sality | b24d01edb8b76471a6c715b3a8c76d91a20465cea1c5f3a07d3d47f0ea6ccd90

Windows Service

T1543.003

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	XP-FEBFA1C7.EXE

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	XP-FEBFA1C7.EXE

Windows security bypass 2 TTPs 12 IoCs

Disable or Modify Tools

Modify Registry

Processes:

XP-FEBFA1C7.EXE4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe

Executes dropped EXE 6 IoCs

Processes:

XP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXE

pid process

3604 XP-FEBFA1C7.EXE
4768 XP-FEBFA1C7.EXE
372 XP-FEBFA1C7.EXE
3644 XP-FEBFA1C7.EXE
1052 XP-FEBFA1C7.EXE
4184 XP-FEBFA1C7.EXE

pid	process
3604	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
4184	XP-FEBFA1C7.EXE

Loads dropped DLL 43 IoCs

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXE

pid	process
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
4184	XP-FEBFA1C7.EXE

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/668-4-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-18-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-19-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-1-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-3-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-5-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-20-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-33-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-30-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-39-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-61-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-70-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-96-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/668-136-0x00000000021A0000-0x000000000325A000-memory.dmp	upx
behavioral2/memory/3644-178-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-175-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-174-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-171-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-170-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-173-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-172-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-169-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-155-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-211-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-210-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-153-0x00000000021C0000-0x000000000327A000-memory.dmp	upx
behavioral2/memory/3644-231-0x00000000021C0000-0x000000000327A000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

Disable or Modify Tools

Modify Registry

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	XP-FEBFA1C7.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	XP-FEBFA1C7.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	XP-FEBFA1C7.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 6 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

XP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXE4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE

Drops file in System32 directory 2 IoCs

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe

description	ioc	process
File created	C:\Windows\SysWOW64\XP-FEBFA1C7.EXE	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\XP-FEBFA1C7.EXE	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe

Drops file in Windows directory 3 IoCs

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXE

description	ioc	process
File created	C:\Windows\e57466f	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
File opened for modification	C:\Windows\SYSTEM.INI	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
File created	C:\Windows\e57568c	XP-FEBFA1C7.EXE

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 49 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

pid process

3176 explorer.exe
4168 explorer.exe
3372 explorer.exe

pid	process
3176	explorer.exe
4168	explorer.exe
3372	explorer.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXE

pid	process
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe

description	pid	process
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Token: SeDebugPrivilege	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe

Suspicious use of SetWindowsHookEx 42 IoCs

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXEexplorer.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEexplorer.exeXP-FEBFA1C7.EXEexplorer.exeXP-FEBFA1C7.EXE

pid	process
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
3176	explorer.exe
3176	explorer.exe
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
3604	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
4168	explorer.exe
4168	explorer.exe
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
372	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3644	XP-FEBFA1C7.EXE
3372	explorer.exe
3372	explorer.exe
3644	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE
1052	XP-FEBFA1C7.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXE

description	pid	process	target process
PID 668 wrote to memory of 772	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	fontdrvhost.exe
PID 668 wrote to memory of 776	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	fontdrvhost.exe
PID 668 wrote to memory of 380	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	dwm.exe
PID 668 wrote to memory of 2688	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	sihost.exe
PID 668 wrote to memory of 2804	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	svchost.exe
PID 668 wrote to memory of 3036	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	taskhostw.exe
PID 668 wrote to memory of 3552	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	Explorer.EXE
PID 668 wrote to memory of 3672	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	svchost.exe
PID 668 wrote to memory of 3860	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	DllHost.exe
PID 668 wrote to memory of 4044	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	StartMenuExperienceHost.exe
PID 668 wrote to memory of 1060	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	RuntimeBroker.exe
PID 668 wrote to memory of 2884	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	SearchApp.exe
PID 668 wrote to memory of 3780	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	RuntimeBroker.exe
PID 668 wrote to memory of 468	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	TextInputHost.exe
PID 668 wrote to memory of 4740	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	RuntimeBroker.exe
PID 668 wrote to memory of 3756	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	backgroundTaskHost.exe
PID 668 wrote to memory of 3836	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	backgroundTaskHost.exe
PID 668 wrote to memory of 3632	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	explorer.exe
PID 668 wrote to memory of 3632	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	explorer.exe
PID 668 wrote to memory of 3632	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	explorer.exe
PID 668 wrote to memory of 3604	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	XP-FEBFA1C7.EXE
PID 668 wrote to memory of 3604	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	XP-FEBFA1C7.EXE
PID 668 wrote to memory of 3604	668	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe	XP-FEBFA1C7.EXE
PID 3604 wrote to memory of 4876	3604	XP-FEBFA1C7.EXE	explorer.exe
PID 3604 wrote to memory of 4876	3604	XP-FEBFA1C7.EXE	explorer.exe
PID 3604 wrote to memory of 4876	3604	XP-FEBFA1C7.EXE	explorer.exe
PID 3604 wrote to memory of 4768	3604	XP-FEBFA1C7.EXE	WaaSMedicAgent.exe
PID 3604 wrote to memory of 4768	3604	XP-FEBFA1C7.EXE	WaaSMedicAgent.exe
PID 3604 wrote to memory of 4768	3604	XP-FEBFA1C7.EXE	WaaSMedicAgent.exe
PID 4768 wrote to memory of 4696	4768	XP-FEBFA1C7.EXE	explorer.exe
PID 4768 wrote to memory of 4696	4768	XP-FEBFA1C7.EXE	explorer.exe
PID 4768 wrote to memory of 4696	4768	XP-FEBFA1C7.EXE	explorer.exe
PID 4768 wrote to memory of 372	4768	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 4768 wrote to memory of 372	4768	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 4768 wrote to memory of 372	4768	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 372 wrote to memory of 4140	372	XP-FEBFA1C7.EXE	explorer.exe
PID 372 wrote to memory of 4140	372	XP-FEBFA1C7.EXE	explorer.exe
PID 372 wrote to memory of 4140	372	XP-FEBFA1C7.EXE	explorer.exe
PID 372 wrote to memory of 3644	372	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 372 wrote to memory of 3644	372	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 372 wrote to memory of 3644	372	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3644 wrote to memory of 772	3644	XP-FEBFA1C7.EXE	fontdrvhost.exe
PID 3644 wrote to memory of 776	3644	XP-FEBFA1C7.EXE	fontdrvhost.exe
PID 3644 wrote to memory of 380	3644	XP-FEBFA1C7.EXE	dwm.exe
PID 3644 wrote to memory of 2688	3644	XP-FEBFA1C7.EXE	sihost.exe
PID 3644 wrote to memory of 2804	3644	XP-FEBFA1C7.EXE	svchost.exe
PID 3644 wrote to memory of 3036	3644	XP-FEBFA1C7.EXE	taskhostw.exe
PID 3644 wrote to memory of 3552	3644	XP-FEBFA1C7.EXE	Explorer.EXE
PID 3644 wrote to memory of 3672	3644	XP-FEBFA1C7.EXE	svchost.exe
PID 3644 wrote to memory of 3860	3644	XP-FEBFA1C7.EXE	DllHost.exe
PID 3644 wrote to memory of 4044	3644	XP-FEBFA1C7.EXE	StartMenuExperienceHost.exe
PID 3644 wrote to memory of 1060	3644	XP-FEBFA1C7.EXE	RuntimeBroker.exe
PID 3644 wrote to memory of 2884	3644	XP-FEBFA1C7.EXE	SearchApp.exe
PID 3644 wrote to memory of 3780	3644	XP-FEBFA1C7.EXE	RuntimeBroker.exe
PID 3644 wrote to memory of 468	3644	XP-FEBFA1C7.EXE	TextInputHost.exe
PID 3644 wrote to memory of 4740	3644	XP-FEBFA1C7.EXE	RuntimeBroker.exe
PID 3644 wrote to memory of 3756	3644	XP-FEBFA1C7.EXE	backgroundTaskHost.exe
PID 3644 wrote to memory of 3836	3644	XP-FEBFA1C7.EXE	backgroundTaskHost.exe
PID 3644 wrote to memory of 3176	3644	XP-FEBFA1C7.EXE	explorer.exe
PID 3644 wrote to memory of 4168	3644	XP-FEBFA1C7.EXE	explorer.exe
PID 3644 wrote to memory of 3420	3644	XP-FEBFA1C7.EXE	BackgroundTransferHost.exe
PID 3644 wrote to memory of 372	3644	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3644 wrote to memory of 372	3644	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3644 wrote to memory of 3372	3644	XP-FEBFA1C7.EXE	explorer.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

Processes:

4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exeXP-FEBFA1C7.EXE

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	XP-FEBFA1C7.EXE

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:380

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2804

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3036

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3552
- C:\Users\Admin\AppData\Local\Temp\4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Loads dropped DLL
  - Windows security modification
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:668
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Users\Admin\AppData\Local\Temp\4c7adf51d74764fc83d628e9a8cc9c60_NeikiAnalytics
    3⤵
    PID:3632
- - C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
    C:\Windows\system32\XP-FEBFA1C7.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\XP-FEBFA1C7
      4⤵
      PID:4876
  - - C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
      C:\Windows\system32\XP-FEBFA1C7.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4768
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        5⤵
        
        PID:4696
    - - C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:372
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        6⤵
        
        PID:4140
      - C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        6⤵
        Modifies firewall policy service
        UAC bypass
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Checks whether UAC is enabled
        Writes to the Master Boot Record (MBR)
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:3644
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        7⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:1052
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        8⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4184
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        9⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        9⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        10⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        10⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        11⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        11⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        12⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        12⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        13⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        13⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        14⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        14⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        15⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        15⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        16⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        16⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        17⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        17⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        18⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        18⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        19⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        19⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        20⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        20⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        21⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        21⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        22⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        22⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        23⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        23⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        24⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        24⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        25⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        25⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        26⤵
        
        PID:5828
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        26⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        27⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        27⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        28⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        28⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        29⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        29⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        30⤵
        
        PID:5988
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        30⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        31⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        31⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        32⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        32⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        33⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        33⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        34⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        34⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        35⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        35⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        36⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        36⤵
        
        PID:396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        37⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        37⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        38⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        38⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        39⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        39⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        40⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        40⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        41⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        41⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        42⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        42⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        43⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        43⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        44⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        44⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        45⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        45⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        46⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        46⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        47⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        47⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        48⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        48⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        49⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        49⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        50⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        50⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        51⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        51⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        52⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        52⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        53⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        53⤵
        
        PID:8064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        54⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        54⤵
        
        PID:7232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        55⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        55⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        56⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        56⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        57⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        57⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        58⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        58⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        59⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        59⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        60⤵
        
        PID:8024
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        60⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        61⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        61⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        62⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        62⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        63⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        63⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        64⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        64⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        65⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        65⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        66⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        66⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        67⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        67⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        68⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        68⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        69⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        69⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        70⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        70⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        71⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        71⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        72⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        72⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        73⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        73⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        74⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        74⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        75⤵
        
        PID:9140
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        75⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        76⤵
        
        PID:8760
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        76⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        77⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        77⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        78⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        78⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        79⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        79⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        80⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        80⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        81⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        81⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        82⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        82⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        83⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        83⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        84⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        84⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        85⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        85⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        86⤵
        
        PID:8908
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        86⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        87⤵
        
        PID:944
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        87⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        88⤵
        
        PID:9316
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        88⤵
        
        PID:9376
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        89⤵
        
        PID:9544
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        89⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        90⤵
        
        PID:9944
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        90⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        91⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        91⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        92⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        92⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        93⤵
        
        PID:9492
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        93⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        94⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        94⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        95⤵
        
        PID:880
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        95⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        96⤵
        
        PID:9768
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        96⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        97⤵
        
        PID:9652
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        97⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        98⤵
        
        PID:9608
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        98⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        99⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        99⤵
        
        PID:9928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        100⤵
        
        PID:9808
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        100⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        101⤵
        
        PID:9920
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        101⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        102⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        102⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        103⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        103⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        104⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        104⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        105⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        105⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        106⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        106⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        107⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        107⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        108⤵
        
        PID:10300
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        108⤵
        
        PID:10420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        109⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        109⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        110⤵
        
        PID:10932
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        110⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        111⤵
        
        PID:11168
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        111⤵
        
        PID:1432
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        112⤵
        
        PID:10480
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        112⤵
        
        PID:9420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        113⤵
        
        PID:10812
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        113⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        114⤵
        
        PID:10964
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        114⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        115⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        115⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        116⤵
        
        PID:10972
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        116⤵
        
        PID:924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        117⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        117⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        118⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        118⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        119⤵
        
        PID:10752
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        119⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        120⤵
        
        PID:10600
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        120⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        121⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        121⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        122⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        122⤵
        
        PID:10272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        123⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        123⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        124⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        124⤵
        
        PID:11240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        125⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        125⤵
        
        PID:11324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        126⤵
        
        PID:11608
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        126⤵
        
        PID:11684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        127⤵
        
        PID:11860
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        127⤵
        
        PID:11896
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        128⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        128⤵
        
        PID:12152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        129⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        129⤵
        
        PID:11468
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        130⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        130⤵
        
        PID:11612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        131⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        131⤵
        
        PID:11464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        132⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        132⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        133⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        133⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        134⤵
        
        PID:7440
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        134⤵
        
        PID:11860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        135⤵
        
        PID:11416
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        135⤵
        
        PID:11832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        136⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        136⤵
        
        PID:12084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        137⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        137⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        138⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        138⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        139⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        139⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        140⤵
        
        PID:12252
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        140⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        141⤵
        
        PID:10316
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        141⤵
        
        PID:12180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        142⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        142⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        143⤵
        
        PID:12340
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        143⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        144⤵
        
        PID:12460
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        144⤵
        
        PID:12488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        145⤵
        
        PID:12816
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        145⤵
        
        PID:12848
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        146⤵
        
        PID:12904
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        146⤵
        
        PID:12936
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        147⤵
        
        PID:13000
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        147⤵
        
        PID:13032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        148⤵
        
        PID:13108
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        148⤵
        
        PID:13140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        149⤵
        
        PID:13220
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        149⤵
        
        PID:13292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        150⤵
        
        PID:12696
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        150⤵
        
        PID:12960
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        151⤵
        
        PID:13072
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        151⤵
        
        PID:12796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        152⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        152⤵
        
        PID:12896
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        153⤵
        
        PID:12980
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        153⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        154⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        154⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        155⤵
        
        PID:12628
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        155⤵
        
        PID:12992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        156⤵
        
        PID:12312
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        156⤵
        
        PID:8264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3672

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3860

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1060

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2884

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3780

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4740

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:3756

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:3420

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3228

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 03bd2ff19292f03967461d7f98b28b97 1SYaPt9bfEuJgpz7h3f/Mw.0.1.0.0.0
1⤵
PID:4768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3548

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3272

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5308

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3612

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5612

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5848

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7940

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7784

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8552

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3532

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8760

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8160

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8580

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10140

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8692

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6764

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10120

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10228

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10488

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6992

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11692

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11452

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11664

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry