f6a110db05d1d3ae9e537921a41dc8e9ad272e266ccb98b0915063e8d06bf5c7

Analysis

max time kernel
130s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
Size

352KB
MD5

d22b3df36457a17f032833b7b02f0601
SHA1

1e7d1b70265d5929ff5e5f58c24f628679eff893
SHA256

f6a110db05d1d3ae9e537921a41dc8e9ad272e266ccb98b0915063e8d06bf5c7
SHA512

ed780042aa9b892dc332d3d6a4fca6c6b360ca0728f87529cec37c4f7f548c7768de1d792fab5c19d339f3f57c9c93cd737959fb68a3e1e8248c29e9998304b2
SSDEEP

3072:L8EU6GdwTYBpL/d8mvgvyybyc8mNwMRjpL/ZJCwMRjpL/thBwMRjpL/vJCwMRjpH:oEtjTq/mmvgV83Qp/9Qp/2Qp/7Qp/Lu0

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3728	explorer.exe
4440	explorer.exe
1596	explorer.exe
2676	explorer.exe
4784	explorer.exe
1848	explorer.exe
3316	explorer.exe
1068	explorer.exe
1196	smss.exe
528	explorer.exe
2804	smss.exe
3076	explorer.exe
3348	smss.exe
1696	explorer.exe
4860	explorer.exe
4660	explorer.exe
4084	smss.exe
892	explorer.exe
4872	explorer.exe
1020	explorer.exe
4344	explorer.exe
5084	smss.exe
4412	explorer.exe
2784	explorer.exe
3600	explorer.exe
4212	explorer.exe
2872	smss.exe
1236	explorer.exe
660	explorer.exe
404	explorer.exe
4928	explorer.exe
3536	explorer.exe
4264	explorer.exe
3968	smss.exe
4516	explorer.exe
4752	explorer.exe
1048	explorer.exe
2624	explorer.exe
216	explorer.exe
1440	smss.exe
388	explorer.exe
1892	explorer.exe
4944	explorer.exe
776	explorer.exe
1056	explorer.exe
1620	explorer.exe
1720	explorer.exe
2992	explorer.exe
3052	smss.exe
1428	explorer.exe
3396	explorer.exe
2604	explorer.exe
4648	explorer.exe
4680	smss.exe
2268	explorer.exe
804	explorer.exe
4804	explorer.exe
1904	explorer.exe
4284	explorer.exe
2476	explorer.exe
2336	smss.exe
2092	explorer.exe
2720	explorer.exe
3324	smss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3308-0-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/files/0x0002000000022b23-4.dat	upx
behavioral2/memory/3308-9-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1596-14-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3728-13-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4440-18-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1596-22-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2676-26-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4784-30-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1848-34-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3316-38-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2804-41-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1068-43-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1196-45-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/528-48-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2804-50-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3076-52-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3348-55-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1696-57-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4860-59-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4660-61-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4084-63-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/892-65-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4872-67-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1020-69-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4344-72-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1236-74-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2872-73-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/5084-76-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4412-78-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2784-80-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3600-82-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4212-84-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2872-86-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1236-87-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/660-90-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/404-92-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4928-94-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/216-97-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3536-96-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4264-99-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3968-101-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1892-103-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4516-105-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4752-106-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3308-107-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1048-110-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2624-112-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/216-113-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1440-115-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/388-117-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1892-119-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4944-121-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3728-123-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/776-125-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1056-127-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1620-130-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1720-131-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2992-132-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3052-133-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/1428-134-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4440-135-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/3396-136-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/2604-137-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\rgnotesftt\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\vuxffdbvqd\smss.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3308	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
3308	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
3728	explorer.exe
3728	explorer.exe
4440	explorer.exe
4440	explorer.exe
1596	explorer.exe
1596	explorer.exe
2676	explorer.exe
2676	explorer.exe
4784	explorer.exe
4784	explorer.exe
1848	explorer.exe
1848	explorer.exe
3316	explorer.exe
3316	explorer.exe
1068	explorer.exe
1068	explorer.exe
1196	smss.exe
1196	smss.exe
528	explorer.exe
528	explorer.exe
2804	smss.exe
2804	smss.exe
3076	explorer.exe
3076	explorer.exe
3348	smss.exe
3348	smss.exe
1696	explorer.exe
1696	explorer.exe
4860	explorer.exe
4860	explorer.exe
4660	explorer.exe
4660	explorer.exe
4084	smss.exe
4084	smss.exe
892	explorer.exe
892	explorer.exe
4872	explorer.exe
4872	explorer.exe
1020	explorer.exe
1020	explorer.exe
4344	explorer.exe
4344	explorer.exe
5084	smss.exe
5084	smss.exe
4412	explorer.exe
4412	explorer.exe
2784	explorer.exe
2784	explorer.exe
3600	explorer.exe
3600	explorer.exe
4212	explorer.exe
4212	explorer.exe
2872	smss.exe
2872	smss.exe
1236	explorer.exe
1236	explorer.exe
660	explorer.exe
660	explorer.exe
404	explorer.exe
404	explorer.exe
4928	explorer.exe
4928	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3308	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3728	explorer.exe
Token: SeLoadDriverPrivilege	4440	explorer.exe
Token: SeLoadDriverPrivilege	1596	explorer.exe
Token: SeLoadDriverPrivilege	2676	explorer.exe
Token: SeLoadDriverPrivilege	4784	explorer.exe
Token: SeLoadDriverPrivilege	1848	explorer.exe
Token: SeLoadDriverPrivilege	3316	explorer.exe
Token: SeLoadDriverPrivilege	1068	explorer.exe
Token: SeLoadDriverPrivilege	1196	smss.exe
Token: SeLoadDriverPrivilege	528	explorer.exe
Token: SeLoadDriverPrivilege	2804	smss.exe
Token: SeLoadDriverPrivilege	3076	explorer.exe
Token: SeLoadDriverPrivilege	3348	smss.exe
Token: SeLoadDriverPrivilege	1696	explorer.exe
Token: SeLoadDriverPrivilege	4860	explorer.exe
Token: SeLoadDriverPrivilege	4660	explorer.exe
Token: SeLoadDriverPrivilege	4084	smss.exe
Token: SeLoadDriverPrivilege	892	explorer.exe
Token: SeLoadDriverPrivilege	4872	explorer.exe
Token: SeLoadDriverPrivilege	1020	explorer.exe
Token: SeLoadDriverPrivilege	4344	explorer.exe
Token: SeLoadDriverPrivilege	5084	smss.exe
Token: SeLoadDriverPrivilege	4412	explorer.exe
Token: SeLoadDriverPrivilege	2784	explorer.exe
Token: SeLoadDriverPrivilege	3600	explorer.exe
Token: SeLoadDriverPrivilege	4212	explorer.exe
Token: SeLoadDriverPrivilege	2872	smss.exe
Token: SeLoadDriverPrivilege	1236	explorer.exe
Token: SeLoadDriverPrivilege	660	explorer.exe
Token: SeLoadDriverPrivilege	404	explorer.exe
Token: SeLoadDriverPrivilege	4928	explorer.exe
Token: SeLoadDriverPrivilege	3536	explorer.exe
Token: SeLoadDriverPrivilege	4264	explorer.exe
Token: SeLoadDriverPrivilege	3968	smss.exe
Token: SeLoadDriverPrivilege	4516	explorer.exe
Token: SeLoadDriverPrivilege	4752	explorer.exe
Token: SeLoadDriverPrivilege	1048	explorer.exe
Token: SeLoadDriverPrivilege	2624	explorer.exe
Token: SeLoadDriverPrivilege	216	explorer.exe
Token: SeLoadDriverPrivilege	1440	smss.exe
Token: SeLoadDriverPrivilege	388	explorer.exe
Token: SeLoadDriverPrivilege	1892	explorer.exe
Token: SeLoadDriverPrivilege	4944	explorer.exe
Token: SeLoadDriverPrivilege	776	explorer.exe
Token: SeLoadDriverPrivilege	1056	explorer.exe
Token: SeLoadDriverPrivilege	1620	explorer.exe
Token: SeLoadDriverPrivilege	1720	explorer.exe
Token: SeLoadDriverPrivilege	2992	explorer.exe
Token: SeLoadDriverPrivilege	3052	smss.exe
Token: SeLoadDriverPrivilege	1428	explorer.exe
Token: SeLoadDriverPrivilege	3396	explorer.exe
Token: SeLoadDriverPrivilege	2604	explorer.exe
Token: SeLoadDriverPrivilege	4648	explorer.exe
Token: SeLoadDriverPrivilege	4680	smss.exe
Token: SeLoadDriverPrivilege	804	explorer.exe
Token: SeLoadDriverPrivilege	2268	explorer.exe
Token: SeLoadDriverPrivilege	4804	explorer.exe
Token: SeLoadDriverPrivilege	1904	explorer.exe
Token: SeLoadDriverPrivilege	4284	explorer.exe
Token: SeLoadDriverPrivilege	2336	smss.exe
Token: SeLoadDriverPrivilege	2476	explorer.exe
Token: SeLoadDriverPrivilege	2092	explorer.exe
Token: SeLoadDriverPrivilege	2720	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 3728	3308	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	86
PID 3308 wrote to memory of 3728	3308	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	86
PID 3308 wrote to memory of 3728	3308	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	86
PID 3728 wrote to memory of 4440	3728	explorer.exe	92
PID 3728 wrote to memory of 4440	3728	explorer.exe	92
PID 3728 wrote to memory of 4440	3728	explorer.exe	92
PID 4440 wrote to memory of 1596	4440	explorer.exe	94
PID 4440 wrote to memory of 1596	4440	explorer.exe	94
PID 4440 wrote to memory of 1596	4440	explorer.exe	94
PID 1596 wrote to memory of 2676	1596	explorer.exe	97
PID 1596 wrote to memory of 2676	1596	explorer.exe	97
PID 1596 wrote to memory of 2676	1596	explorer.exe	97
PID 2676 wrote to memory of 4784	2676	explorer.exe	98
PID 2676 wrote to memory of 4784	2676	explorer.exe	98
PID 2676 wrote to memory of 4784	2676	explorer.exe	98
PID 4784 wrote to memory of 1848	4784	explorer.exe	99
PID 4784 wrote to memory of 1848	4784	explorer.exe	99
PID 4784 wrote to memory of 1848	4784	explorer.exe	99
PID 1848 wrote to memory of 3316	1848	explorer.exe	100
PID 1848 wrote to memory of 3316	1848	explorer.exe	100
PID 1848 wrote to memory of 3316	1848	explorer.exe	100
PID 3316 wrote to memory of 1068	3316	explorer.exe	102
PID 3316 wrote to memory of 1068	3316	explorer.exe	102
PID 3316 wrote to memory of 1068	3316	explorer.exe	102
PID 3308 wrote to memory of 1196	3308	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	103
PID 3308 wrote to memory of 1196	3308	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	103
PID 3308 wrote to memory of 1196	3308	d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe	103
PID 1068 wrote to memory of 528	1068	explorer.exe	105
PID 1068 wrote to memory of 528	1068	explorer.exe	105
PID 1068 wrote to memory of 528	1068	explorer.exe	105
PID 3728 wrote to memory of 2804	3728	explorer.exe	106
PID 3728 wrote to memory of 2804	3728	explorer.exe	106
PID 3728 wrote to memory of 2804	3728	explorer.exe	106
PID 1196 wrote to memory of 3076	1196	smss.exe	107
PID 1196 wrote to memory of 3076	1196	smss.exe	107
PID 1196 wrote to memory of 3076	1196	smss.exe	107
PID 4440 wrote to memory of 3348	4440	explorer.exe	108
PID 4440 wrote to memory of 3348	4440	explorer.exe	108
PID 4440 wrote to memory of 3348	4440	explorer.exe	108
PID 528 wrote to memory of 1696	528	explorer.exe	109
PID 528 wrote to memory of 1696	528	explorer.exe	109
PID 528 wrote to memory of 1696	528	explorer.exe	109
PID 2804 wrote to memory of 4860	2804	smss.exe	110
PID 2804 wrote to memory of 4860	2804	smss.exe	110
PID 2804 wrote to memory of 4860	2804	smss.exe	110
PID 3076 wrote to memory of 4660	3076	explorer.exe	111
PID 3076 wrote to memory of 4660	3076	explorer.exe	111
PID 3076 wrote to memory of 4660	3076	explorer.exe	111
PID 1596 wrote to memory of 4084	1596	explorer.exe	112
PID 1596 wrote to memory of 4084	1596	explorer.exe	112
PID 1596 wrote to memory of 4084	1596	explorer.exe	112
PID 3348 wrote to memory of 892	3348	smss.exe	113
PID 3348 wrote to memory of 892	3348	smss.exe	113
PID 3348 wrote to memory of 892	3348	smss.exe	113
PID 1696 wrote to memory of 4872	1696	explorer.exe	114
PID 1696 wrote to memory of 4872	1696	explorer.exe	114
PID 1696 wrote to memory of 4872	1696	explorer.exe	114
PID 4860 wrote to memory of 1020	4860	explorer.exe	115
PID 4860 wrote to memory of 1020	4860	explorer.exe	115
PID 4860 wrote to memory of 1020	4860	explorer.exe	115
PID 4660 wrote to memory of 4344	4660	explorer.exe	116
PID 4660 wrote to memory of 4344	4660	explorer.exe	116
PID 4660 wrote to memory of 4344	4660	explorer.exe	116
PID 2676 wrote to memory of 5084	2676	explorer.exe	117

C:\Users\Admin\AppData\Local\Temp\d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d22b3df36457a17f032833b7b02f0601_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\SysWOW64\rgnotesftt\explorer.exe
  C:\Windows\system32\rgnotesftt\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
    C:\Windows\system32\rgnotesftt\explorer.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
      C:\Windows\system32\rgnotesftt\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:6688
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        24⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:9556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        26⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        27⤵
        
        PID:15056
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        28⤵
        Enumerates connected drives
        
        PID:17272
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        29⤵
        
        PID:20208
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        23⤵
        
        PID:19672
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        22⤵
        
        PID:16772
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20132
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:14752
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:16936
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20112
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        20⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:14800
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17056
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20280
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        19⤵
        Drops file in System32 directory
        
        PID:9492
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:11156
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:14900
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17152
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20048
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        18⤵
        
        PID:8272
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:14784
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17064
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20104
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:8280
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:11128
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:14816
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17132
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20268
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:11052
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:14792
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17164
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20124
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:8236
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:14888
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17144
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20304
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:16560
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19520
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:10976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:14700
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:16844
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:19788
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        Enumerates connected drives
        
        PID:16516
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19560
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:14492
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16788
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19852
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:2708
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:6076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:6524
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:11068
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:14848
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17124
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20192
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:16472
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19568
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:14372
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19796
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14468
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:16672
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:20080
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:1532
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:15032
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17204
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20288
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:19460
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:16660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19608
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:14616
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16852
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19924
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:14648
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16828
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:20088
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:9312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:11032
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14824
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17000
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:20176
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:4568
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9344
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:10984
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:14676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:16812
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:19832
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:16440
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19468
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:14440
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16620
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19600
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14476
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16632
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19648
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14396
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16524
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19528
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:7932
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14564
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16704
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19484
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:448
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5296
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:14744
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:16900
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20028
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        Drops file in System32 directory
        
        PID:16496
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19536
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:14364
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16480
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19552
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14460
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16688
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19932
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:10860
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14484
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16644
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19512
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:7880
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:4228
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10928
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:14640
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16836
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19900
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10936
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:14556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16880
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:20096
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:620
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:7264
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9276
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:14808
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17196
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        23⤵
        
        PID:20408
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:16504
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19584
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:14500
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:16796
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19844
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14572
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16740
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:20036
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14692
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:19916
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:11076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14908
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17032
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:20224
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7208
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:9284
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:10992
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14668
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:16928
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:20016
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        Drops file in System32 directory
        
        PID:6476
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:11084
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17040
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:20184
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3968
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:648
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:8604
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:13408
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:17804
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        17⤵
        
        PID:20504
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:17504
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17576
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:13324
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17604
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:13348
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17644
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9864
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:13392
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:632
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17700
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:13332
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17628
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:9812
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17652
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5812
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:13280
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:15304
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:17456
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:20456
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:988
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:8924
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:13880
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:15732
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:18188
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:15584
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18356
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:13780
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:15700
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18400
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:10228
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:13844
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:15764
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18420
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10160
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:13796
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:15676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:7888
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:13852
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:15740
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10168
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:13788
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:15668
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18392
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7852
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8792
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10128
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:13720
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:15600
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18252
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:18028
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:5648
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7828
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:13712
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:15548
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18348
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:17972
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:18004
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5084
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:3504
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:14180
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:16100
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:18724
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:18656
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        Enumerates connected drives
        
        PID:15996
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18696
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:14136
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16044
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18752
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:10248
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14152
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18732
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14168
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16088
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18768
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16004
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18688
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8100
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:768
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:16028
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18672
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14112
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16052
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18760
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:18616
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14072
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:15976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18680
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:18560
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:15932
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:18584
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8040
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8984
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:15956
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18640
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:18536
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:15908
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:18544
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:14032
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:15924
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:18592
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:6312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:5740
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:16376
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:19164
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:18988
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:16280
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19080
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19108
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19100
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16360
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19124
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:13004
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19212
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10472
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:1236
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19184
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:9172
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10456
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:712
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19176
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:18964
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5872
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:9156
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16328
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19116
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:18948
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:16244
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:19032
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:5140
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14324
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16288
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19060
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:18932
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:16220
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:18996
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:14284
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:16212
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:19004
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:2480
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8168
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9124
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14296
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16252
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:18980
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:18900
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:16196
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:18908
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:14256
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:16172
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:18868
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:14248
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:16164
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:18876
  - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
      C:\Windows\system32\vuxffdbvqd\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3348
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:3428
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        
        PID:10904
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:14604
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:16732
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        22⤵
        
        PID:19656
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:16408
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:14340
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16456
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16820
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:20004
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10764
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16464
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19576
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10724
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14380
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16532
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19664
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:3040
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10848
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:14508
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16680
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19776
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16448
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:19544
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:6412
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:12948
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:9120
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:19436
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:6068
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7292
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10668
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:19400
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:16276
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:19452
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7244
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:4532
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:3260
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5968
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:6120
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:16400
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:19408
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:19388
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:12992
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:6908
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:10608
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:19444
- - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
    C:\Windows\system32\vuxffdbvqd\smss.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
      C:\Windows\system32\rgnotesftt\explorer.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4860
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7596
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        
        PID:9740
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:13300
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:17512
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        16⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:15200
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:2944
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:13180
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15208
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:9704
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13244
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:17472
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:8452
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13288
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:17584
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:7548
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:17568
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7488
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8428
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13220
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15284
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:17488
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:20324
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7464
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13172
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15232
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:17412
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:20340
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:17376
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:20436
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7496
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:13260
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15332
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:17464
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:20360
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:12944
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:19496
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:15168
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12932
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        Drops file in System32 directory
        
        PID:2884
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:7456
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8420
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:13228
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15324
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:17620
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:20332
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:17368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:20428
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:15132
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:16576
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:13084
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15084
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:17340
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:20384
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:4592
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5460
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:8388
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15152
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:20260
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:17328
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:20392
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:15124
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:13092
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:15116
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7512
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:13076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:17360
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:20448
  - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
      C:\Windows\system32\vuxffdbvqd\smss.exe
      4⤵
      Executes dropped EXE
      PID:3324
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        
        PID:3380
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:9780
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:17680
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:20420
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:20548
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:15240
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:17420
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:13188
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:17496
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:13164
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15224
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:17428
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:8372
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:9596
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:13124
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15144
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:16416
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:4136
- C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
  C:\Windows\system32\vuxffdbvqd\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
    C:\Windows\system32\rgnotesftt\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
      C:\Windows\system32\rgnotesftt\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4752
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:5024
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5716
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        16⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        17⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:13964
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        20⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:15860
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        21⤵
        
        PID:18472
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        15⤵
        
        PID:18180
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        14⤵
        
        PID:15592
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:18340
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        13⤵
        
        PID:13772
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15692
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:18408
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:10212
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13836
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:15684
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:15472
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        11⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:13892
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        10⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:10220
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:13804
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15748
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:18428
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7096
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13900
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15812
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:6208
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:13860
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:18040
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:6124
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:13652
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15564
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:18276
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:17960
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18120
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8720
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:10032
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13584
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15436
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:18104
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:17920
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:17944
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:13528
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15072
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18080
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:1640
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:10020
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13576
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:15452
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:18196
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:17888
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:5980
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:17952
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:13488
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:17928
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:9944
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:13496
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:17936
  - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
      C:\Windows\system32\vuxffdbvqd\smss.exe
      4⤵
      PID:4300
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13680
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15576
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:18364
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:17912
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:5896
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:17880
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:13520
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18088
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13600
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15420
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18140
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:8684
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:9976
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:13592
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15504
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18204
- - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
    C:\Windows\system32\vuxffdbvqd\smss.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
  - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
      C:\Windows\system32\rgnotesftt\explorer.exe
      4⤵
      PID:680
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        Enumerates connected drives
        
        PID:4912
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:7076
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        10⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:8800
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        12⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        13⤵
        
        PID:13704
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        14⤵
        
        PID:15556
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        15⤵
        
        PID:18372
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        9⤵
        
        PID:18020
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        8⤵
        
        PID:15444
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18112
        
        C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        7⤵
        
        PID:13644
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15496
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18168
      - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        6⤵
        
        PID:10060
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:13660
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15512
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18160
    - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
        
        C:\Windows\system32\vuxffdbvqd\smss.exe
        5⤵
        
        PID:8676
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:9968
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        
        PID:13544
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15368
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18064
  - - C:\Windows\SysWOW64\vuxffdbvqd\smss.exe
      C:\Windows\system32\vuxffdbvqd\smss.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:7720
    - - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        5⤵
        
        PID:8660
      - C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        6⤵
        
        PID:9960
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:13608
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        8⤵
        
        PID:15428
        
        C:\Windows\SysWOW64\rgnotesftt\explorer.exe
        
        C:\Windows\system32\rgnotesftt\explorer.exe
        9⤵
        
        PID:18148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\rgnotesftt\explorer.exe

Filesize
352KB

MD5
d22b3df36457a17f032833b7b02f0601

SHA1
1e7d1b70265d5929ff5e5f58c24f628679eff893

SHA256
f6a110db05d1d3ae9e537921a41dc8e9ad272e266ccb98b0915063e8d06bf5c7

SHA512
ed780042aa9b892dc332d3d6a4fca6c6b360ca0728f87529cec37c4f7f548c7768de1d792fab5c19d339f3f57c9c93cd737959fb68a3e1e8248c29e9998304b2

Download Submit
memory/216-113-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/216-97-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/388-117-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/404-92-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/528-48-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/648-154-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/660-90-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-156-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/680-144-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/776-125-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/804-141-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/892-65-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/912-571-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1020-69-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1048-110-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1056-127-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1068-43-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1196-45-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1236-87-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1236-74-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1428-134-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1440-115-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1532-166-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1596-14-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1596-22-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1596-150-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1620-130-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1696-57-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1720-131-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1832-164-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1848-34-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1892-119-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1892-103-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1904-145-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2064-587-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2092-149-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2268-140-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2336-148-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2476-147-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2604-137-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2624-112-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2648-589-0x00007FFB63070000-0x00007FFB63265000-memory.dmp

Filesize
2.0MB

Download
memory/2676-26-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2676-169-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2720-151-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2748-153-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2784-80-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2804-50-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2804-41-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2820-157-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2820-165-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2872-73-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2872-86-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2936-559-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2952-168-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2980-160-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/2992-132-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3044-557-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3052-133-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3076-52-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3308-167-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3308-0-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3308-107-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3308-9-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3316-38-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3324-152-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3348-55-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3396-136-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3428-163-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3536-96-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3600-82-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3728-123-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3728-13-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3824-560-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3968-101-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/3972-170-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4084-63-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4212-84-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4252-158-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4264-99-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4284-146-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4300-143-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4300-155-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4324-161-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4344-72-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4412-78-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4440-18-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4440-135-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4516-105-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4532-162-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4648-138-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4660-61-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4680-139-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4752-106-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4784-30-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4804-142-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4860-59-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4872-67-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4928-94-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4944-121-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5024-159-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5084-76-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/7064-492-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/7704-542-0x00007FFB63070000-0x00007FFB63265000-memory.dmp

Filesize
2.0MB

Download
memory/7968-547-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/8168-573-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/9052-534-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/9124-556-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/16796-491-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/17888-575-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/18696-570-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/19568-478-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/19796-496-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/21332-569-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/22228-563-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/22324-564-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/23716-479-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/23724-487-0x00007FFB63070000-0x00007FFB63265000-memory.dmp

Filesize
2.0MB

Download
memory/23880-476-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/23888-477-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/24032-494-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/24212-493-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/24252-489-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/24800-515-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/24832-517-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/24984-518-0x00007FFB63070000-0x00007FFB63265000-memory.dmp

Filesize
2.0MB

Download
memory/25008-520-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/25016-512-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/25088-550-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/25132-511-0x00007FFB63070000-0x00007FFB63265000-memory.dmp

Filesize
2.0MB

Download
memory/25132-510-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/25204-536-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/25236-513-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/25624-537-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/25844-533-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/25972-541-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/26164-572-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/26184-574-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/26480-567-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/26644-562-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/26652-555-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/26700-552-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/29580-535-0x00007FFB63070000-0x00007FFB63265000-memory.dmp

Filesize
2.0MB

Download