66082411bf39944e9ccaf1c82a6ef6f15b53782c0893c3053f8813533b710c19

Analysis

max time kernel
7s
max time network
125s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
10-01-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f63b9002845c129f1c90ccc0532dc2b.exe
Size

1.3MB
MD5

4f63b9002845c129f1c90ccc0532dc2b
SHA1

d786f63d1798c5785411bd28c1c285298717d9f6
SHA256

66082411bf39944e9ccaf1c82a6ef6f15b53782c0893c3053f8813533b710c19
SHA512

7ac6a73d7f5e6bfb3d8c2738bf67318892c8e9a1eee16b737f22cb8e35e9590e81721c83dac494ebce1f831c0e27fb88d96820efb93f108ac6a55bd690c7e6d7
SSDEEP

24576:XLQorMNmCi/aa0UdHF7yRA3OzirGC/un56N2IbaNzNcJoJi:XcUMN+qiHOA3O2GC/unMN2Qsi

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 26 IoCs

pid	Process
2560	B820A2.EXE
2512	B820A2.EXE
1684	B820A2.EXE
2688	B820A2.EXE
2304	B820A2.EXE
1880	B820A2.EXE
776	B820A2.EXE
788	B820A2.EXE
2120	B820A2.EXE
2532	B820A2.EXE
3064	B820A2.EXE
2852	B820A2.EXE
2256	B820A2.EXE
1604	B820A2.EXE
2804	B820A2.EXE
1300	B820A2.EXE
2304	B820A2.EXE
2624	B820A2.EXE
240	B820A2.EXE
1208	B820A2.EXE
3064	B820A2.EXE
3020	B820A2.EXE
2116	B820A2.EXE
3028	B820A2.EXE
2656	explorer.exe
1380	explorer.exe

Loads dropped DLL 64 IoCs

pid	Process
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2560	B820A2.EXE
2560	B820A2.EXE
2560	B820A2.EXE
2560	B820A2.EXE
2560	B820A2.EXE
2560	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2532	B820A2.EXE
2532	B820A2.EXE
2532	B820A2.EXE
2532	B820A2.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 25 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	explorer.exe
File opened for modification	\??\PhysicalDrive0	4f63b9002845c129f1c90ccc0532dc2b.exe
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	explorer.exe
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	4f63b9002845c129f1c90ccc0532dc2b.exe
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2904	4f63b9002845c129f1c90ccc0532dc2b.exe
2560	B820A2.EXE
2560	B820A2.EXE
2560	B820A2.EXE
2560	B820A2.EXE
2560	B820A2.EXE
2560	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
2512	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
1684	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2688	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
2304	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
1880	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
776	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
788	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2120	B820A2.EXE
2532	B820A2.EXE
2532	B820A2.EXE
2532	B820A2.EXE
2532	B820A2.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1208	2904	4f63b9002845c129f1c90ccc0532dc2b.exe	64
PID 2904 wrote to memory of 1208	2904	4f63b9002845c129f1c90ccc0532dc2b.exe	64
PID 2904 wrote to memory of 1208	2904	4f63b9002845c129f1c90ccc0532dc2b.exe	64
PID 2904 wrote to memory of 1208	2904	4f63b9002845c129f1c90ccc0532dc2b.exe	64
PID 2904 wrote to memory of 2560	2904	4f63b9002845c129f1c90ccc0532dc2b.exe	269
PID 2904 wrote to memory of 2560	2904	4f63b9002845c129f1c90ccc0532dc2b.exe	269
PID 2904 wrote to memory of 2560	2904	4f63b9002845c129f1c90ccc0532dc2b.exe	269
PID 2904 wrote to memory of 2560	2904	4f63b9002845c129f1c90ccc0532dc2b.exe	269
PID 2560 wrote to memory of 2732	2560	B820A2.EXE	256
PID 2560 wrote to memory of 2732	2560	B820A2.EXE	256
PID 2560 wrote to memory of 2732	2560	B820A2.EXE	256
PID 2560 wrote to memory of 2732	2560	B820A2.EXE	256
PID 2560 wrote to memory of 2512	2560	B820A2.EXE	249
PID 2560 wrote to memory of 2512	2560	B820A2.EXE	249
PID 2560 wrote to memory of 2512	2560	B820A2.EXE	249
PID 2560 wrote to memory of 2512	2560	B820A2.EXE	249
PID 2512 wrote to memory of 2500	2512	B820A2.EXE	244
PID 2512 wrote to memory of 2500	2512	B820A2.EXE	244
PID 2512 wrote to memory of 2500	2512	B820A2.EXE	244
PID 2512 wrote to memory of 2500	2512	B820A2.EXE	244
PID 2512 wrote to memory of 1684	2512	B820A2.EXE	237
PID 2512 wrote to memory of 1684	2512	B820A2.EXE	237
PID 2512 wrote to memory of 1684	2512	B820A2.EXE	237
PID 2512 wrote to memory of 1684	2512	B820A2.EXE	237
PID 1684 wrote to memory of 2176	1684	B820A2.EXE	224
PID 1684 wrote to memory of 2176	1684	B820A2.EXE	224
PID 1684 wrote to memory of 2176	1684	B820A2.EXE	224
PID 1684 wrote to memory of 2176	1684	B820A2.EXE	224
PID 1684 wrote to memory of 2688	1684	B820A2.EXE	30
PID 1684 wrote to memory of 2688	1684	B820A2.EXE	30
PID 1684 wrote to memory of 2688	1684	B820A2.EXE	30
PID 1684 wrote to memory of 2688	1684	B820A2.EXE	30
PID 2688 wrote to memory of 1440	2688	B820A2.EXE	210
PID 2688 wrote to memory of 1440	2688	B820A2.EXE	210
PID 2688 wrote to memory of 1440	2688	B820A2.EXE	210
PID 2688 wrote to memory of 1440	2688	B820A2.EXE	210
PID 2688 wrote to memory of 2304	2688	B820A2.EXE	193
PID 2688 wrote to memory of 2304	2688	B820A2.EXE	193
PID 2688 wrote to memory of 2304	2688	B820A2.EXE	193
PID 2688 wrote to memory of 2304	2688	B820A2.EXE	193
PID 2304 wrote to memory of 1220	2304	B820A2.EXE	31
PID 2304 wrote to memory of 1220	2304	B820A2.EXE	31
PID 2304 wrote to memory of 1220	2304	B820A2.EXE	31
PID 2304 wrote to memory of 1220	2304	B820A2.EXE	31
PID 2304 wrote to memory of 1880	2304	B820A2.EXE	32
PID 2304 wrote to memory of 1880	2304	B820A2.EXE	32
PID 2304 wrote to memory of 1880	2304	B820A2.EXE	32
PID 2304 wrote to memory of 1880	2304	B820A2.EXE	32
PID 1880 wrote to memory of 1136	1880	B820A2.EXE	173
PID 1880 wrote to memory of 1136	1880	B820A2.EXE	173
PID 1880 wrote to memory of 1136	1880	B820A2.EXE	173
PID 1880 wrote to memory of 1136	1880	B820A2.EXE	173
PID 1880 wrote to memory of 776	1880	B820A2.EXE	168
PID 1880 wrote to memory of 776	1880	B820A2.EXE	168
PID 1880 wrote to memory of 776	1880	B820A2.EXE	168
PID 1880 wrote to memory of 776	1880	B820A2.EXE	168
PID 776 wrote to memory of 964	776	B820A2.EXE	167
PID 776 wrote to memory of 964	776	B820A2.EXE	167
PID 776 wrote to memory of 964	776	B820A2.EXE	167
PID 776 wrote to memory of 964	776	B820A2.EXE	167
PID 776 wrote to memory of 788	776	B820A2.EXE	160
PID 776 wrote to memory of 788	776	B820A2.EXE	160
PID 776 wrote to memory of 788	776	B820A2.EXE	160
PID 776 wrote to memory of 788	776	B820A2.EXE	160

C:\Users\Admin\AppData\Local\Temp\4f63b9002845c129f1c90ccc0532dc2b.exe
"C:\Users\Admin\AppData\Local\Temp\4f63b9002845c129f1c90ccc0532dc2b.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\4f63b9002845c129f1c90ccc0532dc2b
  2⤵
  PID:1208
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2556

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2304
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:1440

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:1220

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:776
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:1136

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:2120
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:2584
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  PID:2532
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    PID:3064
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:2624
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        5⤵
        
        PID:564
    - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:240
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        6⤵
        
        PID:856
      - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        7⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        7⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3064
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      PID:2852
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        5⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2256
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        6⤵
        
        PID:1828
      - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        7⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        7⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        8⤵
        
        PID:716
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        8⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1300
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:716
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      PID:3020
    - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        5⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2116
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:2496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1672

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2732

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:1232

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
PID:2304
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:2824
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  PID:2624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3024

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2664

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2372

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:2840

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1580

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:2972

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:3028
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:1756
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  PID:2656
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    PID:1380

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2756

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:3076

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
PID:3136
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:3164
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  PID:3300
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:3388
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    PID:3476
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:3524
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      PID:3608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3344

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3488

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3648

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:3640

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
PID:3704
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:3740
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  PID:3800
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:3832
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    PID:3904
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:3940
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      PID:4032
    - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        5⤵
        
        PID:3152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3932

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:2900

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:4072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4040

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:3048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1072

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:3128

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3104

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:3464

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
PID:3428
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    PID:3880
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:3760
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      PID:3132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3508

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
PID:3316

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1380

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3820

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1264

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:3480

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
PID:3388
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:3080
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  PID:3840
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:4036
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    PID:3776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3908

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:3924

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
PID:2972
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:2988
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  PID:4032
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    PID:3704
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:4148
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      PID:4180
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        5⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        5⤵
        
        PID:4292

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4304

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:4336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4396

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
PID:4388
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:4476
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  PID:4532
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    PID:4660
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:4732
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      PID:4772
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        5⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        5⤵
        
        PID:4920
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        6⤵
        
        PID:5020
      - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        6⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        7⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        7⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        8⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        8⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        9⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        9⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        10⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        10⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        11⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        11⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        12⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        12⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        13⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        13⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        14⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        14⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        15⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        15⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        16⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        16⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        17⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        17⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        18⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        18⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        19⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        19⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        20⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        20⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        21⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        21⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        22⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        22⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        23⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        23⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        24⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        24⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        25⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        25⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        26⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        26⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        27⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        27⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        28⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        28⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        29⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        29⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        30⤵
        
        PID:5804
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        30⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        31⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        31⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        32⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        32⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        33⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        33⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        34⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        34⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        35⤵
        
        PID:5164
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        35⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        36⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        36⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        37⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        37⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        38⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        38⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        39⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        39⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        40⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        40⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        41⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        41⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        42⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        42⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        43⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        43⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        44⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        44⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        45⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        45⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        46⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        46⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        47⤵
        
        PID:6788
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        47⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        48⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        48⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        49⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        49⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        50⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        50⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        51⤵
        
        PID:7540
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        51⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        52⤵
        
        PID:7748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1668

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4524

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4780

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4228

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4260

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4680

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4556

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5448

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:2176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5916

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6024

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6136

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:2500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4676

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4872

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5688

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5940

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6116

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
8aa2a84ef3844ecd1cf9a788265b7f6b

SHA1
919d23ccfc02c27318281dae2b43900b9bcbe0c3

SHA256
afdaf830326a61053d3efa16fca809828f82adc628d4530b61ff89b99bcd6510

SHA512
2b79ce934b95466cf300ea5d3a67337e6285d4b9063991f42345ab4a86166a7cd0192f869b230d5609c733787aaa76a0a59009b34e443b3a198009de3502b142

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
4e6d281f1dcfcfa7a048b721a8ff5867

SHA1
0206fea20b3c6350712b38454777c1f0235d5fa9

SHA256
e0834c7c5806d0a0383a2b408fbf11aa70e6ee5c6c84b5eaec71d0b0c7b389f0

SHA512
20bcd8c7f688fed57d2b45399fe7e59b5da55d9ad18efa13c654206aa87350d8527e541b60179682c2ff0bb05a008e4218058dc718dcb519302b15baff09f944

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
c60e785fb00f7a6849f6fad4d3358b85

SHA1
fce7c0ff96c477328cd17f727386648166de1b77

SHA256
0af7861b9a2eb32c0ac639d296bd77090ac50a2cc0f194fd9021aecab816546a

SHA512
1e1cc0e774f238c7696f4dc72844f1661396e795670d4470f8916f3660930a80e38e3c3db9de489f82eab44db8228eca2ff8496713651a722f5b8936ceaeb0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
65bf4f2f88ae37d0b3fb139427fc9eeb

SHA1
14d3eb82e15bef7d72105011ae25808abd3be751

SHA256
ee3061a6ebe8f1b3e78b893715369443aa4d7ea253055668fa31927233be03a7

SHA512
cca6da28015c45c0da80f20c6791bb116e9c3cde227e7bc99b2f3619b0337e761fa44c53423f752e32eabc99e4131cc84c71ae071dd652eb4eb75bd1e9d79713

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
675KB

MD5
5820836449e8f518ffcc98353450c792

SHA1
582081f8591271b02a9962b6b62b5753f3984fea

SHA256
f9f06346b1fa04b08c0007b84fe5e857b63de3f617ce4987b1a252c0e0e2537f

SHA512
39dcea368aec597dda5055f7d9f6ad5e6920b7e6fa9dd499713a017eb59978d6450d674f96780952f781f8db1f85ca7a7dbb7c2f7f47f87a96fc4683750a517c

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.3MB

MD5
4f63b9002845c129f1c90ccc0532dc2b

SHA1
d786f63d1798c5785411bd28c1c285298717d9f6

SHA256
66082411bf39944e9ccaf1c82a6ef6f15b53782c0893c3053f8813533b710c19

SHA512
7ac6a73d7f5e6bfb3d8c2738bf67318892c8e9a1eee16b737f22cb8e35e9590e81721c83dac494ebce1f831c0e27fb88d96820efb93f108ac6a55bd690c7e6d7

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
45KB

MD5
3ec1427e56ec1d94e092d9bd3fd315c9

SHA1
18599d1ce49c7aa69d52f1a6f9da9805c9aacd99

SHA256
fc18aa816f054fd171ddbc90ba1c9fcddec593eb6be8534992ca25ffe2fb0902

SHA512
8a1e27b5f5f0541f1fb817850a09d036a143cf705f8301c000101150f6556aa613c2b075089cb41b0e93ec2103e71be3fe073c7a092068f60777c6a509000607

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
122KB

MD5
e154f0c206f260615edabc04016472e2

SHA1
be885574855df536134ac7462bfe4e093f017280

SHA256
09de38985c9b45b697dbdff655b45c52c0a0ade9744607141d7b2e2f7a21b8e2

SHA512
3d6e2e46b34c862cc42b01a8b26fb553e0b3c32f708c03f4a70c1600d244d9674dd95b08d9c23d9dd0db19278520f103bfc7b30d4161b4986a04d8d01425baf9

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.0MB

MD5
360299ab717264bd355e61f4ac40dcf9

SHA1
1d46439afffd940767132f814b9bcdc4f0c0b53d

SHA256
d277a8ece4c6d78a210fe68e33a804f54bf6b298d17c90b8e2b3a55d7fd35a3d

SHA512
23191d8091231c5abcb9df2e1d6aba24f0e484de9ae1287567172722602dee0765b51de65caa3adfd86f16a5a2d4259d5d4492c954b9b3a8c5988d3676aa5aa8

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
957KB

MD5
2ca62179650e36980fbc1ea1ae6f47f8

SHA1
5d69baff5220ae5391cb26edbaf3ba164f5f0e78

SHA256
c15e2aa241087d25cbd6a7f90f545f5a8739273a61ff0c82d495163e62479211

SHA512
384d26e951213de6ff27132c347f88242c89b7eed85ceeefbb1261cb8455d46296197aa58e5ad1e8af2a25fdd53d808db41abff6619547500270118133d8fd83

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
745KB

MD5
74c465177f32db7c8a0fa18180a7d0f6

SHA1
b105f8e36a4f3c5d7d020381b0335a9197e4365e

SHA256
1cceeb4dfd740638c925ffad26cde3f455fafb27a839b81d176ac7e99d666c3a

SHA512
dd76379dc2bf66b17d731d9611e19258cc2ce206edc517e3e3fc13a54233ad01298b46400c45cc202535bcbe3fb0b2002a47ad39ecf08c6100f88d5e252694bf

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
103KB

MD5
e734f79a514211477ec6e99b3b29b8f5

SHA1
14e096f74385a6ce8889811ca4b32a2da279d545

SHA256
f6f3c15c202fe2f8bb3e9774ae117a76a1e9b8526891d56608040cf131e3aabf

SHA512
09a2b13d2ee00e13d99adfcf061a365d38693e4ae41cd1e06a5d6e769a4ccc8d32a1838b5be2d451f7b46bfcec01434903f55016e37df29cafa76f4de63f5743

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
54fde4d7a8373abc13a285b5e0069874

SHA1
3f86f75ae4a4f1c9e26ba2eb53929602f8c526e6

SHA256
53e8a5890495b13812c6bb8414056af468bcf9a9be113f33fb2c1c57b312ae22

SHA512
5956293a05f72ee125e6e59b53c94c813714e399243d605cfea99476cd9039e8d81d450463b45760abc0ce2286f3fe1ff924b2ac5e3f49773c32a369e67223cb

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
33KB

MD5
37b19ddde0394d67ad1a4cda892bf6d8

SHA1
a4fbef00970061db4f4012de4219faab5f065d80

SHA256
33298b8906b644ce3120e9aab61b07f85da8ad07f433643a7be03bbac0cf8fb9

SHA512
b908485ef833b065e71a65f67ea1a9c5a321837cadbf276f6e2c3cbd88ef05fc402ae272bb7122e8c5bf976e8026cd1ed27bda1e629df3447d19d2617db61342

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
30d56b62c55eca56c20ff2cc4323c054

SHA1
f036fdb21e9773b1cec97be0d450d2dac0ef711f

SHA256
7ecece18790d308e5ec66cfe5f1a57fe896c6c331b82a01430d2d34c63f3d059

SHA512
961b865aaeb4d26b9c5eff28319619d5825001198dbb40647d46999f7525da83aa0cc7ca0c8a9ea3df08cd85c39270ef25ff2df9ec27b98a73df8ffc0e9f3f3a

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
57KB

MD5
ae452d0d8f27c92588fbd58c64061441

SHA1
c03b4d371f5db17eda77dd5648bfef1de29e6e55

SHA256
f50c472e8b4ecd230f19035bf2e59fbe656ca227907fcda48360e42a56bd7e24

SHA512
72e346c3727993bb8305b57057a258d02dd5a9b030dea6511becc67561d70a2ea75b5e4ac61e08789f4c7bfaf99ef8f87fb65650e88f41f04e9afb71ef800466

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
64KB

MD5
396a16e11dcb781f1b40f6b1fbf1bda7

SHA1
c48ef915c1e219530a326f7d913467d9bd08e39e

SHA256
f5c8e2f5988a5bde3fb784f048e4bb1af2ad31341d3d9b778dadca649bc895f7

SHA512
513d4df382daea125e2822aad10cabce7d1a82086b651a11ef939229c5eb55b8c3d78d4524c064095be318f4f159a12d7b0a00f6870e5f401ee2aaea02ef469c

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
859KB

MD5
25d3712db4a72f0471cb4a0fb1be164c

SHA1
750774d5c6ff2dca80f3be5107a215d58702d04a

SHA256
72320a8da972ced66c6fd933d50176ab063a5e8d60b91f0b95665a0ac3b4c82d

SHA512
fdc9faeb4787bed8e511fac0d9af1403a3d2e80f5b432385d084bf53befe6ae8954c4071007d571bb9affc0814847924529ed31eb286bb5bd847c908c01f71ec

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
30KB

MD5
4af17326f7d5eb16be6d7a7d18b2566c

SHA1
43dcc04a606a024f50f60d0d58fc858b5c96dc9c

SHA256
b19107487cda09ebfa7a45c2f7fee07e5dd8ae1c98406bb47416d9a251a71093

SHA512
ad6076484a4f2d8a16e650307bcbc48909f4c05fb34fa10a3ee43b1319c18474cc3d38bbdbb98937ff551cfb4c1841cb9a40d9e4b2c97c88003b921a91af138a

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
ad28a69d49cb72559a4273fe95bc25c5

SHA1
1b1d41f10cf63a62b30b49215edb1bbef72ef66a

SHA256
3c0cda3bc176becfe766b49312c11573ec92cfb0ad1ec570fad01431d6c12c9a

SHA512
2bddaab70136f3d2bc658f4df88ca2bfdbbb2a432dfeed8259dd2fecf6db12402b6c240778e5ec23c544ece002087b1b02b4a8daf724e86eb6970de9bc5f929c

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.0MB

MD5
10ca6b50a5c5843c583d1021d847e142

SHA1
893b310c3b6ee24108a8f53df8c195cd4159a5a0

SHA256
99ad4902a6c85793870c92ce49c899e3fa13cf16ebf86583e214621f156f9114

SHA512
bff9b7cf89c326f09db602299adfcf68e433a45a65b879b7b17a42e6aa11363ee4c3dafadb87a794d00d5111c51536d73b0b24c4058a88c93636b91d81793afe

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
908KB

MD5
dbc5ed4d60c05cd750503c392e1c9ab1

SHA1
1f50ebb3982096813ff834509df13211e1496ee6

SHA256
746deec09d16a6c78dc20fcb09af93d7134bdd1e1a3b4f7d439d9beb796b811e

SHA512
1cb1d3a461e08d5f2e5e1c95520c16dda886dcd0778f29d0880cca122daf056e89942b5e4329668416e12b649c53376989547ba646301108d660e8ade699e059

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
589KB

MD5
c0269d324dc08fcecc7f35f33dc29a36

SHA1
85699a628d087ebfef90bbac3def5a2be5b4d57c

SHA256
54a4e67f19d92cd9a5c8e4d0fd05465910af1c0763716fa9c7924f2a6147c690

SHA512
994c3332b599151f0259dd7c5afb8d2535f9a5d6d95446f82680d471c5eeba4452d164c02833fcd607aa75f70673f3e7cf2c90adec569c1a3de9af599c9a6e8d

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
13KB

MD5
44f15cc35327751ab6e9e9a69a5ab512

SHA1
2dc89d715cdaa5ee97c638e953ac6858f817e09a

SHA256
f0e0eee92f2e7144898e072b14b49491bba892e80f00e0f70c9d241edb064957

SHA512
e9fc6e8d3932a4e8b969bf88fa9f9c3b662875c9764c9f871b9bab71be2fe017d70bbfd25c0dec53edef4bff6bd1020d20f63b8e6dee80b785fd5fb9917e1496

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
ca0e38f4a666d3156eb48b99369ebaec

SHA1
62f75dd559636e754a7f0c3ff95d2f6debd13c85

SHA256
52d72ed763a59904a215631df9bc37a1db9a03f45a32c24df5d7c780b983ecf3

SHA512
4cd17a869554a6b0aef733289e3789dec99ffa38f3e5aec606a6a421b2efcde322d4a00b7b996a7cd3df6472d8bf82540500213cfc1846a31c79622ac6f6cf96

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
775KB

MD5
341debba034650c3fa923e5cc9486b32

SHA1
25378214cdd75c15767fe2d990ea386765a1a949

SHA256
29f655fc1055b6fa1d2e81f5d4d30a897c3485d6f15bcae37ff5f4147ec98b2b

SHA512
5059acd98a8bb6783fd5c99f0239b0e601c267acd41e904a12e6c504d0ebc1ab27f41805481e5233fe11a37a89cbfd203326cd6d19724c0e981cb3a56f7770be

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
8KB

MD5
af095af2de9f3f865f37d9a0e39a55e0

SHA1
d8542775d8803f6bc74636fc9d1d7ee51d1aa140

SHA256
5272de5a018ae8919c9fd29d5eb2ff43faf81231f6f4613114cdfa411becb317

SHA512
2776d663f8fe8ef9b052e1b78ea7c05952088a66f4aa21c5943bf3fab82d623768a04f847ec44e2e3cbf48c22cef4b1d24dbdbc54e805fd922570b801b4755c6

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.0MB

MD5
dd3a53486b0a3c782e36ffbcf01d5609

SHA1
115a808451e642398dd26775c2bb8313c879bd04

SHA256
ee98ef9ede2f9c47107f1df61249c63671988d460d961c2d5d1ce9099e071a6e

SHA512
368c5a6905de51fddf812f6ea3c849e46b0a950acb0ec8077090c7bec0d9b3c59fa23730c1da2ac48e45c35fdee40725796aa8fd484c1e92fbdc3fd099824573

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
79KB

MD5
2d2ffacc684f376e5ae1fa2a663a05dc

SHA1
0260283a60ab643d5a2d4e26b73eeb12b7035256

SHA256
01c73d58af9720b00a7b9210f67ad0297278560d1d54b0dbda3bf2b1182f3315

SHA512
11897881a173fcc104faf6880ee8eff454d718f1455dbed1508209818faf537df3229b5942921c1a0c916541138300ddc579765d605b71def1b3b4fed8c96a2b

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1000KB

MD5
8f9e8c7359e02af2c7a686ae72d42992

SHA1
ba379c4c8b3dc2d3373da46b3f94a8649d2f1297

SHA256
8ced57b5d15bfc8efe843e24ec9a2315adc739e7f1164773aa1ce33a7afd7f05

SHA512
a092c6043aa57a41868183560e98ce68672c7cce468c10db9ab2904aa53e5318f98e00484c9fc25dc3a7a6dc14323492c60e9c0c63ec3c97701bf7528060a106

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
54KB

MD5
8c7b007942fe761c87f5347843b7ad5a

SHA1
c2714f243505ba047bc4ef52cdf26e9fc91ff954

SHA256
a5149d89646f03a1f7ebae04709a71f3c807228e1f73fc83f2b37b238e631f7f

SHA512
d5292342709c3bae64194d95d4925d0cb96bed0cb4cb7bac3ba97031d7fda66afe8b8c5308fc8b284dcaa304efd6d7f8cb9b9ff491dbc14ddec9cef58bb1881f

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.0MB

MD5
d62b23b4f826793a8a84ebb0293b725f

SHA1
63d72fc4815d228aad77957ea0a85f2e90924099

SHA256
9779ff30e5f0bf00db006033666326172a74f9753806576f9592fdfffc5835c7

SHA512
d27ac8a72304215c86c4bf672146fc77193962fb56558b66f5e842a9a1060ae21733233a6469dbde5d01252807c71e415a461ae6ef19f914111a39251918e69b

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
899KB

MD5
a531f10e4c887786e6f957bacda9edbf

SHA1
96888ab8562d4ce6e658cea202c4373598d8b2d4

SHA256
5726c4129f030b02d3c838568697acbf7335d97b9a460bea873b79675bf42cd7

SHA512
4bdf33e3ef2f88054fafefc8ac64d5c349696563858a6384216b99f62d6153f8509d4e43074deb78ea3c1e8d918593337e7025b9d8f77d9a9564f24755945db1

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
872KB

MD5
d50da6693035909b330031e8da0c6a4c

SHA1
3b133fcd021268a48afccc845085be1cb840db9c

SHA256
1e8f2df3884a64b90f8cabe27a43d10d23494f4a2a1a8bf17dfc60a42981f6cd

SHA512
14611c8e123517f0b2a5bbbfdf47a01bbe7be772772324d0ce5ffe3b9185a210692ce5c463c1f250d6cdd4948295a8fbdcc00e397e86ac2db8e7075250cee96d

Download Submit
\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
21KB

MD5
a5c6aa97fd033402c74e94862194836d

SHA1
f902ca182c3498408a6a29e4a659fe89efa706df

SHA256
4725d06027d0cc2dc424b895eedcef85df2de8d5dc6f726513276bbafac5988f

SHA512
6792ce3b5e47757d9a81af5791b23928d839c75d3448e52c1ae31c2bbf7330077210be4de9af85397a0eacdc28e6bd71f3efc2b0b00c5ec03fbe86098a41f0ca

Download Submit
memory/776-167-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/776-166-0x00000000006F0000-0x000000000070E000-memory.dmp

Filesize
120KB

Download
memory/776-164-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/776-174-0x00000000021B0000-0x00000000021E1000-memory.dmp

Filesize
196KB

Download
memory/776-178-0x00000000021B0000-0x00000000021E1000-memory.dmp

Filesize
196KB

Download
memory/776-165-0x00000000006C0000-0x00000000006D1000-memory.dmp

Filesize
68KB

Download
memory/776-163-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/788-182-0x00000000003B0000-0x00000000003CE000-memory.dmp

Filesize
120KB

Download
memory/788-181-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/788-180-0x0000000000230000-0x0000000000268000-memory.dmp

Filesize
224KB

Download
memory/788-179-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/788-175-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1332-71-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download
memory/1332-74-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/1652-156-0x0000000003B80000-0x0000000003B81000-memory.dmp

Filesize
4KB

Download
memory/1684-94-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1684-96-0x0000000002070000-0x00000000020A1000-memory.dmp

Filesize
196KB

Download
memory/1684-88-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1684-116-0x0000000002070000-0x00000000020A1000-memory.dmp

Filesize
196KB

Download
memory/1684-93-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/1684-92-0x0000000000740000-0x000000000075E000-memory.dmp

Filesize
120KB

Download
memory/1684-91-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1880-158-0x00000000004D0000-0x0000000000501000-memory.dmp

Filesize
196KB

Download
memory/1880-153-0x0000000000280000-0x00000000002B8000-memory.dmp

Filesize
224KB

Download
memory/1880-148-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1880-150-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1880-151-0x00000000004B0000-0x00000000004CE000-memory.dmp

Filesize
120KB

Download
memory/1880-149-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1880-157-0x00000000004D0000-0x0000000000501000-memory.dmp

Filesize
196KB

Download
memory/2304-142-0x0000000000460000-0x0000000000471000-memory.dmp

Filesize
68KB

Download
memory/2304-134-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2304-138-0x0000000000480000-0x000000000049E000-memory.dmp

Filesize
120KB

Download
memory/2304-143-0x00000000004A0000-0x00000000004D1000-memory.dmp

Filesize
196KB

Download
memory/2304-141-0x00000000002F0000-0x0000000000328000-memory.dmp

Filesize
224KB

Download
memory/2304-123-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2504-118-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/2512-70-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2512-56-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2512-72-0x0000000000540000-0x000000000055E000-memory.dmp

Filesize
120KB

Download
memory/2512-69-0x00000000002C0000-0x00000000002F8000-memory.dmp

Filesize
224KB

Download
memory/2512-73-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2556-139-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/2560-50-0x0000000000490000-0x00000000004A1000-memory.dmp

Filesize
68KB

Download
memory/2560-52-0x00000000003A0000-0x00000000003D8000-memory.dmp

Filesize
224KB

Download
memory/2560-32-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2560-177-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2560-49-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2560-51-0x00000000004C0000-0x00000000004DE000-memory.dmp

Filesize
120KB

Download
memory/2560-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2688-115-0x0000000000590000-0x00000000005AE000-memory.dmp

Filesize
120KB

Download
memory/2688-133-0x0000000002180000-0x00000000021B1000-memory.dmp

Filesize
196KB

Download
memory/2688-117-0x00000000003C0000-0x00000000003F8000-memory.dmp

Filesize
224KB

Download
memory/2688-113-0x0000000000550000-0x0000000000561000-memory.dmp

Filesize
68KB

Download
memory/2688-112-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2688-120-0x0000000002180000-0x00000000021B1000-memory.dmp

Filesize
196KB

Download
memory/2688-109-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2776-154-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/2904-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2904-169-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2904-19-0x00000000002C0000-0x00000000002D1000-memory.dmp

Filesize
68KB

Download
memory/2904-168-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2904-20-0x0000000000300000-0x000000000031E000-memory.dmp

Filesize
120KB

Download
memory/2904-14-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2904-28-0x0000000000320000-0x0000000000351000-memory.dmp

Filesize
196KB

Download
memory/2904-11-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads