96543093ce6a7ee65e2eb84e164bbc4d0f373b528f15a48099189da93442a350

Analysis

max time kernel
10s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
Size

1.4MB
MD5

f9ed6efacd6ccab81f4d27dff442ad4b
SHA1

1a5d72751ec0c68caf5c7aed7c858cf76e0d4615
SHA256

96543093ce6a7ee65e2eb84e164bbc4d0f373b528f15a48099189da93442a350
SHA512

f725b5aa40daa0b9f90fc5d5bd15f4cc0f38176924a942733d2df1f5b8b91b4dcc227712c7e53da41b89f5e88a09d7bdc9d1c3a9dea68345d28b4ba1509987ff
SSDEEP

24576:HJlihSFZgXSasH/J2wSvidGHEdhgUDumvHhYBe9ML1K:HuIKKav0GHEXgUasHhkdLk

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
4996	BFA1C7.EXE
1576	BFA1C7.EXE
2792	BFA1C7.EXE
3968	BFA1C7.EXE
412	BFA1C7.EXE
4540	BFA1C7.EXE
3688	BFA1C7.EXE
2828	BFA1C7.EXE
4304	BFA1C7.EXE
388	BFA1C7.EXE
860	BFA1C7.EXE
2592	BFA1C7.EXE
4356	BFA1C7.EXE
3840	BFA1C7.EXE
4828	BFA1C7.EXE
1992	BFA1C7.EXE
2104	BFA1C7.EXE
4708	BFA1C7.EXE
3820	BFA1C7.EXE

Loads dropped DLL 64 IoCs

pid	Process
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4996	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
4304	BFA1C7.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 20 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	BFA1C7.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\046D17	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\70B97F	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\497A92	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\046D17\BFA1C7.EXE	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\046D17\BFA1C7.EXE	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe

Suspicious behavior: AddClipboardFormatListener 14 IoCs

pid	Process
4748	explorer.exe
5108	explorer.exe
1572	explorer.exe
4568	explorer.exe
392	explorer.exe
2084	explorer.exe
1356	explorer.exe
4136	explorer.exe
4332	explorer.exe
2748	explorer.exe
4628	explorer.exe
1164	explorer.exe
1360	explorer.exe
1660	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4996	BFA1C7.EXE
4748	explorer.exe
4748	explorer.exe
1576	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
1576	BFA1C7.EXE
5108	explorer.exe
5108	explorer.exe
2792	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
2792	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
3968	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
412	BFA1C7.EXE
4568	explorer.exe
4568	explorer.exe
1572	explorer.exe
1572	explorer.exe
4540	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
4540	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
3688	BFA1C7.EXE
392	explorer.exe
392	explorer.exe
3688	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE
2828	BFA1C7.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 872	620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe	83
PID 620 wrote to memory of 872	620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe	83
PID 620 wrote to memory of 872	620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe	83
PID 620 wrote to memory of 4996	620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe	85
PID 620 wrote to memory of 4996	620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe	85
PID 620 wrote to memory of 4996	620	f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe	85
PID 4996 wrote to memory of 3668	4996	BFA1C7.EXE	86
PID 4996 wrote to memory of 3668	4996	BFA1C7.EXE	86
PID 4996 wrote to memory of 3668	4996	BFA1C7.EXE	86
PID 4996 wrote to memory of 1576	4996	BFA1C7.EXE	181
PID 4996 wrote to memory of 1576	4996	BFA1C7.EXE	181
PID 4996 wrote to memory of 1576	4996	BFA1C7.EXE	181
PID 1576 wrote to memory of 4152	1576	BFA1C7.EXE	89
PID 1576 wrote to memory of 4152	1576	BFA1C7.EXE	89
PID 1576 wrote to memory of 4152	1576	BFA1C7.EXE	89
PID 1576 wrote to memory of 2792	1576	BFA1C7.EXE	90
PID 1576 wrote to memory of 2792	1576	BFA1C7.EXE	90
PID 1576 wrote to memory of 2792	1576	BFA1C7.EXE	90
PID 2792 wrote to memory of 4740	2792	BFA1C7.EXE	142
PID 2792 wrote to memory of 4740	2792	BFA1C7.EXE	142
PID 2792 wrote to memory of 4740	2792	BFA1C7.EXE	142
PID 2792 wrote to memory of 3968	2792	BFA1C7.EXE	93
PID 2792 wrote to memory of 3968	2792	BFA1C7.EXE	93
PID 2792 wrote to memory of 3968	2792	BFA1C7.EXE	93
PID 3968 wrote to memory of 768	3968	BFA1C7.EXE	95
PID 3968 wrote to memory of 768	3968	BFA1C7.EXE	95
PID 3968 wrote to memory of 768	3968	BFA1C7.EXE	95
PID 3968 wrote to memory of 412	3968	BFA1C7.EXE	96
PID 3968 wrote to memory of 412	3968	BFA1C7.EXE	96
PID 3968 wrote to memory of 412	3968	BFA1C7.EXE	96
PID 412 wrote to memory of 4080	412	BFA1C7.EXE	293
PID 412 wrote to memory of 4080	412	BFA1C7.EXE	293
PID 412 wrote to memory of 4080	412	BFA1C7.EXE	293
PID 412 wrote to memory of 4540	412	BFA1C7.EXE	99
PID 412 wrote to memory of 4540	412	BFA1C7.EXE	99
PID 412 wrote to memory of 4540	412	BFA1C7.EXE	99
PID 4540 wrote to memory of 4904	4540	BFA1C7.EXE	101
PID 4540 wrote to memory of 4904	4540	BFA1C7.EXE	101
PID 4540 wrote to memory of 4904	4540	BFA1C7.EXE	101
PID 4540 wrote to memory of 3688	4540	BFA1C7.EXE	102
PID 4540 wrote to memory of 3688	4540	BFA1C7.EXE	102
PID 4540 wrote to memory of 3688	4540	BFA1C7.EXE	102
PID 3688 wrote to memory of 2448	3688	BFA1C7.EXE	104
PID 3688 wrote to memory of 2448	3688	BFA1C7.EXE	104
PID 3688 wrote to memory of 2448	3688	BFA1C7.EXE	104
PID 3688 wrote to memory of 2828	3688	BFA1C7.EXE	105
PID 3688 wrote to memory of 2828	3688	BFA1C7.EXE	105
PID 3688 wrote to memory of 2828	3688	BFA1C7.EXE	105
PID 2828 wrote to memory of 3532	2828	BFA1C7.EXE	107
PID 2828 wrote to memory of 3532	2828	BFA1C7.EXE	107
PID 2828 wrote to memory of 3532	2828	BFA1C7.EXE	107
PID 2828 wrote to memory of 4304	2828	BFA1C7.EXE	108
PID 2828 wrote to memory of 4304	2828	BFA1C7.EXE	108
PID 2828 wrote to memory of 4304	2828	BFA1C7.EXE	108
PID 4304 wrote to memory of 3936	4304	BFA1C7.EXE	110
PID 4304 wrote to memory of 3936	4304	BFA1C7.EXE	110
PID 4304 wrote to memory of 3936	4304	BFA1C7.EXE	110
PID 4304 wrote to memory of 388	4304	BFA1C7.EXE	112
PID 4304 wrote to memory of 388	4304	BFA1C7.EXE	112
PID 4304 wrote to memory of 388	4304	BFA1C7.EXE	112
PID 388 wrote to memory of 4688	388	BFA1C7.EXE	113
PID 388 wrote to memory of 4688	388	BFA1C7.EXE	113
PID 388 wrote to memory of 4688	388	BFA1C7.EXE	113
PID 388 wrote to memory of 860	388	BFA1C7.EXE	114

C:\Users\Admin\AppData\Local\Temp\f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\f9ed6efacd6ccab81f4d27dff442ad4b_JaffaCakes118
  2⤵
  PID:872
- C:\Windows\SysWOW64\046D17\BFA1C7.EXE
  C:\Windows\system32\046D17\BFA1C7.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\046D17\BFA1C7
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\046D17\BFA1C7.EXE
    C:\Windows\system32\046D17\BFA1C7.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\046D17\BFA1C7
      4⤵
      PID:4152
  - - C:\Windows\SysWOW64\046D17\BFA1C7.EXE
      C:\Windows\system32\046D17\BFA1C7.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        5⤵
        
        PID:4740
    - - C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3968
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        6⤵
        
        PID:768
      - C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        7⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        9⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        10⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        11⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        12⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        13⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        14⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        15⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3840
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        16⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        17⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        18⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2104
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        19⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        20⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        20⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        21⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        21⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        22⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        22⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        23⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        23⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        24⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        24⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        25⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        25⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        26⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        26⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        27⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        27⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        28⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        28⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        29⤵
        
        PID:5316
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        29⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        30⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        30⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        31⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        31⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        32⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        32⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        33⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        33⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        34⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        34⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        35⤵
        
        PID:5604
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        35⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        36⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        36⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        37⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        37⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        38⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        38⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        39⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        39⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        40⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        40⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        41⤵
        
        PID:400
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        41⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        42⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        42⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        43⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        43⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        44⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        44⤵
        
        PID:6464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        45⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        45⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        46⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        46⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        47⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        47⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        48⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        48⤵
        
        PID:5460
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        49⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        49⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        50⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        50⤵
        
        PID:5824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        51⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        51⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        52⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        52⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        53⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        53⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        54⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        54⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        55⤵
        
        PID:6824
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        55⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        56⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        56⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        57⤵
        
        PID:5428
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        57⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        58⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        58⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        59⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        59⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        60⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        60⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        61⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        61⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        62⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        62⤵
        
        PID:8032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        63⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        63⤵
        
        PID:7228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        64⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        64⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        65⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        65⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        66⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        66⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        67⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        67⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        68⤵
        
        PID:8184
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        68⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        69⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        69⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        70⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        70⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        71⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        71⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        72⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        72⤵
        
        PID:656
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        73⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        73⤵
        
        PID:8188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        74⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        74⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        75⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        75⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        76⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        76⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        77⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        77⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        78⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        78⤵
        
        PID:8876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        79⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        79⤵
        
        PID:9048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        80⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        80⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        81⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        81⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        82⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        82⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        83⤵
        
        PID:8336
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        83⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        84⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        84⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        85⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        85⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        86⤵
        
        PID:6348
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        86⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        87⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        87⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        88⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        88⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        89⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        89⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        90⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        90⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        91⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        91⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        92⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        92⤵
        
        PID:9424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        93⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        93⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        94⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        94⤵
        
        PID:9792
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        95⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        95⤵
        
        PID:9996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        96⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        96⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        97⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        97⤵
        
        PID:6176
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        98⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        98⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        99⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        99⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        100⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        100⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        101⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        101⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        102⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        102⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        103⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        103⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        104⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        104⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        105⤵
        
        PID:10128
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        105⤵
        
        PID:748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        106⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        106⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        107⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        107⤵
        
        PID:7240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        108⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        108⤵
        
        PID:10308
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        109⤵
        
        PID:10436
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        109⤵
        
        PID:10536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        110⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        110⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        111⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        111⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        112⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        112⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        113⤵
        
        PID:11232
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        113⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        114⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        114⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        115⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        115⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        116⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        116⤵
        
        PID:10832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        117⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        117⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        118⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        118⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        119⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        119⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        120⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        120⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        121⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        121⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        122⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        122⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        123⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        123⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        124⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        124⤵
        
        PID:5692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        125⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        125⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        126⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        126⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        127⤵
        
        PID:11352
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        127⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        128⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        128⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        129⤵
        
        PID:11748
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        129⤵
        
        PID:11824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        130⤵
        
        PID:11908
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        130⤵
        
        PID:11988
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        131⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        131⤵
        
        PID:12208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        132⤵
        
        PID:10792
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        132⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        133⤵
        
        PID:11008
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        133⤵
        
        PID:11656
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        134⤵
        
        PID:11812
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        134⤵
        
        PID:11512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        135⤵
        
        PID:11868
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        135⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        136⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        136⤵
        
        PID:11472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        137⤵
        
        PID:11988
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        137⤵
        
        PID:11316
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        138⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        138⤵
        
        PID:11844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        139⤵
        
        PID:11376
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        139⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        140⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        140⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\046D17\BFA1C7
        141⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\046D17\BFA1C7.EXE
        
        C:\Windows\system32\046D17\BFA1C7.EXE
        141⤵
        
        PID:11712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5792

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4384

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7880

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6284

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9116

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8664

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9784

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3380

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11228

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11900

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:11992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
fc974550901b26c5d01a57f95353640e

SHA1
b6b6dc6565a81edcfa9f7a666a7a5e690c5078aa

SHA256
ac1514470fac833966207725b611916fdd86b97c1f725be0952840330a0989a1

SHA512
3190b9186dc4396a9160f8bf7e12a7abe263651316b7d019bec49d61399e8541cbf33e867885048996d3595c13067974fa4ff778e77b86054de21d1a33c0dd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
264KB

MD5
65c1c908a83ff96c5f55e59d897e1ab6

SHA1
a75d31a288c2c4619e19b8deeeeceeb260b8aca1

SHA256
5274afcfaa7b0ef4a66f2ced6544325baa52e0de010540280678e0efc54c25e9

SHA512
8804c8ffc6cbdcee13844c5c7de37343fe522ee7eb2af0d8e397d0aeedc4886d9b03f24f3ed5aaf1db94c07e6cfab91444c522c786698fcfb0d5a65d20bd2742

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
983ae0c4ed446b5c970f5b51d55a0c56

SHA1
b60d1c3d80b7f4a164155a4c760c41ca59ee7300

SHA256
1536ea5dceb8627ee22e00aa184afce2ed3a1f853e1c821aa836ba7e3ea1b90b

SHA512
8d68cc4163321b9c922b435339f1559be2d878b4248509e9798610d51e1db1bc167db385e788ec7a80de18ad85a317b32d3524c25d52c38e8307c09305535cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
14ab3914529048575af15468b344cb04

SHA1
df298f4cd4c61be5b66da4a4eb72ba5b17e71351

SHA256
98f04fc2d86e35fdaf556791de21b4e421d777655cdb24f56af815a33eaca113

SHA512
b3c4297257d620b303c74aea8e7d90132e99b1c8320feb555007e77e0278271f89073a0ec3e0e7db7d33a65e43ca5699293cc64ed3ef9bfda94265ae1acfeefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
258d4c58bc1c829c263916a994f59554

SHA1
8320408d293a104e86a9dc7491031df3cd58441d

SHA256
dc04d188bb87526572300a14bcf8882bece321229a28e1662cfcbd041e345d9e

SHA512
57c9aae25c21c27fa287a4dc569ec0ebc65c65c8e2688663538d3a068fa32ce7839d3134bc350f163bfa3513a7092bb2b4b34e8cb4848017c4b187e86bb4758b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
d96fa4e08cdfd5645098f1b2a9d7e18b

SHA1
06a078acb1fad3d11a4ce0f562c6d26f7fecdb24

SHA256
954137ce66ff0c28d0e549c8f2ff4803cac2038ecf5d62062ece5928a327badc

SHA512
b156205dd3c095f23f7f5d731f4fe0517bed3e5e4575ba2950dea14658eee8e79dea1ff7548a320b81d183d42cb6bd3033d3bd20f450c9212de50a7ddeada0dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
e7c96432bf5a8b157a3a4c7199e885a7

SHA1
1ee2acb9dc491525571ca362403b08bbe082c824

SHA256
3daf15eb9b2e87b4ca20fe3182fbf1899a72cd0b16ded4c86c9c24cef5e9ebc9

SHA512
954c4a91e5303688bb0e11d08cf2febef8b99fa59f11616151c93849ef5a83858df72450b5a4a0471ad08ac36c4d7cd34488397261e4c61411e87595eea3a37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
72KB

MD5
480734c7c3990ff231b93242302d7af5

SHA1
4b78fe0e22b61b0647723002eef46337d99c15b4

SHA256
be9e0cb2e9ac83210202da3b39663efd365f0f1cc8e8eb67112dd96c99a6a2eb

SHA512
73ce6e0583819caddb6c528d51198d282047413d78ec73f65b94823596504305545aaf25ab239cec727fa82698c9a62284e668417bdb9dd47d016c8df7d3e19f

Download Submit
C:\Windows\SysWOW64\046D17\BFA1C7.EXE

Filesize
1.4MB

MD5
f9ed6efacd6ccab81f4d27dff442ad4b

SHA1
1a5d72751ec0c68caf5c7aed7c858cf76e0d4615

SHA256
96543093ce6a7ee65e2eb84e164bbc4d0f373b528f15a48099189da93442a350

SHA512
f725b5aa40daa0b9f90fc5d5bd15f4cc0f38176924a942733d2df1f5b8b91b4dcc227712c7e53da41b89f5e88a09d7bdc9d1c3a9dea68345d28b4ba1509987ff

Download Submit
memory/412-129-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/412-173-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/412-137-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/412-142-0x0000000002930000-0x000000000294E000-memory.dmp

Filesize
120KB

Download
memory/412-138-0x0000000002000000-0x000000000204B000-memory.dmp

Filesize
300KB

Download
memory/412-140-0x00000000028F0000-0x0000000002901000-memory.dmp

Filesize
68KB

Download
memory/412-174-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/620-125-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/620-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/620-10-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/620-18-0x00000000023E0000-0x000000000242B000-memory.dmp

Filesize
300KB

Download
memory/620-19-0x00000000023E0000-0x000000000242B000-memory.dmp

Filesize
300KB

Download
memory/620-30-0x00000000026F0000-0x0000000002701000-memory.dmp

Filesize
68KB

Download
memory/620-31-0x00000000031B0000-0x00000000031CE000-memory.dmp

Filesize
120KB

Download
memory/620-127-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1576-77-0x0000000002080000-0x00000000020CB000-memory.dmp

Filesize
300KB

Download
memory/1576-76-0x0000000002080000-0x00000000020CB000-memory.dmp

Filesize
300KB

Download
memory/1576-83-0x0000000003080000-0x000000000309E000-memory.dmp

Filesize
120KB

Download
memory/1576-148-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1576-147-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1576-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1576-82-0x0000000002800000-0x0000000002811000-memory.dmp

Filesize
68KB

Download
memory/1576-73-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2792-104-0x0000000002500000-0x000000000251E000-memory.dmp

Filesize
120KB

Download
memory/2792-103-0x00000000024E0000-0x00000000024F1000-memory.dmp

Filesize
68KB

Download
memory/2792-94-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2792-95-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2792-156-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2792-158-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2792-98-0x0000000002000000-0x000000000204B000-memory.dmp

Filesize
300KB

Download
memory/2828-169-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2828-170-0x00000000021B0000-0x00000000021FB000-memory.dmp

Filesize
300KB

Download
memory/2828-172-0x0000000002580000-0x000000000259E000-memory.dmp

Filesize
120KB

Download
memory/2828-171-0x0000000002560000-0x0000000002571000-memory.dmp

Filesize
68KB

Download
memory/3688-164-0x0000000003060000-0x000000000307E000-memory.dmp

Filesize
120KB

Download
memory/3688-162-0x0000000002F40000-0x0000000002F51000-memory.dmp

Filesize
68KB

Download
memory/3688-159-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3688-157-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3688-160-0x00000000023F0000-0x000000000243B000-memory.dmp

Filesize
300KB

Download
memory/3968-126-0x0000000002700000-0x000000000271E000-memory.dmp

Filesize
120KB

Download
memory/3968-116-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3968-115-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3968-119-0x0000000002240000-0x000000000228B000-memory.dmp

Filesize
300KB

Download
memory/3968-163-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3968-161-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3968-124-0x00000000026E0000-0x00000000026F1000-memory.dmp

Filesize
68KB

Download
memory/4304-180-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4304-179-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4304-183-0x0000000002A20000-0x0000000002A3E000-memory.dmp

Filesize
120KB

Download
memory/4304-182-0x0000000002A00000-0x0000000002A11000-memory.dmp

Filesize
68KB

Download
memory/4304-181-0x0000000002290000-0x00000000022DB000-memory.dmp

Filesize
300KB

Download
memory/4540-185-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4540-149-0x00000000022C0000-0x000000000230B000-memory.dmp

Filesize
300KB

Download
memory/4540-151-0x0000000002F90000-0x0000000002FAE000-memory.dmp

Filesize
120KB

Download
memory/4540-184-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4540-150-0x0000000002F70000-0x0000000002F81000-memory.dmp

Filesize
68KB

Download
memory/4996-61-0x0000000002A80000-0x0000000002A9E000-memory.dmp

Filesize
120KB

Download
memory/4996-37-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4996-48-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4996-52-0x00000000022C0000-0x000000000230B000-memory.dmp

Filesize
300KB

Download
memory/4996-53-0x00000000022C0000-0x000000000230B000-memory.dmp

Filesize
300KB

Download
memory/4996-60-0x0000000002950000-0x0000000002961000-memory.dmp

Filesize
68KB

Download
memory/4996-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4996-141-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads