	45
PID 2340 wrote to memory of 1932	2340	smss.exe	45
PID 900 wrote to memory of 1260	900	explorer.exe	46
PID 900 wrote to memory of 1260	900	explorer.exe	46
PID 900 wrote to memory of 1260	900	explorer.exe	46
PID 900 wrote to memory of 1260	900	explorer.exe	46

C:\Users\Admin\AppData\Local\Temp\d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\rgnotesftt\explorer.exe
  C:\Windows\system32\rgnotesftt\explorer.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
    C:\Windows\system32\rgnotesftt\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
      C:\Windows\system32\rgnotesftt\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:2400
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:808
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        24⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6036
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        25⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        26⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        27⤵
        
        PID:10372
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        28⤵
        
        PID:12780
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        23⤵
        
        PID:14764
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:12140
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        21⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        Drops file in System32 directory
        
        PID:12240
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:15208
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        20⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        19⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:10252
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:12596
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:15904
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        18⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12688
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:15944
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:6608
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:10404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:13004
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:14776
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:856
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10344
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12724
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:14740
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15304
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12732
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:14756
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15196
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:6108
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:14784
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:12196
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:2652
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:10036
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12264
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15296
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:10088
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12376
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15040
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:956
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8524
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10320
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12696
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:15960
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:14748
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:12132
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15228
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        Enumerates connected drives
        
        PID:10000
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12248
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:15272
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8340
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12516
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15896
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12652
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:14704
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15080
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15164
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10064
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12328
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:14712
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12484
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15832
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:948
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12608
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15928
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:568
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        Drops file in System32 directory
        
        PID:7136
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10360
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:14716
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:12084
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:15056
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12220
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15188
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15288
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5912
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:10176
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12472
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15524
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6952
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:8308
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:12500
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15888
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:12672
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:14724
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:12124
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15136
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15156
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:9952
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12256
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:7020
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15492
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:12580
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15920
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8516
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:12704
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15952
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7164
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:12756
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:14732
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:4532
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:8920
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:15848
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13020
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:10652
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13184
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:7336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:8852
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10672
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:1852
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:2136
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:8892
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:5256
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:12620
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:15840
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:3588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:11288
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:13752
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:13292
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13480
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:376
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13624
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13668
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13692
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9228
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11272
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13728
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:7748
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13720
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:15740
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13660
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:15700
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:13276
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3572
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:1796
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:13676
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:15732
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:13248
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:13496
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:3632
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:9356
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:11412
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:14048
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        Drops file in System32 directory
        
        PID:13788
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:11348
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14032
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:11388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14040
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:9404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:9436
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11484
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14080
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14064
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:4776
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:6552
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11428
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14056
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:13780
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5616
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:6596
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11500
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14112
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:13812
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:6584
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14096
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:13772
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:11356
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:14016
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:9344
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14072
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:812
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:3688
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:9620
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:11740
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:14308
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:14180
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14268
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11652
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14332
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11696
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:2808
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:8036
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11768
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        Drops file in System32 directory
        
        PID:4160
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4888
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5680
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14300
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:14160
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11732
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:14216
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:14132
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:14276
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:4864
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5664
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:9604
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:11704
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:11604
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14260
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:9564
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14284
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9520
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:11580
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14324
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:14140
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:11572
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:14252
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:9512
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:11596
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14292
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:9556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:11676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14316
  - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
      C:\Windows\system32\vuxffdbvqd\smss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2364
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:10124
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:12392
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:14648
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        Drops file in System32 directory
        
        PID:12036
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:15264
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10108
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:12400
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:2420
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:12416
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:984
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:12384
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:4216
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:12492
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:15864
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:14672
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:14656
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15088
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:6976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:8324
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:3224
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:12524
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:15912
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        Drops file in System32 directory
        
        PID:14664
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:12052
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15104
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:9888
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12100
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14912
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:6868
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:10096
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:12360
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:15032
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:14632
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:11976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15116
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12060
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14920
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12180
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15144
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:2972
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:3756
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:792
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:12008
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:14884
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:14624
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15044
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:9832
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12000
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14816
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:9944
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15236
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12352
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:14772
- - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
    C:\Windows\system32\vuxffdbvqd\smss.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
      C:\Windows\system32\rgnotesftt\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1932
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        
        PID:2512
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:7292
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:13168
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        Enumerates connected drives
        
        PID:15332
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:12540
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:15824
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:10440
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:12808
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13060
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:7216
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:8744
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:8708
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10552
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13092
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:8696
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10576
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13104
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10680
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:15324
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:4460
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15316
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        Drops file in System32 directory
        
        PID:12532
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15816
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:4512
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5228
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15340
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:12588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15872
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:10476
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12840
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:868
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:4524
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:5240
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:10728
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:12628
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15856
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:12964
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:13032
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:2088
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:2380
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:5180
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:13156
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15356
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:12568
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15880
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12872
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13040
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:10488
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13012
  - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
      C:\Windows\system32\vuxffdbvqd\smss.exe
      4⤵
      PID:1636
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        
        PID:1592
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:484
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:10696
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15348
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:12556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:15808
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:12884
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:8724
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13048
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:7224
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13120
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:1856
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:10688
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:3940
- C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
  C:\Windows\system32\vuxffdbvqd\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
    C:\Windows\system32\rgnotesftt\explorer.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:900
  - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
      C:\Windows\system32\rgnotesftt\explorer.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1260
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:1600
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:4088
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:9076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:10980
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:13504
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:15660
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:13216
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:11020
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13440
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:9112
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13536
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7600
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13632
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:6380
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:1304
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13640
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:684
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13608
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:6436
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:3052
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13684
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15708
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:7656
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:788
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13700
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15748
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:784
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7692
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:872
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3500
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13708
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15716
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:13268
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:11116
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13488
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:3548
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:5408
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:11192
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13576
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15676
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:13228
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13464
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:9172
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:11184
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13544
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:2844
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:2760
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5400
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:9120
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:11100
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13528
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15684
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:13236
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:11036
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13448
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:9148
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:11108
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13560
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:13648
  - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
      C:\Windows\system32\vuxffdbvqd\smss.exe
      4⤵
      PID:2360
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        
        PID:1452
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:5372
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:11004
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15648
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:13204
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13472
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:11140
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13568
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13616
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:6360
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13600
- - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
    C:\Windows\system32\vuxffdbvqd\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
  - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
      C:\Windows\system32\rgnotesftt\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        
        PID:2792
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:6276
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:13456
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:15640
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:13144
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:10956
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13424
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13512
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:10996
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13584
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:6312
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:11216
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13592
  - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
      C:\Windows\system32\vuxffdbvqd\smss.exe
      4⤵
      PID:5388
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        
        PID:6320
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:13552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\rgnotesftt\explorer.exe

Filesize
352KB

MD5
d22b3df36457a17f032833b7b02f0601

SHA1
1e7d1b70265d5929ff5e5f58c24f628679eff893

SHA256
f6a110db05d1d3ae9e537921a41dc8e9ad272e266ccb98b0915063e8d06bf5c7

SHA512
ed780042aa9b892dc332d3d6a4fca6c6b360ca0728f87529cec37c4f7f548c7768de1d792fab5c19d339f3f57c9c93cd737959fb68a3e1e8248c29e9998304b2

Download Submit
memory/324-75-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/444-120-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/444-111-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/788-157-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/788-132-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/788-146-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/900-85-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/916-118-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/916-114-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/932-125-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/932-142-0x0000000001E00000-0x0000000001E59000-memory.dmp

Filesize
356KB

Download
memory/948-121-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/948-129-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1188-112-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1188-124-0x0000000001DB0000-0x0000000001E09000-memory.dmp

Filesize
356KB

Download
memory/1188-109-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1192-113-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1216-159-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/1216-133-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1216-126-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1220-131-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1220-154-0x00000000002C0000-0x0000000000319000-memory.dmp

Filesize
356KB

Download
memory/1220-144-0x00000000002C0000-0x0000000000319000-memory.dmp

Filesize
356KB

Download
memory/1260-102-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1292-117-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1292-123-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/1532-163-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1532-155-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1536-160-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1572-104-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1656-71-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1668-116-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1668-130-0x00000000005F0000-0x0000000000649000-memory.dmp

Filesize
356KB

Download
memory/1668-122-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1668-141-0x00000000005F0000-0x0000000000649000-memory.dmp

Filesize
356KB

Download
memory/1676-115-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1720-145-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1840-78-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/1840-167-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1840-20-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1840-11-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1872-156-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1884-134-0x0000000000460000-0x00000000004B9000-memory.dmp

Filesize
356KB

Download
memory/1884-127-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1908-168-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1932-88-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1932-98-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1936-158-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1936-148-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2076-143-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2096-105-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2228-103-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2228-107-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2284-153-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2304-94-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2304-83-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2340-69-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2340-81-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2364-92-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2384-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2384-9-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/2384-17-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2384-149-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2384-19-0x0000000000290000-0x00000000002E9000-memory.dmp

Filesize
356KB

Download
memory/2388-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2420-27-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2432-152-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2432-151-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2432-162-0x0000000000260000-0x00000000002B9000-memory.dmp

Filesize
356KB

Download
memory/2432-136-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2460-161-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2460-166-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2476-140-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2612-106-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2612-110-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2620-65-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-137-0x00000000021A0000-0x00000000021F9000-memory.dmp

Filesize
356KB

Download
memory/2660-60-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-50-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2660-138-0x00000000021A0000-0x00000000021F9000-memory.dmp

Filesize
356KB

Download
memory/2660-147-0x00000000021A0000-0x00000000021F9000-memory.dmp

Filesize
356KB

Download
memory/2688-33-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2748-39-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2760-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2772-170-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2828-108-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2856-119-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2856-135-0x0000000000370000-0x00000000003C9000-memory.dmp

Filesize
356KB

Download
memory/2856-128-0x0000000000370000-0x00000000003C9000-memory.dmp

Filesize
356KB

Download
memory/2900-164-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3012-172-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3020-139-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3020-171-0x0000000000310000-0x0000000000369000-memory.dmp

Filesize
356KB

Download
memory/3020-150-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3056-169-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3056-165-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download