34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

Analysis

max time kernel
156s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe
Size

82KB
MD5

20a1dbf272a6cd17a2e9aa1cb892385b
SHA1

30489508fece5cdd08db01a15b83a3de542a12b6
SHA256

34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8
SHA512

18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f
SSDEEP

1536:pZVW2ToLXm/SA83JEJzmkPUVWneaiQBg6:pZVuyKZ5UmCuQepH6

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
420	explorer.exe
4324	explorer.exe
4780	explorer.exe
4712	explorer.exe
2224	explorer.exe
4992	explorer.exe
500	explorer.exe
1676	explorer.exe
4036	smss.exe
212	smss.exe
3748	smss.exe
616	explorer.exe
1836	explorer.exe
2272	explorer.exe
2344	smss.exe
2160	explorer.exe
1968	explorer.exe
3492	explorer.exe
5112	explorer.exe
4388	smss.exe
2300	explorer.exe
1452	explorer.exe
4088	explorer.exe
4920	explorer.exe
4204	smss.exe
3324	explorer.exe
1304	explorer.exe
2480	explorer.exe
2512	explorer.exe
3648	smss.exe
3512	explorer.exe
2356	explorer.exe
3084	explorer.exe
908	explorer.exe
376	explorer.exe
3024	explorer.exe
1840	explorer.exe
1776	smss.exe
3700	explorer.exe
2440	explorer.exe
1672	explorer.exe
4432	explorer.exe
1576	explorer.exe
3420	explorer.exe
4444	explorer.exe
4692	explorer.exe
4748	explorer.exe
4828	explorer.exe
3684	explorer.exe
1300	explorer.exe
2248	explorer.exe
1884	explorer.exe
4048	explorer.exe
4776	explorer.exe
5056	explorer.exe
3600	explorer.exe
3200	explorer.exe
3012	smss.exe
3440	explorer.exe
4592	smss.exe
3532	smss.exe
2196	explorer.exe
1520	explorer.exe
4892	explorer.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4608-132-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000300000000072f-134.dat	upx
behavioral2/files/0x000300000000072f-135.dat	upx
behavioral2/memory/420-136-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0003000000000731-137.dat	upx
behavioral2/files/0x000300000000072f-139.dat	upx
behavioral2/memory/4324-140-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x0004000000000731-141.dat	upx
behavioral2/files/0x000300000000072f-143.dat	upx
behavioral2/memory/4780-144-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4608-145-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/420-146-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000500000000a3c1-147.dat	upx
behavioral2/files/0x000300000000072f-149.dat	upx
behavioral2/memory/4712-150-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4324-151-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000600000000a3c1-152.dat	upx
behavioral2/files/0x000300000000072f-154.dat	upx
behavioral2/memory/2224-155-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4780-156-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000700000000a3c1-157.dat	upx
behavioral2/files/0x000300000000072f-159.dat	upx
behavioral2/memory/4712-160-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000800000000a3c1-161.dat	upx
behavioral2/files/0x000300000000072f-163.dat	upx
behavioral2/memory/500-164-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2224-165-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000900000000a3c1-166.dat	upx
behavioral2/files/0x000300000000072f-168.dat	upx
behavioral2/memory/4992-169-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000400000001629c-172.dat	upx
behavioral2/files/0x000400000001629c-173.dat	upx
behavioral2/files/0x000400000001629c-174.dat	upx
behavioral2/memory/500-175-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/4036-176-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/212-177-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000400000001629c-179.dat	upx
behavioral2/memory/3748-180-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1676-181-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000300000000072f-183.dat	upx
behavioral2/files/0x000300000000072f-187.dat	upx
behavioral2/files/0x000300000000072f-186.dat	upx
behavioral2/memory/616-188-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1836-189-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/2272-190-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000400000001629c-192.dat	upx
behavioral2/memory/2344-193-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000300000000072f-195.dat	upx
behavioral2/memory/2160-196-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000300000000072f-198.dat	upx
behavioral2/files/0x000300000000072f-200.dat	upx
behavioral2/files/0x000300000000072f-202.dat	upx
behavioral2/memory/4036-203-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/212-204-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/5112-207-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/3492-206-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1968-205-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000400000001629c-209.dat	upx
behavioral2/memory/4388-210-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000300000000072f-212.dat	upx
behavioral2/memory/2300-213-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/files/0x000300000000072f-215.dat	upx
behavioral2/memory/3748-216-0x0000000000400000-0x0000000000458000-memory.dmp	upx
behavioral2/memory/1452-217-0x0000000000400000-0x0000000000458000-memory.dmp	upx

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\f:	smss.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\f:	smss.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\u:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\p:	explorer.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\k:	explorer.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\i:	explorer.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\v:	explorer.exe
File opened (read-only)	\??\m:	explorer.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\e:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\j:	explorer.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\f:	explorer.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\h:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\w:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\y:	explorer.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\o:	explorer.exe
File opened (read-only)	\??\l:	explorer.exe
File opened (read-only)	\??\n:	smss.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\z:	explorer.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\x:	explorer.exe
File opened (read-only)	\??\n:	explorer.exe
File opened (read-only)	\??\g:	explorer.exe
File opened (read-only)	\??\q:	explorer.exe
File opened (read-only)	\??\r:	explorer.exe
File opened (read-only)	\??\s:	smss.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	smss.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\puusvfejjx\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\puusvfejjx\smss.exe	explorer.exe
File created	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4608	34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe
4608	34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe
420	explorer.exe
420	explorer.exe
4324	explorer.exe
4324	explorer.exe
4780	explorer.exe
4780	explorer.exe
4712	explorer.exe
4712	explorer.exe
2224	explorer.exe
2224	explorer.exe
4992	explorer.exe
4992	explorer.exe
500	explorer.exe
500	explorer.exe
1676	explorer.exe
1676	explorer.exe
212	smss.exe
4036	smss.exe
212	smss.exe
4036	smss.exe
3748	smss.exe
3748	smss.exe
616	explorer.exe
616	explorer.exe
2272	explorer.exe
2272	explorer.exe
1836	explorer.exe
1836	explorer.exe
2344	smss.exe
2344	smss.exe
2160	explorer.exe
2160	explorer.exe
1968	explorer.exe
1968	explorer.exe
3492	explorer.exe
3492	explorer.exe
5112	explorer.exe
5112	explorer.exe
4388	smss.exe
4388	smss.exe
2300	explorer.exe
2300	explorer.exe
1452	explorer.exe
1452	explorer.exe
4088	explorer.exe
4088	explorer.exe
4920	explorer.exe
4920	explorer.exe
4204	smss.exe
4204	smss.exe
3324	explorer.exe
3324	explorer.exe
1304	explorer.exe
1304	explorer.exe
2480	explorer.exe
2480	explorer.exe
2512	explorer.exe
2512	explorer.exe
3648	smss.exe
3648	smss.exe
3512	explorer.exe
3512	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	4608	34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe
Token: SeLoadDriverPrivilege	420	explorer.exe
Token: SeLoadDriverPrivilege	4324	explorer.exe
Token: SeLoadDriverPrivilege	4780	explorer.exe
Token: SeLoadDriverPrivilege	4712	explorer.exe
Token: SeLoadDriverPrivilege	2224	explorer.exe
Token: SeLoadDriverPrivilege	4992	explorer.exe
Token: SeLoadDriverPrivilege	500	explorer.exe
Token: SeLoadDriverPrivilege	1676	explorer.exe
Token: SeLoadDriverPrivilege	4036	smss.exe
Token: SeLoadDriverPrivilege	212	smss.exe
Token: SeLoadDriverPrivilege	3748	smss.exe
Token: SeLoadDriverPrivilege	616	explorer.exe
Token: SeLoadDriverPrivilege	2272	explorer.exe
Token: SeLoadDriverPrivilege	1836	explorer.exe
Token: SeLoadDriverPrivilege	2344	smss.exe
Token: SeLoadDriverPrivilege	2160	explorer.exe
Token: SeLoadDriverPrivilege	1968	explorer.exe
Token: SeLoadDriverPrivilege	3492	explorer.exe
Token: SeLoadDriverPrivilege	5112	explorer.exe
Token: SeLoadDriverPrivilege	4388	smss.exe
Token: SeLoadDriverPrivilege	2300	explorer.exe
Token: SeLoadDriverPrivilege	1452	explorer.exe
Token: SeLoadDriverPrivilege	4088	explorer.exe
Token: SeLoadDriverPrivilege	4920	explorer.exe
Token: SeLoadDriverPrivilege	4204	smss.exe
Token: SeLoadDriverPrivilege	3324	explorer.exe
Token: SeLoadDriverPrivilege	1304	explorer.exe
Token: SeLoadDriverPrivilege	2480	explorer.exe
Token: SeLoadDriverPrivilege	2512	explorer.exe
Token: SeLoadDriverPrivilege	3648	smss.exe
Token: SeLoadDriverPrivilege	3512	explorer.exe
Token: SeLoadDriverPrivilege	2356	explorer.exe
Token: SeLoadDriverPrivilege	3084	explorer.exe
Token: SeLoadDriverPrivilege	908	explorer.exe
Token: SeLoadDriverPrivilege	376	explorer.exe
Token: SeLoadDriverPrivilege	3024	explorer.exe
Token: SeLoadDriverPrivilege	1840	explorer.exe
Token: SeLoadDriverPrivilege	1776	smss.exe
Token: SeLoadDriverPrivilege	3700	explorer.exe
Token: SeLoadDriverPrivilege	2440	explorer.exe
Token: SeLoadDriverPrivilege	1672	explorer.exe
Token: SeLoadDriverPrivilege	4432	explorer.exe
Token: SeLoadDriverPrivilege	1576	explorer.exe
Token: SeLoadDriverPrivilege	3420	explorer.exe
Token: SeLoadDriverPrivilege	4444	explorer.exe
Token: SeLoadDriverPrivilege	4692	explorer.exe
Token: SeLoadDriverPrivilege	4748	explorer.exe
Token: SeLoadDriverPrivilege	4828	explorer.exe
Token: SeLoadDriverPrivilege	3684	explorer.exe
Token: SeLoadDriverPrivilege	1300	explorer.exe
Token: SeLoadDriverPrivilege	2248	explorer.exe
Token: SeLoadDriverPrivilege	1884	explorer.exe
Token: SeLoadDriverPrivilege	4048	explorer.exe
Token: SeLoadDriverPrivilege	4776	explorer.exe
Token: SeLoadDriverPrivilege	5056	explorer.exe
Token: SeLoadDriverPrivilege	3600	explorer.exe
Token: SeLoadDriverPrivilege	3200	explorer.exe
Token: SeLoadDriverPrivilege	3012	smss.exe
Token: SeLoadDriverPrivilege	3440	explorer.exe
Token: SeLoadDriverPrivilege	3532	smss.exe
Token: SeLoadDriverPrivilege	4592	smss.exe
Token: SeLoadDriverPrivilege	2196	explorer.exe
Token: SeLoadDriverPrivilege	1520	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 420	4608	34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe	80
PID 4608 wrote to memory of 420	4608	34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe	80
PID 4608 wrote to memory of 420	4608	34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe	80
PID 420 wrote to memory of 4324	420	explorer.exe	81
PID 420 wrote to memory of 4324	420	explorer.exe	81
PID 420 wrote to memory of 4324	420	explorer.exe	81
PID 4324 wrote to memory of 4780	4324	explorer.exe	82
PID 4324 wrote to memory of 4780	4324	explorer.exe	82
PID 4324 wrote to memory of 4780	4324	explorer.exe	82
PID 4780 wrote to memory of 4712	4780	explorer.exe	83
PID 4780 wrote to memory of 4712	4780	explorer.exe	83
PID 4780 wrote to memory of 4712	4780	explorer.exe	83
PID 4712 wrote to memory of 2224	4712	explorer.exe	84
PID 4712 wrote to memory of 2224	4712	explorer.exe	84
PID 4712 wrote to memory of 2224	4712	explorer.exe	84
PID 2224 wrote to memory of 4992	2224	explorer.exe	85
PID 2224 wrote to memory of 4992	2224	explorer.exe	85
PID 2224 wrote to memory of 4992	2224	explorer.exe	85
PID 4992 wrote to memory of 500	4992	explorer.exe	87
PID 4992 wrote to memory of 500	4992	explorer.exe	87
PID 4992 wrote to memory of 500	4992	explorer.exe	87
PID 500 wrote to memory of 1676	500	explorer.exe	92
PID 500 wrote to memory of 1676	500	explorer.exe	92
PID 500 wrote to memory of 1676	500	explorer.exe	92
PID 4608 wrote to memory of 4036	4608	34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe	94
PID 4608 wrote to memory of 4036	4608	34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe	94
PID 4608 wrote to memory of 4036	4608	34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe	94
PID 420 wrote to memory of 212	420	explorer.exe	93
PID 420 wrote to memory of 212	420	explorer.exe	93
PID 420 wrote to memory of 212	420	explorer.exe	93
PID 4324 wrote to memory of 3748	4324	explorer.exe	96
PID 4324 wrote to memory of 3748	4324	explorer.exe	96
PID 4324 wrote to memory of 3748	4324	explorer.exe	96
PID 1676 wrote to memory of 616	1676	explorer.exe	97
PID 1676 wrote to memory of 616	1676	explorer.exe	97
PID 1676 wrote to memory of 616	1676	explorer.exe	97
PID 4036 wrote to memory of 1836	4036	smss.exe	101
PID 4036 wrote to memory of 1836	4036	smss.exe	101
PID 4036 wrote to memory of 1836	4036	smss.exe	101
PID 212 wrote to memory of 2272	212	smss.exe	100
PID 212 wrote to memory of 2272	212	smss.exe	100
PID 212 wrote to memory of 2272	212	smss.exe	100
PID 4780 wrote to memory of 2344	4780	explorer.exe	102
PID 4780 wrote to memory of 2344	4780	explorer.exe	102
PID 4780 wrote to memory of 2344	4780	explorer.exe	102
PID 3748 wrote to memory of 2160	3748	smss.exe	103
PID 3748 wrote to memory of 2160	3748	smss.exe	103
PID 3748 wrote to memory of 2160	3748	smss.exe	103
PID 616 wrote to memory of 1968	616	explorer.exe	104
PID 616 wrote to memory of 1968	616	explorer.exe	104
PID 616 wrote to memory of 1968	616	explorer.exe	104
PID 2272 wrote to memory of 3492	2272	explorer.exe	105
PID 2272 wrote to memory of 3492	2272	explorer.exe	105
PID 2272 wrote to memory of 3492	2272	explorer.exe	105
PID 1836 wrote to memory of 5112	1836	explorer.exe	106
PID 1836 wrote to memory of 5112	1836	explorer.exe	106
PID 1836 wrote to memory of 5112	1836	explorer.exe	106
PID 4712 wrote to memory of 4388	4712	explorer.exe	107
PID 4712 wrote to memory of 4388	4712	explorer.exe	107
PID 4712 wrote to memory of 4388	4712	explorer.exe	107
PID 2344 wrote to memory of 2300	2344	smss.exe	108
PID 2344 wrote to memory of 2300	2344	smss.exe	108
PID 2344 wrote to memory of 2300	2344	smss.exe	108
PID 2160 wrote to memory of 1452	2160	explorer.exe	109

C:\Users\Admin\AppData\Local\Temp\34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe
"C:\Users\Admin\AppData\Local\Temp\34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
  C:\Windows\system32\ojvpmkymsg\explorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
    C:\Windows\system32\ojvpmkymsg\explorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
      C:\Windows\system32\ojvpmkymsg\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4780
    - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2224
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:500
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3512
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3684
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3440
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        23⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        24⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        25⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        26⤵
        
        PID:12044
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        27⤵
        
        PID:14800
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        28⤵
        
        PID:17892
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        22⤵
        
        PID:17128
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        21⤵
        
        PID:13892
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:16456
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        20⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        19⤵
        Enumerates connected drives
        
        PID:3996
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        Enumerates connected drives
        
        PID:12240
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:13864
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:16464
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        18⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:11364
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        17⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:428
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:11372
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        Drops file in System32 directory
        
        PID:6608
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:6356
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:16888
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8440
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:388
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:6420
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:16844
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:14156
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17252
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:16872
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:14064
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17192
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:14168
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17288
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:2188
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5704
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:6068
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8456
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:16852
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:14216
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17176
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        Enumerates connected drives
        
        PID:12068
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:14332
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12196
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        Enumerates connected drives
        
        PID:6532
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8416
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:9988
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:12264
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:16788
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:14016
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17076
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:11932
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:14148
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17320
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        Drops file in System32 directory
        
        PID:1796
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:4080
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12188
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:1664
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:5268
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6524
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        Enumerates connected drives
        
        PID:8408
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:12272
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:16776
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:14024
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17088
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:11944
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:14136
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17244
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:9612
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12076
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:14312
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:788
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12180
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13856
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9844
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13876
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6604
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:5508
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        Drops file in System32 directory
        
        PID:7068
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:7936
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:11672
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:13800
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        23⤵
        
        PID:16576
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        18⤵
        
        PID:7864
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        17⤵
        
        PID:16352
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:13492
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        Enumerates connected drives
        
        PID:11456
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:13588
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:9280
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:11496
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:13616
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:16364
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:9464
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:13716
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:16508
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:9532
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:11580
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:13708
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:6956
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:9556
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:13764
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:16476
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        Enumerates connected drives
        
        PID:6004
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:8944
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:9564
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:11624
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:13772
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:16516
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        
        PID:7812
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:16268
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3648
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:5252
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:628
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:12156
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        17⤵
        
        PID:16656
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:13972
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:17116
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:11780
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:13996
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:17008
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        Drops file in System32 directory
        
        PID:10024
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:11904
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:14088
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:17296
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:9104
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:10068
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:11912
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:14072
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:17140
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9132
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        Enumerates connected drives
        
        PID:11896
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:14176
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:17312
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        Enumerates connected drives
        
        PID:7100
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10056
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:11880
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:14080
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:17304
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:8092
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:16628
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:9588
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:14320
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:17184
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:16640
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:13920
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:16712
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        Drops file in System32 directory
        
        PID:5940
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:12812
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:14776
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        23⤵
        
        PID:18568
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:14560
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:17608
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:14724
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:17928
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12428
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:14828
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:10560
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12512
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15080
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:792
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:10600
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12520
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15088
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18284
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:7720
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12564
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15072
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12692
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15308
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18624
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6256
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12668
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15172
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:14492
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:5020
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6232
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8024
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:456
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:10828
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12708
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15300
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18560
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:17336
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:11744
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:14468
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:17540
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6680
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8332
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:9764
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:11120
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:13232
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:15856
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        17⤵
        
        PID:18320
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:15504
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18532
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:13044
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15420
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13012
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15432
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18988
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        
        PID:9632
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11252
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15512
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18544
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9644
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11244
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13096
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15668
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18896
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9680
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13112
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15588
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18972
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7352
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:9696
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13168
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15652
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18996
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:18044
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:6116
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7408
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9728
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:116
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13192
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15660
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18888
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:18360
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        Enumerates connected drives
        
        PID:5180
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6648
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9672
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15716
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:18980
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:14568
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:18516
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:12900
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:15456
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:18648
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8252
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:204
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13184
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15636
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:18036
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:18524
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:12948
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:15448
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:18552
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:12980
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:15440
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:19004
    - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Enumerates connected drives
        
        PID:5344
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        Drops file in System32 directory
        
        PID:8604
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        Enumerates connected drives
        
        PID:10092
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:928
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:16368
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:15848
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16000
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:19364
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16008
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7848
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        Drops file in System32 directory
        
        PID:9852
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12776
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16080
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9912
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13260
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16168
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        Drops file in System32 directory
        
        PID:8476
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9888
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11172
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:12860
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16072
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:9972
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16152
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        Enumerates connected drives
        
        PID:5272
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6752
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7580
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9924
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13040
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16096
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:15764
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7588
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11216
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13008
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16104
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:15772
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:18872
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:13240
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:15868
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Enumerates connected drives
        
        PID:5284
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Enumerates connected drives
        
        PID:6800
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:5336
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16160
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:18768
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:15808
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:13252
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:15896
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:19236
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:13304
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:15944
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        
        PID:816
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8572
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10076
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:868
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16296
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:15832
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:13284
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:15916
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:19392
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        Drops file in System32 directory
        
        PID:11156
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:13296
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:15908
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:9796
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:540
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:12536
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:16016
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:19372
  - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
      C:\Windows\system32\puusvfejjx\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3748
    - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        Enumerates connected drives
        
        PID:7920
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:13792
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:16568
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        16⤵
        
        PID:16320
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:7944
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:13500
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13532
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:10224
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13556
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:15748
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        
        PID:8800
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13524
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:7760
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:10176
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11392
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13540
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8816
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13604
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7824
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11528
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13652
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16408
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:16228
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7832
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8872
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13644
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:16240
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:18688
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:13348
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:828
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9524
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11588
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13700
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:16276
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:13396
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:13472
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:4848
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:5432
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6904
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13660
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:16500
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:16212
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:18836
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:13356
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:11276
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:13436
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:13324
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:16328
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:19084
    - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        5⤵
        
        PID:1144
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:6872
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:7768
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8784
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10196
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:11440
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:13548
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:16204
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:13340
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:11284
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:13444
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:13332
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:16380
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:10148
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:13428
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:6824
- - C:\Windows\SysWOW64\puusvfejjx\smss.exe
    C:\Windows\system32\puusvfejjx\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:212
  - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
      C:\Windows\system32\ojvpmkymsg\explorer.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        Drops file in System32 directory
        
        PID:5948
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        Drops file in System32 directory
        
        PID:7196
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:12844
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        22⤵
        
        PID:18504
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:14688
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17820
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:14716
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:14820
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        Enumerates connected drives
        
        PID:9076
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:10468
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12420
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:15160
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:18352
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:4316
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10508
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12504
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:15104
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:18292
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:9040
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Drops file in System32 directory
        
        PID:10416
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12384
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:14856
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:17984
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:7752
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12496
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:15112
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:17272
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        Enumerates connected drives
        
        PID:9052
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:10460
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:14868
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:18020
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:17228
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:6396
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        Drops file in System32 directory
        
        PID:1240
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12676
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:15268
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:14484
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:11808
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14548
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:17676
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:8700
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:10700
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12864
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:6628
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:18576
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:17388
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:14352
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:11752
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14476
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14652
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:17860
    - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        5⤵
        
        PID:3004
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:6248
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7044
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:1412
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:10764
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:18608
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:17344
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:14360
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14512
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:17684
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14880
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:17828
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14896
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:17960
  - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
      C:\Windows\system32\puusvfejjx\smss.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3532
    - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        5⤵
        
        PID:5084
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:15260
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:17380
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:14440
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:17556
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14520
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:17668
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14748
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:17844
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:12344
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14732
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:17876
    - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        5⤵
        
        PID:7496
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        Drops file in System32 directory
        
        PID:10428
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:14840
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:18004
- C:\Windows\SysWOW64\puusvfejjx\smss.exe
  C:\Windows\system32\puusvfejjx\smss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4036
- - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
    C:\Windows\system32\ojvpmkymsg\explorer.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1836
  - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
      C:\Windows\system32\ojvpmkymsg\explorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5112
    - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4892
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        Enumerates connected drives
        
        PID:5972
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:7256
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        16⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        17⤵
        
        PID:9448
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        18⤵
        
        PID:10952
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        19⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        20⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        21⤵
        
        PID:18584
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        15⤵
        
        PID:17640
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        14⤵
        
        PID:14936
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:17936
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        13⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:14780
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:17868
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        12⤵
        
        PID:10644
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12456
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:15096
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:18632
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        11⤵
        Drops file in System32 directory
        
        PID:9036
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:10724
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12684
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:15324
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        10⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12600
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:15184
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:18368
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        Enumerates connected drives
        Drops file in System32 directory
        
        PID:1908
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:10588
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12528
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:15064
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:18676
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:6376
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:9272
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12852
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        Enumerates connected drives
        
        PID:5916
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12660
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:15316
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:18600
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:14660
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17632
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Enumerates connected drives
        
        PID:9260
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:10804
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12636
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:15236
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:14644
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17648
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14604
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17800
    - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        5⤵
        
        PID:4184
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        Enumerates connected drives
        
        PID:3204
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:10876
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12820
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:18592
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:14460
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17616
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:11844
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14584
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17548
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        Enumerates connected drives
        
        PID:10372
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:12292
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14740
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17852
  - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
      C:\Windows\system32\puusvfejjx\smss.exe
      4⤵
      PID:4308
    - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        5⤵
        
        PID:4004
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        Drops file in System32 directory
        
        PID:1048
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        Enumerates connected drives
        
        PID:6272
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        Drops file in System32 directory
        
        PID:7968
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:10748
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12828
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:18640
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:17352
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:14368
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14536
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17836
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14596
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17624
    - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        5⤵
        Drops file in System32 directory
        
        PID:8684
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        
        PID:10284
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14612
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17784
- - C:\Windows\SysWOW64\puusvfejjx\smss.exe
    C:\Windows\system32\puusvfejjx\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
  - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
      C:\Windows\system32\ojvpmkymsg\explorer.exe
      4⤵
      PID:4900
    - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        5⤵
        
        PID:440
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        Drops file in System32 directory
        
        PID:1676
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        10⤵
        
        PID:520
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        11⤵
        Drops file in System32 directory
        
        PID:9288
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        12⤵
        
        PID:10772
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        13⤵
        
        PID:12804
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        14⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        15⤵
        
        PID:18664
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        9⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        8⤵
        
        PID:14452
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17576
        
        C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        7⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14624
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17884
      - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        6⤵
        
        PID:10384
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:11740
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14888
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:18012
    - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
        
        C:\Windows\system32\puusvfejjx\smss.exe
        5⤵
        Enumerates connected drives
        
        PID:8760
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        
        PID:10408
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14904
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17968
  - - C:\Windows\SysWOW64\puusvfejjx\smss.exe
      C:\Windows\system32\puusvfejjx\smss.exe
      4⤵
      PID:7480
    - - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        5⤵
        Drops file in System32 directory
        
        PID:8720
      - C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        6⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        7⤵
        
        PID:12408
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        8⤵
        
        PID:14924
        
        C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe
        
        C:\Windows\system32\ojvpmkymsg\explorer.exe
        9⤵
        
        PID:17976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\ojvpmkymsg\explorer.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
C:\Windows\SysWOW64\puusvfejjx\smss.exe

Filesize
82KB

MD5
20a1dbf272a6cd17a2e9aa1cb892385b

SHA1
30489508fece5cdd08db01a15b83a3de542a12b6

SHA256
34dce87070fc2513d17e835a2bc8733d6c524568416f6d1a2e5285437183d6d8

SHA512
18723e7a1602f3810e42590622aba5f71d328849d4723d19abe8bf09d247a567e7b4ff7727fdb4f5598e24203bb1e674d4a962ac829faf6bd83d6e49c652720f

Download Submit
memory/212-177-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/212-171-0x0000000000000000-mapping.dmp

Download
memory/212-204-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/376-262-0x0000000000000000-mapping.dmp

Download
memory/376-265-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/420-136-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/420-146-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/420-133-0x0000000000000000-mapping.dmp

Download
memory/500-164-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/500-175-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/500-162-0x0000000000000000-mapping.dmp

Download
memory/616-182-0x0000000000000000-mapping.dmp

Download
memory/616-188-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/616-226-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/908-253-0x0000000000000000-mapping.dmp

Download
memory/908-261-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1300-319-0x0000000000000000-mapping.dmp

Download
memory/1304-235-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1304-233-0x0000000000000000-mapping.dmp

Download
memory/1452-214-0x0000000000000000-mapping.dmp

Download
memory/1452-217-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1452-274-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1520-358-0x0000000000000000-mapping.dmp

Download
memory/1576-286-0x0000000000000000-mapping.dmp

Download
memory/1672-282-0x0000000000000000-mapping.dmp

Download
memory/1676-167-0x0000000000000000-mapping.dmp

Download
memory/1676-181-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1776-276-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1776-272-0x0000000000000000-mapping.dmp

Download
memory/1836-227-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1836-189-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1836-184-0x0000000000000000-mapping.dmp

Download
memory/1840-275-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1840-270-0x0000000000000000-mapping.dmp

Download
memory/1884-323-0x0000000000000000-mapping.dmp

Download
memory/1968-197-0x0000000000000000-mapping.dmp

Download
memory/1968-205-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1968-255-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2160-242-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2160-194-0x0000000000000000-mapping.dmp

Download
memory/2160-196-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2196-357-0x0000000000000000-mapping.dmp

Download
memory/2224-165-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2224-155-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2224-153-0x0000000000000000-mapping.dmp

Download
memory/2248-321-0x0000000000000000-mapping.dmp

Download
memory/2272-190-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2272-228-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2272-185-0x0000000000000000-mapping.dmp

Download
memory/2300-213-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2300-268-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2300-211-0x0000000000000000-mapping.dmp

Download
memory/2344-191-0x0000000000000000-mapping.dmp

Download
memory/2344-193-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2344-238-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2356-249-0x0000000000000000-mapping.dmp

Download
memory/2356-259-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2440-280-0x0000000000000000-mapping.dmp

Download
memory/2480-239-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2480-236-0x0000000000000000-mapping.dmp

Download
memory/2512-240-0x0000000000000000-mapping.dmp

Download
memory/2512-243-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3012-350-0x0000000000000000-mapping.dmp

Download
memory/3024-266-0x0000000000000000-mapping.dmp

Download
memory/3024-269-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3084-251-0x0000000000000000-mapping.dmp

Download
memory/3084-260-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3200-349-0x0000000000000000-mapping.dmp

Download
memory/3324-224-0x0000000000000000-mapping.dmp

Download
memory/3324-232-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3420-296-0x0000000000000000-mapping.dmp

Download
memory/3440-354-0x0000000000000000-mapping.dmp

Download
memory/3492-206-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3492-199-0x0000000000000000-mapping.dmp

Download
memory/3492-256-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3512-247-0x0000000000000000-mapping.dmp

Download
memory/3512-258-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3532-356-0x0000000000000000-mapping.dmp

Download
memory/3600-344-0x0000000000000000-mapping.dmp

Download
memory/3648-244-0x0000000000000000-mapping.dmp

Download
memory/3648-246-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3684-315-0x0000000000000000-mapping.dmp

Download
memory/3700-277-0x0000000000000000-mapping.dmp

Download
memory/3700-279-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3748-178-0x0000000000000000-mapping.dmp

Download
memory/3748-216-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3748-180-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4036-203-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4036-176-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4036-170-0x0000000000000000-mapping.dmp

Download
memory/4048-333-0x0000000000000000-mapping.dmp

Download
memory/4088-288-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4088-229-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4088-218-0x0000000000000000-mapping.dmp

Download
memory/4204-222-0x0000000000000000-mapping.dmp

Download
memory/4204-231-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4204-290-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4324-138-0x0000000000000000-mapping.dmp

Download
memory/4324-140-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4324-151-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4388-210-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4388-264-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4388-208-0x0000000000000000-mapping.dmp

Download
memory/4432-284-0x0000000000000000-mapping.dmp

Download
memory/4444-300-0x0000000000000000-mapping.dmp

Download
memory/4592-355-0x0000000000000000-mapping.dmp

Download
memory/4608-132-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4608-145-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4692-304-0x0000000000000000-mapping.dmp

Download
memory/4712-148-0x0000000000000000-mapping.dmp

Download
memory/4712-160-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4712-150-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4748-306-0x0000000000000000-mapping.dmp

Download
memory/4776-337-0x0000000000000000-mapping.dmp

Download
memory/4780-144-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4780-142-0x0000000000000000-mapping.dmp

Download
memory/4780-156-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4828-311-0x0000000000000000-mapping.dmp

Download
memory/4892-359-0x0000000000000000-mapping.dmp

Download
memory/4920-220-0x0000000000000000-mapping.dmp

Download
memory/4920-230-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4920-289-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4992-158-0x0000000000000000-mapping.dmp

Download
memory/4992-169-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5056-342-0x0000000000000000-mapping.dmp

Download
memory/5112-207-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5112-257-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5112-201-0x0000000000000000-mapping.dmp

Download