806bb04d260fa035ba3743451b59e454097ce87b104a6e877e3eeb5133174cf0

Analysis

max time kernel
150s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-08-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe
Size

359KB
MD5

a83a220af3d5851fce04ea753b2e5b0c
SHA1

7c55ce2b64097f72fa2dad694a0a62601c2f1917
SHA256

806bb04d260fa035ba3743451b59e454097ce87b104a6e877e3eeb5133174cf0
SHA512

40f5f60d96fddd922fd15ab718c125a8f0f0de51298de0f2033aba3a56e302ec5aaa4717cedbf18e9c0ff3a1ac5c89ca69980a72be0dddd4d4140d4a42a57f7e
SSDEEP

3072:OrMyBpL/+8SbNNZ1uUAjpL/7NMcpL/7ZI/pL/7HM8pL/7j+2BPXr:OrME/ZQfLuJ/d/6/P/1h

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
856	explorer.exe
2104	explorer.exe
1900	explorer.exe
1868	explorer.exe
4164	explorer.exe
1292	explorer.exe
3080	explorer.exe
440	explorer.exe
3644	smss.exe
8	explorer.exe
1148	smss.exe
332	explorer.exe
4496	smss.exe
2524	explorer.exe
2308	explorer.exe
2292	explorer.exe
2376	smss.exe
2728	explorer.exe
4504	explorer.exe
552	explorer.exe
2220	explorer.exe
4340	smss.exe
1512	explorer.exe
2608	explorer.exe
4440	explorer.exe
1888	explorer.exe
4124	explorer.exe
2972	smss.exe
2988	explorer.exe
3232	explorer.exe
3588	explorer.exe
2188	explorer.exe
3560	explorer.exe
4708	smss.exe
3844	explorer.exe
1404	explorer.exe
4836	explorer.exe
2412	explorer.exe
4724	explorer.exe
2720	smss.exe
4136	explorer.exe
3112	explorer.exe
384	explorer.exe
520	explorer.exe
2892	explorer.exe
4704	explorer.exe
936	explorer.exe
32	explorer.exe
4092	explorer.exe
2460	smss.exe
3584	explorer.exe
872	explorer.exe
4060	explorer.exe
404	smss.exe
4008	explorer.exe
2440	explorer.exe
1576	explorer.exe
2880	explorer.exe
2948	explorer.exe
3244	explorer.exe
3000	smss.exe
3916	explorer.exe
3768	explorer.exe
1996	smss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2288-0-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/files/0x000400000001da3a-4.dat	upx
behavioral2/memory/2288-9-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/856-13-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2104-17-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1900-21-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1868-25-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4164-29-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1292-33-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/440-34-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3080-38-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/440-42-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3644-43-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/8-47-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1148-49-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/332-50-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/552-56-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4496-55-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2524-57-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2308-59-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2292-61-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2376-64-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2728-65-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4504-67-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/552-69-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2220-71-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4340-74-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1512-76-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2608-78-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4440-80-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1888-82-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4124-85-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3844-86-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2972-88-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2988-90-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3232-92-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3588-94-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2188-96-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3560-98-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3112-101-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4708-100-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3844-103-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2288-104-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/1404-106-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4836-108-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2412-111-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2720-114-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4724-113-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4136-116-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3112-118-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/384-120-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3584-122-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/520-121-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/856-123-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2892-126-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4704-128-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/936-130-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/32-131-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/4092-132-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2104-133-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/2460-134-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3584-135-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3244-137-0x0000000000400000-0x000000000045B000-memory.dmp	upx
behavioral2/memory/3000-138-0x0000000000400000-0x000000000045B000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\t:	explorer.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\s:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\r:	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	smss.exe
File created	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\albgtmnsto\smss.exe	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2288	a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe
2288	a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe
856	explorer.exe
856	explorer.exe
2104	explorer.exe
2104	explorer.exe
1900	explorer.exe
1900	explorer.exe
1868	explorer.exe
1868	explorer.exe
4164	explorer.exe
4164	explorer.exe
1292	explorer.exe
1292	explorer.exe
3080	explorer.exe
3080	explorer.exe
440	explorer.exe
440	explorer.exe
3644	smss.exe
3644	smss.exe
8	explorer.exe
8	explorer.exe
1148	smss.exe
1148	smss.exe
332	explorer.exe
332	explorer.exe
4496	smss.exe
4496	smss.exe
2524	explorer.exe
2524	explorer.exe
2308	explorer.exe
2308	explorer.exe
2292	explorer.exe
2292	explorer.exe
2376	smss.exe
2376	smss.exe
2728	explorer.exe
2728	explorer.exe
4504	explorer.exe
4504	explorer.exe
552	explorer.exe
552	explorer.exe
2220	explorer.exe
2220	explorer.exe
4340	smss.exe
4340	smss.exe
1512	explorer.exe
1512	explorer.exe
2608	explorer.exe
2608	explorer.exe
4440	explorer.exe
4440	explorer.exe
1888	explorer.exe
1888	explorer.exe
4124	explorer.exe
4124	explorer.exe
2972	smss.exe
2972	smss.exe
2988	explorer.exe
2988	explorer.exe
3232	explorer.exe
3232	explorer.exe
3588	explorer.exe
3588	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	2288	a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	856	explorer.exe
Token: SeLoadDriverPrivilege	2104	explorer.exe
Token: SeLoadDriverPrivilege	1900	explorer.exe
Token: SeLoadDriverPrivilege	1868	explorer.exe
Token: SeLoadDriverPrivilege	4164	explorer.exe
Token: SeLoadDriverPrivilege	1292	explorer.exe
Token: SeLoadDriverPrivilege	3080	explorer.exe
Token: SeLoadDriverPrivilege	440	explorer.exe
Token: SeLoadDriverPrivilege	3644	smss.exe
Token: SeLoadDriverPrivilege	8	explorer.exe
Token: SeLoadDriverPrivilege	1148	smss.exe
Token: SeLoadDriverPrivilege	332	explorer.exe
Token: SeLoadDriverPrivilege	4496	smss.exe
Token: SeLoadDriverPrivilege	2524	explorer.exe
Token: SeLoadDriverPrivilege	2308	explorer.exe
Token: SeLoadDriverPrivilege	2292	explorer.exe
Token: SeLoadDriverPrivilege	2376	smss.exe
Token: SeLoadDriverPrivilege	2728	explorer.exe
Token: SeLoadDriverPrivilege	4504	explorer.exe
Token: SeLoadDriverPrivilege	552	explorer.exe
Token: SeLoadDriverPrivilege	2220	explorer.exe
Token: SeLoadDriverPrivilege	4340	smss.exe
Token: SeLoadDriverPrivilege	1512	explorer.exe
Token: SeLoadDriverPrivilege	2608	explorer.exe
Token: SeLoadDriverPrivilege	4440	explorer.exe
Token: SeLoadDriverPrivilege	1888	explorer.exe
Token: SeLoadDriverPrivilege	4124	explorer.exe
Token: SeLoadDriverPrivilege	2972	smss.exe
Token: SeLoadDriverPrivilege	2988	explorer.exe
Token: SeLoadDriverPrivilege	3232	explorer.exe
Token: SeLoadDriverPrivilege	3588	explorer.exe
Token: SeLoadDriverPrivilege	2188	explorer.exe
Token: SeLoadDriverPrivilege	3560	explorer.exe
Token: SeLoadDriverPrivilege	4708	smss.exe
Token: SeLoadDriverPrivilege	3844	explorer.exe
Token: SeLoadDriverPrivilege	1404	explorer.exe
Token: SeLoadDriverPrivilege	4836	explorer.exe
Token: SeLoadDriverPrivilege	2412	explorer.exe
Token: SeLoadDriverPrivilege	4724	explorer.exe
Token: SeLoadDriverPrivilege	2720	smss.exe
Token: SeLoadDriverPrivilege	4136	explorer.exe
Token: SeLoadDriverPrivilege	3112	explorer.exe
Token: SeLoadDriverPrivilege	384	explorer.exe
Token: SeLoadDriverPrivilege	520	explorer.exe
Token: SeLoadDriverPrivilege	2892	explorer.exe
Token: SeLoadDriverPrivilege	4704	explorer.exe
Token: SeLoadDriverPrivilege	936	explorer.exe
Token: SeLoadDriverPrivilege	32	explorer.exe
Token: SeLoadDriverPrivilege	4092	explorer.exe
Token: SeLoadDriverPrivilege	2460	smss.exe
Token: SeLoadDriverPrivilege	3584	explorer.exe
Token: SeLoadDriverPrivilege	872	explorer.exe
Token: SeLoadDriverPrivilege	4060	explorer.exe
Token: SeLoadDriverPrivilege	404	smss.exe
Token: SeLoadDriverPrivilege	4008	explorer.exe
Token: SeLoadDriverPrivilege	2440	explorer.exe
Token: SeLoadDriverPrivilege	1576	explorer.exe
Token: SeLoadDriverPrivilege	2880	explorer.exe
Token: SeLoadDriverPrivilege	2948	explorer.exe
Token: SeLoadDriverPrivilege	3000	smss.exe
Token: SeLoadDriverPrivilege	3244	explorer.exe
Token: SeLoadDriverPrivilege	3916	explorer.exe
Token: SeLoadDriverPrivilege	3768	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 856	2288	a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe	87
PID 2288 wrote to memory of 856	2288	a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe	87
PID 2288 wrote to memory of 856	2288	a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe	87
PID 856 wrote to memory of 2104	856	explorer.exe	93
PID 856 wrote to memory of 2104	856	explorer.exe	93
PID 856 wrote to memory of 2104	856	explorer.exe	93
PID 2104 wrote to memory of 1900	2104	explorer.exe	95
PID 2104 wrote to memory of 1900	2104	explorer.exe	95
PID 2104 wrote to memory of 1900	2104	explorer.exe	95
PID 1900 wrote to memory of 1868	1900	explorer.exe	98
PID 1900 wrote to memory of 1868	1900	explorer.exe	98
PID 1900 wrote to memory of 1868	1900	explorer.exe	98
PID 1868 wrote to memory of 4164	1868	explorer.exe	99
PID 1868 wrote to memory of 4164	1868	explorer.exe	99
PID 1868 wrote to memory of 4164	1868	explorer.exe	99
PID 4164 wrote to memory of 1292	4164	explorer.exe	100
PID 4164 wrote to memory of 1292	4164	explorer.exe	100
PID 4164 wrote to memory of 1292	4164	explorer.exe	100
PID 1292 wrote to memory of 3080	1292	explorer.exe	101
PID 1292 wrote to memory of 3080	1292	explorer.exe	101
PID 1292 wrote to memory of 3080	1292	explorer.exe	101
PID 3080 wrote to memory of 440	3080	explorer.exe	102
PID 3080 wrote to memory of 440	3080	explorer.exe	102
PID 3080 wrote to memory of 440	3080	explorer.exe	102
PID 2288 wrote to memory of 3644	2288	a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe	104
PID 2288 wrote to memory of 3644	2288	a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe	104
PID 2288 wrote to memory of 3644	2288	a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe	104
PID 440 wrote to memory of 8	440	explorer.exe	107
PID 440 wrote to memory of 8	440	explorer.exe	107
PID 440 wrote to memory of 8	440	explorer.exe	107
PID 856 wrote to memory of 1148	856	explorer.exe	108
PID 856 wrote to memory of 1148	856	explorer.exe	108
PID 856 wrote to memory of 1148	856	explorer.exe	108
PID 3644 wrote to memory of 332	3644	smss.exe	109
PID 3644 wrote to memory of 332	3644	smss.exe	109
PID 3644 wrote to memory of 332	3644	smss.exe	109
PID 2104 wrote to memory of 4496	2104	explorer.exe	110
PID 2104 wrote to memory of 4496	2104	explorer.exe	110
PID 2104 wrote to memory of 4496	2104	explorer.exe	110
PID 8 wrote to memory of 2524	8	explorer.exe	111
PID 8 wrote to memory of 2524	8	explorer.exe	111
PID 8 wrote to memory of 2524	8	explorer.exe	111
PID 1148 wrote to memory of 2308	1148	smss.exe	112
PID 1148 wrote to memory of 2308	1148	smss.exe	112
PID 1148 wrote to memory of 2308	1148	smss.exe	112
PID 332 wrote to memory of 2292	332	explorer.exe	113
PID 332 wrote to memory of 2292	332	explorer.exe	113
PID 332 wrote to memory of 2292	332	explorer.exe	113
PID 1900 wrote to memory of 2376	1900	explorer.exe	114
PID 1900 wrote to memory of 2376	1900	explorer.exe	114
PID 1900 wrote to memory of 2376	1900	explorer.exe	114
PID 4496 wrote to memory of 2728	4496	smss.exe	115
PID 4496 wrote to memory of 2728	4496	smss.exe	115
PID 4496 wrote to memory of 2728	4496	smss.exe	115
PID 2524 wrote to memory of 4504	2524	explorer.exe	116
PID 2524 wrote to memory of 4504	2524	explorer.exe	116
PID 2524 wrote to memory of 4504	2524	explorer.exe	116
PID 2308 wrote to memory of 552	2308	explorer.exe	117
PID 2308 wrote to memory of 552	2308	explorer.exe	117
PID 2308 wrote to memory of 552	2308	explorer.exe	117
PID 2292 wrote to memory of 2220	2292	explorer.exe	118
PID 2292 wrote to memory of 2220	2292	explorer.exe	118
PID 2292 wrote to memory of 2220	2292	explorer.exe	118
PID 1868 wrote to memory of 4340	1868	explorer.exe	119

C:\Users\Admin\AppData\Local\Temp\a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a83a220af3d5851fce04ea753b2e5b0c_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
  C:\Windows\system32\hjbxqidyqd\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
    C:\Windows\system32\hjbxqidyqd\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
      C:\Windows\system32\hjbxqidyqd\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1868
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4440
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3584
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:5188
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:8156
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        24⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        25⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        26⤵
        
        PID:13260
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        27⤵
        
        PID:14904
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        28⤵
        Drops file in System32 directory
        
        PID:17348
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        29⤵
        
        PID:20428
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        23⤵
        
        PID:19688
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        22⤵
        
        PID:16868
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:19800
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        21⤵
        
        PID:14540
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:17052
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:20020
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        20⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:17364
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        19⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:13108
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14832
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:17308
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:20392
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        18⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:9772
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14704
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:17184
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:20216
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:13156
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14820
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:17336
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:20412
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:13168
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14864
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        Drops file in System32 directory
        
        PID:17392
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        17⤵
        
        PID:19672
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:428
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:8184
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:8644
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:13176
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14876
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:17400
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        17⤵
        
        PID:19680
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:16852
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19784
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:5772
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:940
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:13080
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14764
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:17208
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:20256
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        17⤵
        
        PID:19564
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:16772
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19976
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:14432
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:16940
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19956
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        
        PID:5148
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:5796
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:860
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:6988
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8128
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:8636
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:9828
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        Drops file in System32 directory
        
        PID:13200
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14808
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        17⤵
        
        PID:19696
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:16844
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19852
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:14424
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17096
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20328
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14584
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:17136
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20420
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5712
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:8532
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:12984
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14728
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:17228
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:20376
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        17⤵
        
        PID:19492
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:16740
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19632
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:12272
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:16812
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19772
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        
        PID:12800
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14468
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:16948
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19884
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:12844
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14568
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17080
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20192
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:13000
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:14612
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:17192
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        Enumerates connected drives
        
        PID:20240
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        17⤵
        
        PID:19536
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        Enumerates connected drives
        
        PID:16764
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19656
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:14400
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:16788
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19824
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:12836
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:14476
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:16964
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19964
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:12856
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14496
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:16956
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19900
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9660
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:12920
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14620
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:17128
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20472
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:6644
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:9916
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:13280
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:15000
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        17⤵
        
        PID:19732
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:16980
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19792
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:14636
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17064
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20032
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:13052
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14696
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17176
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20168
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13100
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14740
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17300
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20384
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:8564
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:9708
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:12992
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14772
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17236
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20452
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:8044
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:12928
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14576
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17152
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20272
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:4732
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:8604
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:9756
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:13028
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:14664
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:17160
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        23⤵
        
        PID:20248
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        17⤵
        
        PID:19528
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:16744
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19648
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:16796
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19816
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:12808
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14460
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:16904
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:19808
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:12864
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14560
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17108
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20112
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14848
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:17372
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:3540
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:9636
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:12908
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:14856
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17384
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:12200
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:6868
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:12872
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:14552
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        
        PID:17088
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:20184
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        
        PID:19460
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:384
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4060
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:596
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5980
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:9000
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:13472
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:15392
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:18004
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:17748
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17852
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:540
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17768
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        
        PID:10160
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:13400
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17876
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13408
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17924
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13376
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:17908
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:7408
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13356
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17860
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        
        PID:20708
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6312
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7368
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:8968
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13456
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:15376
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:17996
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:17640
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:3696
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:6468
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:10452
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:14052
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:16100
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:18652
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:15900
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18512
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:13928
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:15988
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18496
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:10380
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13936
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:15980
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18532
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:16068
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18568
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13948
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:15972
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18484
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13996
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:16000
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18504
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7028
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10268
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13832
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:15852
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:18292
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:10372
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:13976
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16060
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:18584
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:18356
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:15736
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:18404
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4340
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2060
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:9068
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:10604
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:14248
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        Enumerates connected drives
        
        PID:16344
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:18972
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:18824
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:16232
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18848
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        
        PID:14160
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16240
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18840
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        Enumerates connected drives
        
        PID:10556
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:14200
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16312
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18940
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10564
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:14208
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16328
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18956
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10572
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14184
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16280
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18904
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10524
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14152
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16248
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18856
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10532
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:14192
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:16288
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18888
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:18776
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14120
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:16184
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18800
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:18716
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:16148
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:18732
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:10500
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14128
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16192
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:18792
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:18708
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:16156
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:18724
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:14104
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:16216
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:18864
    - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3232
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:8244
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:12524
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        
        PID:19388
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:19200
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19248
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:12316
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19232
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:12448
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:216
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:19280
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:12408
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6540
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19240
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:8216
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:6680
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19264
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19352
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7608
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:232
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:12440
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19344
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:19044
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:976
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:12416
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:1692
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16180
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19256
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:19036
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:19104
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:5536
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:12380
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:15588
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19184
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:19068
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:19136
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:14300
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:19124
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:6620
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7560
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:12376
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:15704
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19192
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:19060
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:19112
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:14308
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:19052
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:12356
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:15692
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:19272
  - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
      C:\Windows\system32\albgtmnsto\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4496
    - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3588
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:32
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:1292
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7996
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:12976
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:14628
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        Drops file in System32 directory
        
        PID:17144
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        22⤵
        Enumerates connected drives
        
        PID:20148
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        16⤵
        
        PID:32
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:16664
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19592
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:1500
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:16700
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19664
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16684
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19600
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:12740
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:5608
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16884
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19832
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9508
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:12732
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14340
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16820
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:20124
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        Drops file in System32 directory
        
        PID:7952
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:12708
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:5580
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16676
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19576
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8416
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9536
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:12816
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14504
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17072
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:20176
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:12204
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:8356
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:12764
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14376
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16876
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:19892
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:16612
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:12748
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14440
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16896
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:19908
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:7976
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:16652
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:19468
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:16708
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:19584
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7888
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9460
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:12756
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:14368
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:16804
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:20008
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:16580
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:16572
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:12664
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:16600
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:8120
    - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        5⤵
        
        PID:3576
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:5624
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:12672
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:16592
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:16540
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:936
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:16508
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:12632
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:16552
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:3180
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        
        PID:9404
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:12640
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:16524
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:852
- - C:\Windows\SysWOW64\albgtmnsto\smss.exe
    C:\Windows\system32\albgtmnsto\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
      C:\Windows\system32\hjbxqidyqd\explorer.exe
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2308
    - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:3100
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:5964
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:13392
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:17916
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:17632
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17716
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        
        PID:13320
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17732
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:10116
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:5212
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15352
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17756
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17776
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:13368
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17788
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7372
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8864
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:10088
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:12296
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15324
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17724
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:20564
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10056
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15268
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17620
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:20520
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:17508
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20744
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5420
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:7460
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15216
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17580
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:7784
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:17412
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:20612
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:15108
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:17464
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20684
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:5876
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:7124
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10024
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15208
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17528
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:20716
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20596
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:15116
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:17444
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20640
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15084
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20488
    - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        5⤵
        
        PID:1048
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15260
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:17612
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:20528
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:17500
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20728
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:15224
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:17536
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:15148
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:17428
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20604
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15132
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:17472
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20692
  - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
      C:\Windows\system32\albgtmnsto\smss.exe
      4⤵
      Executes dropped EXE
      PID:1996
    - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:812
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:5920
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7580
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:10072
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:15316
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:17708
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:20536
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:17516
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:15232
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:17544
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15140
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:17456
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20700
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:9992
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15124
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:17420
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20632
    - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        5⤵
        
        PID:8764
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15076
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:20496
- C:\Windows\SysWOW64\albgtmnsto\smss.exe
  C:\Windows\system32\albgtmnsto\smss.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
    C:\Windows\system32\hjbxqidyqd\explorer.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:332
  - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
      C:\Windows\system32\hjbxqidyqd\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3844
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:6128
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        16⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        17⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        18⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        19⤵
        
        PID:13984
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        20⤵
        
        PID:16052
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        21⤵
        
        PID:18576
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        15⤵
        
        PID:18364
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        14⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        13⤵
        
        PID:13780
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15788
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        12⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:13880
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15924
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:4932
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10276
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:13844
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15844
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        10⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:9192
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:13888
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:15908
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:18436
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:7868
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:9120
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:13672
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15612
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:18316
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:560
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:13820
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15860
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:18184
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:6284
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:13720
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15764
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6784
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:18124
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:15488
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18100
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:9152
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:13728
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15780
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:18148
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:15560
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18340
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:13624
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15552
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18256
    - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        5⤵
        
        PID:1616
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        Drops file in System32 directory
        
        PID:6288
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:4068
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:9104
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:13708
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15708
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:18396
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:18132
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:15512
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18092
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:13556
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15544
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18200
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:9552
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        Enumerates connected drives
        
        PID:13572
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15504
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18140
  - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
      C:\Windows\system32\albgtmnsto\smss.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1400
    - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        5⤵
        
        PID:1100
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5412
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:556
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        
        PID:13896
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15964
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:18520
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:18284
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:15684
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18412
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        
        PID:13736
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15720
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18388
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:13788
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15816
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:4688
    - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        5⤵
        
        PID:9096
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        Drops file in System32 directory
        
        PID:5320
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:13656
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15644
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18308
- - C:\Windows\SysWOW64\albgtmnsto\smss.exe
    C:\Windows\system32\albgtmnsto\smss.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:404
  - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
      C:\Windows\system32\hjbxqidyqd\explorer.exe
      4⤵
      Enumerates connected drives
      PID:3956
    - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        5⤵
        
        PID:4824
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:6924
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        10⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        11⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        12⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:13796
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        14⤵
        
        PID:15808
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        15⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        9⤵
        
        PID:18216
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        8⤵
        
        PID:15628
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18332
        
        C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:13648
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15620
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18420
      - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        6⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:13664
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15636
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18324
    - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
        
        C:\Windows\system32\albgtmnsto\smss.exe
        5⤵
        
        PID:9060
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        
        PID:13564
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15496
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18192
  - - C:\Windows\SysWOW64\albgtmnsto\smss.exe
      C:\Windows\system32\albgtmnsto\smss.exe
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        5⤵
        
        PID:9080
      - C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        6⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:13608
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        8⤵
        
        PID:15592
        
        C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe
        
        C:\Windows\system32\hjbxqidyqd\explorer.exe
        9⤵
        
        PID:18224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hjbxqidyqd\explorer.exe

Filesize
359KB

MD5
a83a220af3d5851fce04ea753b2e5b0c

SHA1
7c55ce2b64097f72fa2dad694a0a62601c2f1917

SHA256
806bb04d260fa035ba3743451b59e454097ce87b104a6e877e3eeb5133174cf0

SHA512
40f5f60d96fddd922fd15ab718c125a8f0f0de51298de0f2033aba3a56e302ec5aaa4717cedbf18e9c0ff3a1ac5c89ca69980a72be0dddd4d4140d4a42a57f7e

Download Submit
memory/8-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/32-131-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/332-50-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/384-120-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/404-140-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/440-34-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/440-42-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/520-121-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/536-565-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/552-69-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/552-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/812-486-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/856-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/856-123-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/872-136-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/936-130-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1148-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1292-33-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1400-159-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1404-106-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1512-76-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1576-145-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-25-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1868-170-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1888-82-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1900-21-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1900-150-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1928-163-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1996-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1996-153-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2056-162-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2060-559-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/2104-17-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2104-133-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2180-156-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2188-96-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2220-71-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2288-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2288-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2288-104-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2292-61-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2308-59-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2376-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2412-111-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2440-143-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2460-134-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2524-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2608-78-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2640-165-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2640-155-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2720-114-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2728-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2784-167-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2880-146-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2892-126-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2948-147-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2972-88-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2988-90-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3000-149-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3000-138-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3080-38-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3112-101-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3112-118-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3232-92-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3244-148-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3244-137-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3260-160-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3560-98-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3576-164-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3584-122-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3584-135-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3588-94-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3644-43-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3648-166-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3696-561-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3696-161-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3768-142-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3768-152-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3792-501-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3844-103-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3844-86-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3916-151-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3956-157-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3956-551-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4008-141-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4060-139-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4064-154-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4092-132-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4124-85-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4136-116-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4164-29-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4256-509-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4340-74-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4440-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4496-55-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4504-67-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4704-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4708-100-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4724-113-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4732-158-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4732-168-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4752-169-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4836-108-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5188-549-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5220-550-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5344-505-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5536-506-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5796-512-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/6728-497-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/7408-508-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/7736-527-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/8480-553-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/8848-496-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/8852-495-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/8864-500-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/8968-507-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/9316-573-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/13556-564-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/14424-516-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/14728-521-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/17064-518-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/17228-517-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/19832-487-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/20032-510-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/20272-489-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/20328-511-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/20428-491-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/20604-529-0x00007FF9186B0000-0x00007FF9188A5000-memory.dmp

Filesize
2.0MB

Download
memory/20692-520-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/20752-524-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/20996-534-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/23640-490-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/23992-488-0x00000000756D0000-0x0000000075745000-memory.dmp

Filesize
468KB

Download
memory/24192-494-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/24244-492-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/24848-528-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/24872-530-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/24880-514-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/25004-523-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/25080-526-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/25144-525-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/25176-535-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/25184-532-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/25192-522-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/25220-531-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/25812-552-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/26008-546-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/26104-558-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/26596-566-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/26860-569-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/27120-575-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download