66082411bf39944e9ccaf1c82a6ef6f15b53782c0893c3053f8813533b710c19

Analysis

max time kernel
37s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10/01/2024, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f63b9002845c129f1c90ccc0532dc2b.exe
Size

1.3MB
MD5

4f63b9002845c129f1c90ccc0532dc2b
SHA1

d786f63d1798c5785411bd28c1c285298717d9f6
SHA256

66082411bf39944e9ccaf1c82a6ef6f15b53782c0893c3053f8813533b710c19
SHA512

7ac6a73d7f5e6bfb3d8c2738bf67318892c8e9a1eee16b737f22cb8e35e9590e81721c83dac494ebce1f831c0e27fb88d96820efb93f108ac6a55bd690c7e6d7
SSDEEP

24576:XLQorMNmCi/aa0UdHF7yRA3OzirGC/un56N2IbaNzNcJoJi:XcUMN+qiHOA3O2GC/unMN2Qsi

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 20 IoCs

pid	Process
3552	B820A2.EXE
4456	B820A2.EXE
1772	B820A2.EXE
2200	B820A2.EXE
3568	B820A2.EXE
3156	B820A2.EXE
5028	explorer.exe
4228	B820A2.EXE
4784	B820A2.EXE
4932	B820A2.EXE
4256	explorer.exe
3076	B820A2.EXE
5292	B820A2.EXE
5436	B820A2.EXE
5628	B820A2.EXE
5864	B820A2.EXE
6036	B820A2.EXE
2712	B820A2.EXE
5464	B820A2.EXE
5960	B820A2.EXE

Loads dropped DLL 64 IoCs

pid	Process
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3552	B820A2.EXE
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
4456	B820A2.EXE
4456	B820A2.EXE
4456	B820A2.EXE
4456	B820A2.EXE
4456	B820A2.EXE
4456	B820A2.EXE
4456	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
5028	explorer.exe
5028	explorer.exe
5028	explorer.exe
5028	explorer.exe
5028	explorer.exe
5028	explorer.exe
5028	explorer.exe
4228	B820A2.EXE
4228	B820A2.EXE
4228	B820A2.EXE
4228	B820A2.EXE
4228	B820A2.EXE
4228	B820A2.EXE
4228	B820A2.EXE
4784	B820A2.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 20 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	explorer.exe
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	4f63b9002845c129f1c90ccc0532dc2b.exe
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	explorer.exe
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	B820A2.EXE
File opened for modification	\??\PhysicalDrive0	explorer.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	4f63b9002845c129f1c90ccc0532dc2b.exe
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	4f63b9002845c129f1c90ccc0532dc2b.exe
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	explorer.exe
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	explorer.exe
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\	B820A2.EXE
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	explorer.exe
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	explorer.exe
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B5A29B\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	explorer.exe
File created	C:\Windows\SysWOW64\B3A6A3\B820A2.EXE	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\3CA4E3\	B820A2.EXE
File opened for modification	C:\Windows\SysWOW64\D42343\	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious behavior: AddClipboardFormatListener 17 IoCs

pid	Process
1836	explorer.exe
908	explorer.exe
992	explorer.exe
932	explorer.exe
2148	explorer.exe
4336	explorer.exe
3204	explorer.exe
1492	explorer.exe
1560	explorer.exe
4756	explorer.exe
804	explorer.exe
5028	explorer.exe
5328	explorer.exe
5472	explorer.exe
5636	explorer.exe
5892	explorer.exe
6052	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3124	4f63b9002845c129f1c90ccc0532dc2b.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
3552	explorer.exe
1836	explorer.exe
1836	explorer.exe
4456	B820A2.EXE
4456	B820A2.EXE
4456	B820A2.EXE
4456	B820A2.EXE
4456	B820A2.EXE
4456	B820A2.EXE
908	explorer.exe
908	explorer.exe
1772	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
1772	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
2200	B820A2.EXE
932	explorer.exe
932	explorer.exe
992	explorer.exe
992	explorer.exe
3568	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
3568	B820A2.EXE
2148	explorer.exe
2148	explorer.exe
3156	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
3156	B820A2.EXE
5028	explorer.exe
5028	explorer.exe
5028	explorer.exe
5028	explorer.exe
5028	explorer.exe
5028	explorer.exe
4336	explorer.exe
4336	explorer.exe
3204	explorer.exe
3204	explorer.exe
4228	B820A2.EXE
4228	B820A2.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3124 wrote to memory of 4444	3124	4f63b9002845c129f1c90ccc0532dc2b.exe	91
PID 3124 wrote to memory of 4444	3124	4f63b9002845c129f1c90ccc0532dc2b.exe	91
PID 3124 wrote to memory of 4444	3124	4f63b9002845c129f1c90ccc0532dc2b.exe	91
PID 3124 wrote to memory of 3552	3124	4f63b9002845c129f1c90ccc0532dc2b.exe	93
PID 3124 wrote to memory of 3552	3124	4f63b9002845c129f1c90ccc0532dc2b.exe	93
PID 3124 wrote to memory of 3552	3124	4f63b9002845c129f1c90ccc0532dc2b.exe	93
PID 3552 wrote to memory of 4520	3552	explorer.exe	140
PID 3552 wrote to memory of 4520	3552	explorer.exe	140
PID 3552 wrote to memory of 4520	3552	explorer.exe	140
PID 3552 wrote to memory of 4456	3552	explorer.exe	95
PID 3552 wrote to memory of 4456	3552	explorer.exe	95
PID 3552 wrote to memory of 4456	3552	explorer.exe	95
PID 4456 wrote to memory of 676	4456	B820A2.EXE	97
PID 4456 wrote to memory of 676	4456	B820A2.EXE	97
PID 4456 wrote to memory of 676	4456	B820A2.EXE	97
PID 4456 wrote to memory of 1772	4456	B820A2.EXE	103
PID 4456 wrote to memory of 1772	4456	B820A2.EXE	103
PID 4456 wrote to memory of 1772	4456	B820A2.EXE	103
PID 1772 wrote to memory of 396	1772	B820A2.EXE	126
PID 1772 wrote to memory of 396	1772	B820A2.EXE	126
PID 1772 wrote to memory of 396	1772	B820A2.EXE	126
PID 1772 wrote to memory of 2200	1772	B820A2.EXE	100
PID 1772 wrote to memory of 2200	1772	B820A2.EXE	100
PID 1772 wrote to memory of 2200	1772	B820A2.EXE	100
PID 2200 wrote to memory of 4412	2200	B820A2.EXE	106
PID 2200 wrote to memory of 4412	2200	B820A2.EXE	106
PID 2200 wrote to memory of 4412	2200	B820A2.EXE	106
PID 2200 wrote to memory of 3568	2200	B820A2.EXE	105
PID 2200 wrote to memory of 3568	2200	B820A2.EXE	105
PID 2200 wrote to memory of 3568	2200	B820A2.EXE	105
PID 3568 wrote to memory of 1576	3568	B820A2.EXE	107
PID 3568 wrote to memory of 1576	3568	B820A2.EXE	107
PID 3568 wrote to memory of 1576	3568	B820A2.EXE	107
PID 3568 wrote to memory of 3156	3568	B820A2.EXE	109
PID 3568 wrote to memory of 3156	3568	B820A2.EXE	109
PID 3568 wrote to memory of 3156	3568	B820A2.EXE	109
PID 3156 wrote to memory of 1296	3156	B820A2.EXE	111
PID 3156 wrote to memory of 1296	3156	B820A2.EXE	111
PID 3156 wrote to memory of 1296	3156	B820A2.EXE	111
PID 3156 wrote to memory of 5028	3156	B820A2.EXE	131
PID 3156 wrote to memory of 5028	3156	B820A2.EXE	131
PID 3156 wrote to memory of 5028	3156	B820A2.EXE	131
PID 5028 wrote to memory of 4872	5028	explorer.exe	116
PID 5028 wrote to memory of 4872	5028	explorer.exe	116
PID 5028 wrote to memory of 4872	5028	explorer.exe	116
PID 5028 wrote to memory of 4228	5028	explorer.exe	119
PID 5028 wrote to memory of 4228	5028	explorer.exe	119
PID 5028 wrote to memory of 4228	5028	explorer.exe	119
PID 4228 wrote to memory of 4256	4228	B820A2.EXE	134
PID 4228 wrote to memory of 4256	4228	B820A2.EXE	134
PID 4228 wrote to memory of 4256	4228	B820A2.EXE	134
PID 4228 wrote to memory of 4784	4228	B820A2.EXE	122
PID 4228 wrote to memory of 4784	4228	B820A2.EXE	122
PID 4228 wrote to memory of 4784	4228	B820A2.EXE	122
PID 4784 wrote to memory of 396	4784	B820A2.EXE	126
PID 4784 wrote to memory of 396	4784	B820A2.EXE	126
PID 4784 wrote to memory of 396	4784	B820A2.EXE	126
PID 4784 wrote to memory of 4932	4784	B820A2.EXE	124
PID 4784 wrote to memory of 4932	4784	B820A2.EXE	124
PID 4784 wrote to memory of 4932	4784	B820A2.EXE	124
PID 4932 wrote to memory of 2712	4932	B820A2.EXE	152
PID 4932 wrote to memory of 2712	4932	B820A2.EXE	152
PID 4932 wrote to memory of 2712	4932	B820A2.EXE	152
PID 4932 wrote to memory of 4256	4932	B820A2.EXE	134

C:\Users\Admin\AppData\Local\Temp\4f63b9002845c129f1c90ccc0532dc2b.exe
"C:\Users\Admin\AppData\Local\Temp\4f63b9002845c129f1c90ccc0532dc2b.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3124
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\4f63b9002845c129f1c90ccc0532dc2b
  2⤵
  PID:4444
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3552
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:676
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1772
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:4520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
C:\Windows\system32\B3A6A3\B820A2.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
  C:\Windows\system32\B3A6A3\B820A2.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B3A6A3\B820A2
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
    C:\Windows\system32\B3A6A3\B820A2.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B3A6A3\B820A2
      4⤵
      PID:1296
  - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
      C:\Windows\system32\B3A6A3\B820A2.EXE
      4⤵
      PID:5028
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        5⤵
        
        PID:4872
    - - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4228
      - C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4784
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        7⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        8⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        8⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        9⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        9⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        10⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        10⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:5292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        11⤵
        
        PID:5372
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:5436
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        12⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        13⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        14⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:6036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        15⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        16⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:5464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        17⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        17⤵
        Executes dropped EXE
        
        PID:5960
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        18⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        18⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        19⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        19⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        20⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        20⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        21⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        21⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        22⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        22⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        23⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        23⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        24⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        24⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        25⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        25⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        26⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        26⤵
        
        PID:7060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        27⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        27⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        28⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        28⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        29⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        29⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        30⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        30⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        31⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        31⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        32⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        32⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        33⤵
        
        PID:6216
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        33⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        34⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        34⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        35⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        35⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        36⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        36⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        37⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        37⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        38⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        38⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        39⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        39⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        40⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        40⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        41⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        41⤵
        
        PID:7868
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        42⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        42⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        43⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        43⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        44⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        44⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        45⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        45⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        46⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        46⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        47⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        47⤵
        
        PID:1264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        48⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        48⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        49⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        49⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        50⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        50⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        51⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        51⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        52⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        52⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        53⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        53⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        54⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        54⤵
        
        PID:8476
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        55⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        55⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        56⤵
        
        PID:9160
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        56⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        57⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        57⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        58⤵
        
        PID:9024
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        58⤵
        
        PID:9056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        59⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        59⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        60⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        60⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        61⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        61⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        62⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        62⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        63⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        63⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        64⤵
        
        PID:636
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        64⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        65⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        65⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        66⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\B3A6A3\B820A2.EXE
        
        C:\Windows\system32\B3A6A3\B820A2.EXE
        66⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        7⤵
        
        PID:396
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B3A6A3\B820A2
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4256
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\B3A6A3\B820A2
  2⤵
  PID:4412

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\B3A6A3\B820A2
1⤵
PID:396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:5328

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:5472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:5636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:5892

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:6052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3892

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5692

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3476

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6476

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7764

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
77KB

MD5
0dafb90f482941192c67ad0cb642ff12

SHA1
3ed46989202a31bd292f497e18a9eafa6316428e

SHA256
44f9905d70b973b04ac4ca2b3fc4db727f80721cf533c0e1b361ce14fec580db

SHA512
8f3bbc689a5d7aea336152d873b69a34def21306d2262a73a1925402e174a6bda1a549150c450b751c66cc84a288c2e5b043ad509c83e947f0d2775c488a10f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
36KB

MD5
dc85a1ea293933d1ef3d3b30e847252b

SHA1
d28c2e50efadeb8d32fafc6b78b1b66113787952

SHA256
f1ddd6605be56576e02c5ba7c5b3806d0cf47bba5034bc83fcca681d6d4096c6

SHA512
a6978b2b2b0d2a62ec59de2678e62027d91a940edd9e67e6338ab188e57fa9cc168f00db1246c57234deaa0f3bd6c1741bd82eb104cf0ceee71c63a76a9c481d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
54fde4d7a8373abc13a285b5e0069874

SHA1
3f86f75ae4a4f1c9e26ba2eb53929602f8c526e6

SHA256
53e8a5890495b13812c6bb8414056af468bcf9a9be113f33fb2c1c57b312ae22

SHA512
5956293a05f72ee125e6e59b53c94c813714e399243d605cfea99476cd9039e8d81d450463b45760abc0ce2286f3fe1ff924b2ac5e3f49773c32a369e67223cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
106KB

MD5
34301c116f4f19d898ace841a7748d10

SHA1
95e7e97d010a565f867ca779fb228dccff96838c

SHA256
ff7f704689ac9c6b574c68a8fff71383c51a504a247c79d159b48c1199d58cd2

SHA512
4dd237737c2677881926b169a8d6133269caac7a24a28e7736731c5ef75046a1836abf94113e0c60c6372f4aa21501e573e20d796da6bd32b5766e838df061e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
76KB

MD5
613457d583af1040338258dc91841733

SHA1
85d3db7852825778727375f507411d192f1ddee9

SHA256
7f3b09ef863c068e2792fa8f363cb99fef07abd2593214bcdeebc670dc5e9b32

SHA512
510ad59dabb72c27054c707d76d9a402d88e4064714a8782ffe6443041490761313d4b25b183a0d38b3b26a3b4952d183bf7de0b63f4defe34dece4fa312f5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
180KB

MD5
56c066cfcb6e4ddf4beed09fe5a3c3b6

SHA1
b455b3e14793279707f256bacf40a36878c4fb40

SHA256
5e92b3db44667451ecb3d680350e7a81f3988493d68c17a2d3e1f71e9f23eed6

SHA512
77639f233481be7bd3caa2e0b9e6192599d0ba9b1e20be1a8fc94f178e7a5b0b807bce9949cfcef3db97c50615bcc93be1d18cb832841d9715c40a684062e774

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
43KB

MD5
bcffb14f2c84283e3eca0cc8f5d5bb1c

SHA1
1bda0f7ba57c2617fb9730722a73367439a8f3f9

SHA256
477c1b1c27734f0392b7705c08640464d3a5c220bc34a9be472a0ce932590907

SHA512
a03a41463be17b091fa71548dfa26b629d24bcfea966d64e17a231e2ade4212c4a3692c3aef8334d59f3d5d9b64c8c6aa27e908c107f304d563dd8123cf9c99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
30KB

MD5
8c18b8911845a97dd9ab400861ddefe9

SHA1
be7afe03dcabc6bbb7141b42082f1bdb06d5e4e5

SHA256
466db0619f3848e37df12dbeef6a1948f135552baec5ad019b0b2fc098c14cac

SHA512
4b1ece8f9fe6acd8f0473c0757d0ad6f9bb36ad8edf6b4d3a1c7c13fda38d8c8fa0fa5e5632e7cacdf2232ac274e86885fca2f7a2007c9dc6ac9ab48c0ace193

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
4KB

MD5
098a30bf3ba66d2b5e1b588d344d195e

SHA1
2ab28440b6ca9a0a1d3745241aed7208545980d9

SHA256
b6ceb1a7d69845dd7ee9581cd0c72fe383f815e73f223c05b50ff89b6adb50a2

SHA512
5b8a2837cc6d8a666094653157acff48087436432099745fd7052e40ac12c54ab2b28830a0b63bf36ad53ce8210f563e1f55a0fef371b53be0fe0c959a7e9eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
8aa2a84ef3844ecd1cf9a788265b7f6b

SHA1
919d23ccfc02c27318281dae2b43900b9bcbe0c3

SHA256
afdaf830326a61053d3efa16fca809828f82adc628d4530b61ff89b99bcd6510

SHA512
2b79ce934b95466cf300ea5d3a67337e6285d4b9063991f42345ab4a86166a7cd0192f869b230d5609c733787aaa76a0a59009b34e443b3a198009de3502b142

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
30d56b62c55eca56c20ff2cc4323c054

SHA1
f036fdb21e9773b1cec97be0d450d2dac0ef711f

SHA256
7ecece18790d308e5ec66cfe5f1a57fe896c6c331b82a01430d2d34c63f3d059

SHA512
961b865aaeb4d26b9c5eff28319619d5825001198dbb40647d46999f7525da83aa0cc7ca0c8a9ea3df08cd85c39270ef25ff2df9ec27b98a73df8ffc0e9f3f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
4KB

MD5
583750d891a0ab321cf7fef3379f4726

SHA1
e7bfd9718d6585722f3f49797597a55bf2abcb61

SHA256
f7b8d7386dc81d07bdfd5b03503bce392e1187d4e3ef756034ab8eaeaa35f6dd

SHA512
92520e8bbc78b7b99b8635a6557383eb84662b3d120c464fd973ee6288d27f250af20270f0c7e1b22f7c000433252a98815ad1641231b6dc73e66d43be8dbf94

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
33KB

MD5
a85fd67dba0889f29ae62e415af664e0

SHA1
3629ccc13327eddc67b34ad8a96b407cd78ce0e3

SHA256
443331ff526fef6b37722b7a15496c320b2f2fd3e4348c94e6f1a86572592a6e

SHA512
e002df02caebe33fe8b683dd5d8b7b3667b55ed025cace0b25381b95ee7541e6931b17ad27a895a29b51cd5be766d55de710351ee7ed2f754c5a7679b7c05eaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
21KB

MD5
84750853f2148c3a95848ac4f47250a1

SHA1
f5d728d0c93efd65333f3411bf33d7e33fee47ad

SHA256
624e3849aca6204f235b16af8850e209f7e97ced1b4ac1eb3c415f33b6fc0d21

SHA512
f120ffd860ef545038b47a7948d70d6e04afa371e9f522ce82567f91e5eefd214fedb1cd2ac9786149e1395731933791dd0ac1f9b5b9c7fcc191bacf354ea976

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
67KB

MD5
a424492d96a7776aa3dec875b8881ede

SHA1
e7d280969a66a9fe6ae76b71f2ba11913aa8b961

SHA256
ccd468289ca397c638bc2ed5bde69b452b92135b3cc11de7a5c83868dcba031d

SHA512
89a01a7e2b8e697ffaf2b5e14b0aecce1b231bde0b7ba2eb741329cafa1a23c0f9074b049df17f40d0c46a5ccf434a239b5d7abfcefc5e6073510d20b9f57673

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
148KB

MD5
5091e28bead3632c71ffc3abed35f209

SHA1
7396501978f72023ac14ecf7835c3bd403e469cf

SHA256
f663c4dcde0fe247f244844988eeaf24b8f5ac068770e0ca39cd14f56a1070b6

SHA512
555f84107d553b26447815ea0a3db0967e3c07e985585426936644ea5894afac99cf5b2cd8f9e6e1f14467f1a3624d1ec75344ac05c35b2c93f8bcf449afc71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
288KB

MD5
511e2830cc9417b2717c18d6fa67296d

SHA1
4d2dcd6c7cbba8f35fefa3d9b81e5fa6be4d6a3e

SHA256
916e07ab1000ce46ca4678a4108712c30e22e32b4923007ca92df769aa15d8ec

SHA512
a1d6415044bdc2a02fe483c1133354d524b56d8ea28302010c90937937c96513e258599443e345df4fa076f283c04be0f12fc06a434b7d848b5866d726b68884

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
4e6d281f1dcfcfa7a048b721a8ff5867

SHA1
0206fea20b3c6350712b38454777c1f0235d5fa9

SHA256
e0834c7c5806d0a0383a2b408fbf11aa70e6ee5c6c84b5eaec71d0b0c7b389f0

SHA512
20bcd8c7f688fed57d2b45399fe7e59b5da55d9ad18efa13c654206aa87350d8527e541b60179682c2ff0bb05a008e4218058dc718dcb519302b15baff09f944

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
19KB

MD5
75ce78c93517151041dc9b0b8310983a

SHA1
9cd5dfa4a7ff23d47a4afb317bddcf3bc4d2c016

SHA256
d7cf23e45b2ce353e1a3ad9fa28a06dd10eda55226328287c997570ada5a8487

SHA512
3afb5bcb7975ff45b77d4a753dddef79c88cff2d9d7b9f4ae285da093c305325fa816b3e5589234147bfb91a85670152901de0676a93c1cd296c847762c19d75

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
137KB

MD5
2d93fbb0ae611a6cde2c461dd26994c4

SHA1
e1381a3b7b5a937d86dd176a3e3a2e8f87b52179

SHA256
9b82c732d141755940878524744662e460fbde7a4e26b09d2d24f149c2595ed6

SHA512
cc49880ef183096378878f87675ebeea3260765cdbee2ce925b82c3bffd77e44c2be347ccc8f4b8fd81d8a1b820fef0fc8e72a4a467957650b48befb0fefe109

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
47KB

MD5
585987072c49808eb4914acf8038d004

SHA1
5f6dddf82d7234468c57a6f77da2bb00d61b819d

SHA256
c3570687e4584b400cadf40e5b4fdf4efe9d2bfda6b6c646424d8a24ad3444ae

SHA512
1c4ec3cb5e77a882056b287b67de601d2c0b34b4a5769bec5f83f49e7a6741de8bf2d7c706947d06f7397290f75e3d0ae2a6b47b27002586d0f3c5a00578a22f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
c60e785fb00f7a6849f6fad4d3358b85

SHA1
fce7c0ff96c477328cd17f727386648166de1b77

SHA256
0af7861b9a2eb32c0ac639d296bd77090ac50a2cc0f194fd9021aecab816546a

SHA512
1e1cc0e774f238c7696f4dc72844f1661396e795670d4470f8916f3660930a80e38e3c3db9de489f82eab44db8228eca2ff8496713651a722f5b8936ceaeb0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
179KB

MD5
6c6d1c0a4448ad80c26125b0bbff3aad

SHA1
59768ebcec9a52bc24e373207ee812d5d2383e34

SHA256
d9f5d629aeffa5212cec866acda108066dbd0a547be86212cdb35457f15658bb

SHA512
6a8c937ed7e7153a38edbdf6887a2bab20d62d5723032954bd60bc08d6dd1d3b6b4e1b28fe1636b4b7e15a0d50c63505c05eaf0c5a69b526b4052969f5271b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
36KB

MD5
e7f799101e1b383b22c04c5d7e80a7e3

SHA1
6de2a781516a440447c751cbe7ff74258dfcc62e

SHA256
a2265e9525b9666ab38a32da76e6195491f648c199b9c6b53eb5ed32af2ba6a2

SHA512
cfd0f3f830926dcee3642014d76d1e35b591822b2b63476c50c782c2b7b8791a3284ad1ae0f9165e4f0a873e6c17c533321f7400ea4b4e00388c8e86e0dda28d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
496KB

MD5
1770a27339de854601df8daff9b21128

SHA1
e3dcf2380ae05b969b0036167a30d7a5a803e7ba

SHA256
7b73127bdd726b6365477eff7912a603875cafe70b78bc89e70e843cebfd3205

SHA512
116e658768e415716d0dccc4432e5c2f9bf3a0d837d1beca89ce0d92e36a49078342f2d48c8727f9f017f7b1d984b9442a03140bfaeb2b23862b96c8aad0dca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
423KB

MD5
b2570ad25379f0f82b9264413e3a1d02

SHA1
c4f85d01400088afed604d9a9460f9c8d47d42d1

SHA256
f5034e8bedf515df513eb56fb91381282f389e45854303f5535eae6ac720fedc

SHA512
293f628a6c589ff0a5ee294692bdbcf9ab3eb676f4419f849c5d700d3d2e0f25f99167bb89b70d64e4aecad06622153212ad2bd35e03a32ca50ebd95e12f81bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
147KB

MD5
9da4e0b675456e127148f1caebf2e30d

SHA1
cfc368458d42fc52252d41bf3e2ae917c250d5aa

SHA256
b6dafda8021eaadd86e8b1f65d945b88fca23fd891378da6574506491762eab9

SHA512
c26210536245f65ac15a83fbf0cfad343f9fc66b28097619b39917379376ad938bfc866bb7b94d133038b97e8c1dbfd5d5275014e62a92f4e0b4561036883d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
ad28a69d49cb72559a4273fe95bc25c5

SHA1
1b1d41f10cf63a62b30b49215edb1bbef72ef66a

SHA256
3c0cda3bc176becfe766b49312c11573ec92cfb0ad1ec570fad01431d6c12c9a

SHA512
2bddaab70136f3d2bc658f4df88ca2bfdbbb2a432dfeed8259dd2fecf6db12402b6c240778e5ec23c544ece002087b1b02b4a8daf724e86eb6970de9bc5f929c

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
30KB

MD5
155c032458d4696147a660f4e66f8815

SHA1
e1a1ad5a77f377b98eef7448efee99a0ba44ce03

SHA256
1830b2bd34e4b31c80cb93e683b9c5b555ac16e45cf599720b8e85e6894f20ff

SHA512
eedb2dff9af812b3951667d2417525375005d1af005bc4b52f363e3632a30dfa730494bfe6db2493b3fc65c29cfe93d5e2d038a9749e0f9a5299c68962b87f47

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
ca0e38f4a666d3156eb48b99369ebaec

SHA1
62f75dd559636e754a7f0c3ff95d2f6debd13c85

SHA256
52d72ed763a59904a215631df9bc37a1db9a03f45a32c24df5d7c780b983ecf3

SHA512
4cd17a869554a6b0aef733289e3789dec99ffa38f3e5aec606a6a421b2efcde322d4a00b7b996a7cd3df6472d8bf82540500213cfc1846a31c79622ac6f6cf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
4KB

MD5
76baf1df51174f1e7bb867f89b175641

SHA1
3b74a84d52c4529b1ea8de506eac047bfe0cc36a

SHA256
ea9bb635c1597e0e29164f851c6b5053c28551d68a3f3beb6e5e50d39c9f784f

SHA512
ab3ac42505d162895760521a1134fb162dbed47cbda5489bd9415c026d9823dc206f04381574f07b8d75d256f9860a5d3096e0817efdb342d0934a26ee96c7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
32KB

MD5
5756486164757415aab1c01ba2c3e4a1

SHA1
c1bd744921580f00ceb3e7a275e4ffb575761f9e

SHA256
44fd5013f9f3745083d96716d371dbbfb1f20941af41ee8a67edc05733d691d6

SHA512
e2db106eeb564409a948d5da187681c0f17dabcc62a131e0ac60a6fed467cbf1abd54d074f8446a7dc4be7053d631524b7d2ce141bfa791e218769e56de33edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
10KB

MD5
3a6e23a1d2f1d9cadf9e5d8fb4fd2c5c

SHA1
5b7f4da11b16201bbb8683628326c09c46982b89

SHA256
2957e8d33b2c1741a9ca464df831728d0939a2502555ada73e5d0931b6977ac4

SHA512
b9166a06fae21ad80dcec7873eaa42017c0ec35cb5ce0b60e2376268871ceb1cae9919a7548e1bf3fa1a4ac1f339da70fbdf2cc9c4b4ce2632796ab717c3b9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
65bf4f2f88ae37d0b3fb139427fc9eeb

SHA1
14d3eb82e15bef7d72105011ae25808abd3be751

SHA256
ee3061a6ebe8f1b3e78b893715369443aa4d7ea253055668fa31927233be03a7

SHA512
cca6da28015c45c0da80f20c6791bb116e9c3cde227e7bc99b2f3619b0337e761fa44c53423f752e32eabc99e4131cc84c71ae071dd652eb4eb75bd1e9d79713

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
14KB

MD5
933a6b533ce5f5e4971d55009a757677

SHA1
f27f27c9dfb78078b8aaab2bccefe4b22bc3a764

SHA256
2be8dc1d811c71243acbd970a6984db831daae2de2bfb4e4171aa5344a6c6495

SHA512
93c13f90dcbbdfb67d0107cdcc042412ed6ab1c4fb4c0cdfc113aea4b4450ea5c8fb9e35fccefc4e6b47a621ab4fb41a3dbc4df9e96726bc84e6d3081f546f08

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
23KB

MD5
4874eb2079524572bb6985ce10b22b6d

SHA1
96e79b16c1fb54d50a614a9425bf00b7b2a99ac3

SHA256
512e8bea0a626722132c6c9bc65fd3a4c28f8012a8db6b2cd8820992835ed1e6

SHA512
62094afbf34d1066fd871e436cb08dbc00eedeb8a6a052bb73f1ec3a737d03fc452b48d6566a7a30397a9a57e0150bb2cfafb021dc815f8da4250e9110943392

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
365KB

MD5
e7d3e436d070883ea669c273e86068ab

SHA1
d366778b5e3ea4788fd53540166e2d241f70ae56

SHA256
f610f85859a8acbd8ad50b0cf24dfc998947b95f055861c1ae1d6bc3762da7a4

SHA512
1d34edd8115aa4eb70f1065e4d54e40376e32093517d26ab5c124496b36a720049e2b2b8cb005def9e467ba4456a85cdb452139fc69df29a393bd41ec7666d8f

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
1.3MB

MD5
4f63b9002845c129f1c90ccc0532dc2b

SHA1
d786f63d1798c5785411bd28c1c285298717d9f6

SHA256
66082411bf39944e9ccaf1c82a6ef6f15b53782c0893c3053f8813533b710c19

SHA512
7ac6a73d7f5e6bfb3d8c2738bf67318892c8e9a1eee16b737f22cb8e35e9590e81721c83dac494ebce1f831c0e27fb88d96820efb93f108ac6a55bd690c7e6d7

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
409KB

MD5
7076d36272ad5686654f0ec5d2e66fe0

SHA1
d03a63108f33dba7b6afd899287c422b9164ad4d

SHA256
3d25601858fcafae4e0b8b14d58080fc764aba959c7b3efe509d0a6b34fe71c4

SHA512
b5b4d4b6d8a624705ed70205d69fe648377cc497f5e176e1d418cb1ecb00ccfba14f9af2f2905b985bb2066243be0df3604e61c425e14126b51bd8345241d7ca

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
517KB

MD5
981d59e50dc2fbe521c43f26203089b4

SHA1
9f7e4488bd50b6a71aa9245a709cda6ae96d4467

SHA256
8c809610a54f2d140787297fdcc5881436b8b8adc9f125659339277b1a12d182

SHA512
2c8e0ae2eb2b80b0bf167abb891c23687787a93cdb6349e04f431ef2f7e986d6499da57dbe6a6f0a6d82cb0b2808e56ca929a1e5f27769c90655bad75bea7f4e

Download Submit
C:\Windows\SysWOW64\B3A6A3\B820A2.EXE

Filesize
154KB

MD5
5c516a5e885cfd25be56fbf48860ab8f

SHA1
4ca947cf6ab4ea6e1bc069e0be86b201a4803688

SHA256
aa10cf2983b702590041c77b19003f5a27b3de4c4fafe5d582377f7b6cf394ae

SHA512
7d02644cb376807d3d7aa96d6c79e8e14ba2d3c5b4c0e3f6f5d13013b1c3571eff9c37d8c7b6366f6cd0b09c92c6fe5dce6e6bd257bbd32251d956150fbdda69

Download Submit
memory/1772-82-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1772-127-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1772-101-0x00000000029E0000-0x00000000029FE000-memory.dmp

Filesize
120KB

Download
memory/1772-95-0x0000000002420000-0x0000000002458000-memory.dmp

Filesize
224KB

Download
memory/1772-92-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1772-100-0x0000000002860000-0x0000000002871000-memory.dmp

Filesize
68KB

Download
memory/1772-131-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2200-118-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2200-120-0x0000000002190000-0x00000000021C8000-memory.dmp

Filesize
224KB

Download
memory/2200-121-0x0000000002390000-0x00000000023A1000-memory.dmp

Filesize
68KB

Download
memory/2200-119-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2200-157-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2200-124-0x00000000023B0000-0x00000000023CE000-memory.dmp

Filesize
120KB

Download
memory/3124-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3124-128-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3124-10-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3124-24-0x00000000026D0000-0x00000000026E1000-memory.dmp

Filesize
68KB

Download
memory/3124-18-0x00000000023C0000-0x00000000023F8000-memory.dmp

Filesize
224KB

Download
memory/3124-132-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3124-30-0x00000000026F0000-0x000000000270E000-memory.dmp

Filesize
120KB

Download
memory/3156-154-0x0000000002750000-0x0000000002761000-memory.dmp

Filesize
68KB

Download
memory/3156-156-0x00000000028C0000-0x00000000028DE000-memory.dmp

Filesize
120KB

Download
memory/3156-155-0x00000000028C0000-0x00000000028DE000-memory.dmp

Filesize
120KB

Download
memory/3156-176-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3156-177-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3156-152-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3156-149-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3156-153-0x0000000002330000-0x0000000002368000-memory.dmp

Filesize
224KB

Download
memory/3552-130-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3552-59-0x0000000002310000-0x000000000232E000-memory.dmp

Filesize
120KB

Download
memory/3552-58-0x00000000022E0000-0x00000000022F1000-memory.dmp

Filesize
68KB

Download
memory/3552-126-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3552-36-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3552-57-0x00000000020A0000-0x00000000020D8000-memory.dmp

Filesize
224KB

Download
memory/3552-50-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3568-146-0x00000000023F0000-0x000000000240E000-memory.dmp

Filesize
120KB

Download
memory/3568-144-0x00000000021D0000-0x00000000021E1000-memory.dmp

Filesize
68KB

Download
memory/3568-167-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3568-168-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3568-141-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3568-142-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3568-145-0x00000000023F0000-0x000000000240E000-memory.dmp

Filesize
120KB

Download
memory/3568-143-0x0000000002140000-0x0000000002178000-memory.dmp

Filesize
224KB

Download
memory/4228-174-0x0000000000530000-0x0000000000568000-memory.dmp

Filesize
224KB

Download
memory/4228-178-0x00000000026C0000-0x00000000026DE000-memory.dmp

Filesize
120KB

Download
memory/4228-173-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4228-175-0x0000000002510000-0x0000000002521000-memory.dmp

Filesize
68KB

Download
memory/4228-179-0x00000000026C0000-0x00000000026DE000-memory.dmp

Filesize
120KB

Download
memory/4456-129-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4456-125-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-79-0x0000000002F50000-0x0000000002F6E000-memory.dmp

Filesize
120KB

Download
memory/4456-78-0x00000000027A0000-0x00000000027B1000-memory.dmp

Filesize
68KB

Download
memory/4456-70-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4456-80-0x0000000002F50000-0x0000000002F6E000-memory.dmp

Filesize
120KB

Download
memory/4456-73-0x0000000002240000-0x0000000002278000-memory.dmp

Filesize
224KB

Download
memory/4784-186-0x0000000002350000-0x0000000002361000-memory.dmp

Filesize
68KB

Download
memory/4784-185-0x0000000002290000-0x00000000022C8000-memory.dmp

Filesize
224KB

Download
memory/4784-187-0x0000000002390000-0x00000000023AE000-memory.dmp

Filesize
120KB

Download
memory/4784-180-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5028-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5028-166-0x0000000002480000-0x000000000249E000-memory.dmp

Filesize
120KB

Download
memory/5028-164-0x0000000000790000-0x00000000007C8000-memory.dmp

Filesize
224KB

Download
memory/5028-163-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/5028-165-0x00000000021C0000-0x00000000021D1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads