ff647e3d6a50d31f4a526cdef1af0f7b428716e1e57597ac27ef374580c63925

Analysis

max time kernel
43s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
Size

1.4MB
MD5

73e3898ded99d9f062cfb167d5b57635
SHA1

0b2aa86bccbed7a61a066f48c259433b6af25c1a
SHA256

ff647e3d6a50d31f4a526cdef1af0f7b428716e1e57597ac27ef374580c63925
SHA512

0f7d58c3d1fea43659a6f4ce93150e0d5f1199d9f9465100e099aeb578f7311469e3db4f08c0d3e281d6ffc298bf0945a5cf422430c2e762d8437664762e75cb
SSDEEP

24576:xhcmZ4JV6y3gOv4gfd+e61g4l2G2pfm47S5IBkgdElKcnT9U:xh4Jl7E3g4lYfm47S5IBfdSr9U

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 57 IoCs

pid	Process
2696	A29FDD.EXE
2632	A29FDD.EXE
2128	A29FDD.EXE
2912	A29FDD.EXE
844	A29FDD.EXE
2200	A29FDD.EXE
700	A29FDD.EXE
1084	A29FDD.EXE
1572	A29FDD.EXE
2708	A29FDD.EXE
1716	A29FDD.EXE
2096	A29FDD.EXE
284	A29FDD.EXE
2960	A29FDD.EXE
2996	A29FDD.EXE
2076	A29FDD.EXE
2032	A29FDD.EXE
2772	A29FDD.EXE
576	A29FDD.EXE
1208	A29FDD.EXE
2312	A29FDD.EXE
2448	A29FDD.EXE
1820	A29FDD.EXE
2456	A29FDD.EXE
2712	A29FDD.EXE
2916	A29FDD.EXE
2076	A29FDD.EXE
264	A29FDD.EXE
3152	A29FDD.EXE
3300	A29FDD.EXE
3440	A29FDD.EXE
3596	A29FDD.EXE
3740	A29FDD.EXE
3880	A29FDD.EXE
4028	A29FDD.EXE
3164	A29FDD.EXE
3380	A29FDD.EXE
3568	A29FDD.EXE
3824	A29FDD.EXE
3932	A29FDD.EXE
3268	A29FDD.EXE
3612	A29FDD.EXE
3976	A29FDD.EXE
3152	A29FDD.EXE
3380	A29FDD.EXE
2452	A29FDD.EXE
3560	A29FDD.EXE
4168	A29FDD.EXE
4288	A29FDD.EXE
4408	A29FDD.EXE
4500	A29FDD.EXE
4616	A29FDD.EXE
4744	A29FDD.EXE
4872	A29FDD.EXE
4984	A29FDD.EXE
5096	A29FDD.EXE
4268	A29FDD.EXE

Loads dropped DLL 64 IoCs

pid	Process
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2696	A29FDD.EXE
2696	A29FDD.EXE
2696	A29FDD.EXE
2696	A29FDD.EXE
2696	A29FDD.EXE
2696	A29FDD.EXE
2696	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1572	A29FDD.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 57 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
2696	A29FDD.EXE
2696	A29FDD.EXE
2696	A29FDD.EXE
2696	A29FDD.EXE
2696	A29FDD.EXE
2696	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2632	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2128	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
2912	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
844	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
2200	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
700	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1084	A29FDD.EXE
1572	A29FDD.EXE
1572	A29FDD.EXE
1572	A29FDD.EXE
1572	A29FDD.EXE
1572	A29FDD.EXE
1572	A29FDD.EXE
2708	A29FDD.EXE
2708	A29FDD.EXE
2708	A29FDD.EXE
2708	A29FDD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2404	2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2404	2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2404	2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2404	2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2696	2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2696	2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2696	2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	32
PID 2524 wrote to memory of 2696	2524	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	32
PID 2696 wrote to memory of 2908	2696	A29FDD.EXE	33
PID 2696 wrote to memory of 2908	2696	A29FDD.EXE	33
PID 2696 wrote to memory of 2908	2696	A29FDD.EXE	33
PID 2696 wrote to memory of 2908	2696	A29FDD.EXE	33
PID 2696 wrote to memory of 2632	2696	A29FDD.EXE	34
PID 2696 wrote to memory of 2632	2696	A29FDD.EXE	34
PID 2696 wrote to memory of 2632	2696	A29FDD.EXE	34
PID 2696 wrote to memory of 2632	2696	A29FDD.EXE	34
PID 2632 wrote to memory of 676	2632	A29FDD.EXE	67
PID 2632 wrote to memory of 676	2632	A29FDD.EXE	67
PID 2632 wrote to memory of 676	2632	A29FDD.EXE	67
PID 2632 wrote to memory of 676	2632	A29FDD.EXE	67
PID 2632 wrote to memory of 2128	2632	A29FDD.EXE	38
PID 2632 wrote to memory of 2128	2632	A29FDD.EXE	38
PID 2632 wrote to memory of 2128	2632	A29FDD.EXE	38
PID 2632 wrote to memory of 2128	2632	A29FDD.EXE	38
PID 2128 wrote to memory of 1560	2128	A29FDD.EXE	39
PID 2128 wrote to memory of 1560	2128	A29FDD.EXE	39
PID 2128 wrote to memory of 1560	2128	A29FDD.EXE	39
PID 2128 wrote to memory of 1560	2128	A29FDD.EXE	39
PID 2128 wrote to memory of 2912	2128	A29FDD.EXE	40
PID 2128 wrote to memory of 2912	2128	A29FDD.EXE	40
PID 2128 wrote to memory of 2912	2128	A29FDD.EXE	40
PID 2128 wrote to memory of 2912	2128	A29FDD.EXE	40
PID 2912 wrote to memory of 2432	2912	A29FDD.EXE	41
PID 2912 wrote to memory of 2432	2912	A29FDD.EXE	41
PID 2912 wrote to memory of 2432	2912	A29FDD.EXE	41
PID 2912 wrote to memory of 2432	2912	A29FDD.EXE	41
PID 2912 wrote to memory of 844	2912	A29FDD.EXE	44
PID 2912 wrote to memory of 844	2912	A29FDD.EXE	44
PID 2912 wrote to memory of 844	2912	A29FDD.EXE	44
PID 2912 wrote to memory of 844	2912	A29FDD.EXE	44
PID 844 wrote to memory of 1964	844	A29FDD.EXE	45
PID 844 wrote to memory of 1964	844	A29FDD.EXE	45
PID 844 wrote to memory of 1964	844	A29FDD.EXE	45
PID 844 wrote to memory of 1964	844	A29FDD.EXE	45
PID 844 wrote to memory of 2200	844	A29FDD.EXE	47
PID 844 wrote to memory of 2200	844	A29FDD.EXE	47
PID 844 wrote to memory of 2200	844	A29FDD.EXE	47
PID 844 wrote to memory of 2200	844	A29FDD.EXE	47
PID 2200 wrote to memory of 1672	2200	A29FDD.EXE	48
PID 2200 wrote to memory of 1672	2200	A29FDD.EXE	48
PID 2200 wrote to memory of 1672	2200	A29FDD.EXE	48
PID 2200 wrote to memory of 1672	2200	A29FDD.EXE	48
PID 2200 wrote to memory of 700	2200	A29FDD.EXE	50
PID 2200 wrote to memory of 700	2200	A29FDD.EXE	50
PID 2200 wrote to memory of 700	2200	A29FDD.EXE	50
PID 2200 wrote to memory of 700	2200	A29FDD.EXE	50
PID 700 wrote to memory of 2480	700	A29FDD.EXE	51
PID 700 wrote to memory of 2480	700	A29FDD.EXE	51
PID 700 wrote to memory of 2480	700	A29FDD.EXE	51
PID 700 wrote to memory of 2480	700	A29FDD.EXE	51
PID 700 wrote to memory of 1084	700	A29FDD.EXE	53
PID 700 wrote to memory of 1084	700	A29FDD.EXE	53
PID 700 wrote to memory of 1084	700	A29FDD.EXE	53
PID 700 wrote to memory of 1084	700	A29FDD.EXE	53

C:\Users\Admin\AppData\Local\Temp\73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\73e3898ded99d9f062cfb167d5b57635_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Windows\SysWOW64\E9804A\A29FDD.EXE
  C:\Windows\system32\E9804A\A29FDD.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\E9804A\A29FDD
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\E9804A\A29FDD.EXE
    C:\Windows\system32\E9804A\A29FDD.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\E9804A\A29FDD
      4⤵
      System Location Discovery: System Language Discovery
      PID:676
  - - C:\Windows\SysWOW64\E9804A\A29FDD.EXE
      C:\Windows\system32\E9804A\A29FDD.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
    - - C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2912
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        6⤵
        
        PID:2432
      - C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        8⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2376
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1572
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        12⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        13⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        14⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:284
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        16⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        17⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        20⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:576
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2916
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        22⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        23⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2448
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        24⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        26⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        26⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2180
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        28⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        29⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        30⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        31⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        31⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        32⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        33⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        34⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        34⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        35⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        36⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        36⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        37⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        38⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        38⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3528
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        39⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        40⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        40⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        41⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        42⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        42⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        43⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        44⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        45⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4044
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        46⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        47⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        47⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3400
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        48⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        49⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4168
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        50⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        51⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        52⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4500
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        53⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        54⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        54⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        55⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        56⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        57⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        58⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        58⤵
        Executes dropped EXE
        
        PID:4268
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        59⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        59⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        60⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        60⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        61⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        61⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        62⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        62⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        63⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        63⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        64⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        64⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        65⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        65⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        66⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        66⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        67⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        67⤵
        
        PID:5132
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        68⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        68⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        69⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        69⤵
        
        PID:5356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        70⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        70⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        71⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        71⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        72⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        72⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        73⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        73⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        74⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        74⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        75⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        75⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        76⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        76⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        77⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        77⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        78⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        78⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        79⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        79⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        80⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        80⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        81⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        81⤵
        
        PID:5572
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        82⤵
        
        PID:5448
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        82⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        83⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        83⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        84⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        84⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        85⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        85⤵
        
        PID:6148
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        86⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        86⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        87⤵
        
        PID:6368
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        87⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        88⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        88⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        89⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        89⤵
        
        PID:6660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        90⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        90⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        91⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        91⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        92⤵
        
        PID:7004
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        92⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        93⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        93⤵
        
        PID:7144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        94⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        94⤵
        
        PID:6236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        95⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        95⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        96⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        96⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        97⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        97⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        98⤵
        
        PID:7132
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        98⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        99⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        99⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        100⤵
        
        PID:6888
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        100⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        101⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        101⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        102⤵
        
        PID:7208
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        102⤵
        
        PID:7248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        103⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        103⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        104⤵
        
        PID:7468
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        104⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        105⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        105⤵
        
        PID:7616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        106⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        106⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        107⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        107⤵
        
        PID:7872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        108⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        108⤵
        
        PID:8000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        109⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        109⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        110⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        110⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        111⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        111⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        112⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        112⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        113⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        113⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        114⤵
        
        PID:8004
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        114⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        115⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        115⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        116⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        116⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        117⤵
        
        PID:8144
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        117⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        118⤵
        
        PID:8292
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        118⤵
        
        PID:8332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        119⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        119⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        120⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        120⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        121⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        121⤵
        
        PID:8720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        122⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        122⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        123⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        123⤵
        
        PID:8972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        124⤵
        
        PID:9076
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        124⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        125⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        125⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        126⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        126⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        127⤵
        
        PID:8568
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        127⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        128⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        128⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        129⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        129⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        130⤵
        
        PID:304
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        130⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        131⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        131⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        132⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        132⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        133⤵
        
        PID:8548
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        133⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        134⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        134⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        135⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        135⤵
        
        PID:8724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2992

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1532

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3872

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3120

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3664

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4160

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4276

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:5088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5476

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6784

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7992

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8120

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8452

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
b1b6c344460a50795b2e879933c25672

SHA1
141ab6f35cd2ccb774d2294dcacd620c08b86a3e

SHA256
d242dbcd34b10bb6f8ec19abf83c6b59ee7f4c749654b74892224a3fec419f0b

SHA512
4969a54e42644bb4bc96f536011c502efc769f7484ca29f45064a318e4578262dbc3fd52d9b9319e6fc9140457ee22724b5590f0459cecf44cbbf8d4cd9a8f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
5e73aae0958c5d70a87f9be353bd9c05

SHA1
a9ddb8fd9f53c61b139e3e152d584feceba8bed3

SHA256
8863827bce01dd32c49aa69228f2510c499ee747334a343461e092972e22791a

SHA512
c0d2f3b9f8b12292ea449264cacf240b5fbcf22e00a2f6948d510c524d49c0808d2de7044f261aca780cfc0fa1d15ab0eed3a2713e7f1748ffd4bc12ffb48b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
d930345881169556267b3cd8fcabec9a

SHA1
ff39ec537782fb325d550cb1d43a13d9b5bd1e2f

SHA256
8e0acd1eca636cbf44059ed97697b4756b832ec89f676bb71de53f56c7045d48

SHA512
0771834beab9ab43cb49d9b30a775d78936f68dc90f92ef9afdff37e732f38eae5af1d844c7c459924168f2c9cef1244ab5a2c32eee7b5555f7790312e9b5095

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
a6e193d30034c0bf9de1d896c2bd5463

SHA1
d71ff0f76e164701e078b9d1883feb3d8fd0b2ce

SHA256
8021ee99c11d3e75d02b7b49d2a22a0b0284e3ffc7a4a0ce9eef711168e96c9e

SHA512
75e13717c31fb10399ea5b6bee2a8e5e0f7a413064f7ebb3019539cd2b8f88f70da2c2e58b1f6323199578795c12488c0110f171892918a2dba8db63528a1be2

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
4090eea7ff62af1474cc25def4bf96de

SHA1
51e6e22386720c61633e85c732e56453e798042c

SHA256
296964311893988cf93fb8455734b52a6ccba806c8195cbd1a25ed0f08ff1089

SHA512
b3140fa67cc86c02c18e4eb5a23d3757d2bbd1149b3df0b6139164ca6b256fe9bf2687fbec89feaeee7c94e92067832a3a4d42092f1d7bd8b94944d0bab8609b

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\RegEx.fnr

Filesize
212KB

MD5
28ffc842ee89ed477df08e3e20d42bac

SHA1
846b09702c04b846b9e8be0c117f583fc418d930

SHA256
e574b4e24b7e97d9c766661f4fcdf5f04af5e134ba8a4d1f237ad4654c7b6d52

SHA512
8d85765f9d8009037e682f3123e9d4f65ca8a798051b01d1eb4449bc896689b3399632a0c6ff2e8fd2ab148af518b202b194a231f63431c2348bbb94ff8b9063

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
bc0fa124c36332cebc56e3f7823946c8

SHA1
8c3afac4a00f1ee43323a98ea93fa438bf750e0c

SHA256
23b9224692f3e52e74f233fff77e4330449bb0b01bfbccc41703e268b311cefd

SHA512
59391c2d92ccdfd2cdedfaef2e7d58ada1ad2f05df448a5cdc871be5331db68cf9fc92d32c4ef4df44337d6ef5a0de514c58d8c797e5a256948e58977d79fce2

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
f4c291989b183ee5b94592fbfdeaecf8

SHA1
986701d3f885e14b0c5f4544f3ec1e6db341e1e1

SHA256
0a211f4ef38ca8c5bf5b1f7073e36b11c5f5a68287c8cfece5413381ba24fe28

SHA512
cd33eb482f7ee21a6bcc4a83bbe6b73d86ba636493627540b0ece73e5842603b47d8b2a0d386b4731496551243217c6dbbcaf4dd9a60a8cad50fc20813f396f3

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
aacd07acb523e773f9ab8f94dd6fba03

SHA1
fe7446c31cb83618a69c6e932fb4181390045db2

SHA256
98f4bd493409a798d8b970c91fe20701d186ec0e2ec9a010188ab4cf74cc3b77

SHA512
ada8510e5f9702daf0507fae3c91c27eeeb1ae1cf5d00807e0baee713a55b27e289e07daf52a4108452929a1421636a788bebd60273e075a88b6736b2c39c905

Download Submit
\Windows\SysWOW64\E9804A\A29FDD.EXE

Filesize
1.4MB

MD5
73e3898ded99d9f062cfb167d5b57635

SHA1
0b2aa86bccbed7a61a066f48c259433b6af25c1a

SHA256
ff647e3d6a50d31f4a526cdef1af0f7b428716e1e57597ac27ef374580c63925

SHA512
0f7d58c3d1fea43659a6f4ce93150e0d5f1199d9f9465100e099aeb578f7311469e3db4f08c0d3e281d6ffc298bf0945a5cf422430c2e762d8437664762e75cb

Download Submit
memory/700-174-0x0000000000240000-0x0000000000278000-memory.dmp

Filesize
224KB

Download
memory/700-173-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/700-176-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/700-175-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/700-177-0x0000000001D50000-0x0000000001D6E000-memory.dmp

Filesize
120KB

Download
memory/700-185-0x0000000001D70000-0x0000000001D9A000-memory.dmp

Filesize
168KB

Download
memory/700-184-0x0000000001D70000-0x0000000001D9A000-memory.dmp

Filesize
168KB

Download
memory/844-150-0x0000000000380000-0x00000000003B8000-memory.dmp

Filesize
224KB

Download
memory/844-229-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/844-155-0x0000000001F10000-0x0000000001F3A000-memory.dmp

Filesize
168KB

Download
memory/844-154-0x0000000001F10000-0x0000000001F3A000-memory.dmp

Filesize
168KB

Download
memory/844-151-0x0000000001EB0000-0x0000000001EE6000-memory.dmp

Filesize
216KB

Download
memory/844-152-0x0000000000530000-0x0000000000541000-memory.dmp

Filesize
68KB

Download
memory/844-153-0x0000000001EF0000-0x0000000001F0E000-memory.dmp

Filesize
120KB

Download
memory/844-141-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/844-148-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1084-194-0x0000000001EA0000-0x0000000001ECA000-memory.dmp

Filesize
168KB

Download
memory/1084-188-0x0000000000380000-0x00000000003B8000-memory.dmp

Filesize
224KB

Download
memory/1084-186-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1084-187-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1084-191-0x0000000000550000-0x000000000056E000-memory.dmp

Filesize
120KB

Download
memory/1084-193-0x0000000001EA0000-0x0000000001ECA000-memory.dmp

Filesize
168KB

Download
memory/1084-190-0x0000000000530000-0x0000000000541000-memory.dmp

Filesize
68KB

Download
memory/1084-189-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/1572-195-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1572-208-0x0000000001F60000-0x0000000001F8A000-memory.dmp

Filesize
168KB

Download
memory/1572-209-0x0000000001F60000-0x0000000001F8A000-memory.dmp

Filesize
168KB

Download
memory/1572-206-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/1572-207-0x0000000001D50000-0x0000000001D6E000-memory.dmp

Filesize
120KB

Download
memory/1572-202-0x0000000001E80000-0x0000000001EB8000-memory.dmp

Filesize
224KB

Download
memory/1572-205-0x0000000001ED0000-0x0000000001F06000-memory.dmp

Filesize
216KB

Download
memory/1572-200-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1716-228-0x00000000003C0000-0x00000000003F8000-memory.dmp

Filesize
224KB

Download
memory/2128-204-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2128-108-0x0000000000540000-0x0000000000551000-memory.dmp

Filesize
68KB

Download
memory/2128-109-0x0000000001DC0000-0x0000000001DDE000-memory.dmp

Filesize
120KB

Download
memory/2128-113-0x0000000001E10000-0x0000000001E3A000-memory.dmp

Filesize
168KB

Download
memory/2128-107-0x0000000001D80000-0x0000000001DB6000-memory.dmp

Filesize
216KB

Download
memory/2128-106-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2128-203-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-91-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2128-105-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2200-161-0x00000000003B0000-0x00000000003E8000-memory.dmp

Filesize
224KB

Download
memory/2200-168-0x0000000002000000-0x000000000202A000-memory.dmp

Filesize
168KB

Download
memory/2200-164-0x0000000001FC0000-0x0000000001FDE000-memory.dmp

Filesize
120KB

Download
memory/2200-167-0x0000000002000000-0x000000000202A000-memory.dmp

Filesize
168KB

Download
memory/2200-162-0x0000000000720000-0x0000000000756000-memory.dmp

Filesize
216KB

Download
memory/2200-163-0x0000000000760000-0x0000000000771000-memory.dmp

Filesize
68KB

Download
memory/2200-160-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2468-78-0x0000000003D60000-0x0000000003D70000-memory.dmp

Filesize
64KB

Download
memory/2524-135-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2524-35-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/2524-34-0x0000000000820000-0x000000000084A000-memory.dmp

Filesize
168KB

Download
memory/2524-22-0x00000000003A0000-0x00000000003D6000-memory.dmp

Filesize
216KB

Download
memory/2524-24-0x00000000005E0000-0x00000000005FE000-memory.dmp

Filesize
120KB

Download
memory/2524-23-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/2524-134-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-6-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2524-21-0x0000000000330000-0x0000000000368000-memory.dmp

Filesize
224KB

Download
memory/2524-12-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2632-82-0x0000000000550000-0x0000000000561000-memory.dmp

Filesize
68KB

Download
memory/2632-77-0x0000000000380000-0x00000000003B8000-memory.dmp

Filesize
224KB

Download
memory/2632-179-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2632-178-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2632-81-0x0000000000810000-0x0000000000846000-memory.dmp

Filesize
216KB

Download
memory/2632-84-0x0000000000850000-0x000000000086E000-memory.dmp

Filesize
120KB

Download
memory/2632-76-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2632-87-0x0000000002040000-0x000000000206A000-memory.dmp

Filesize
168KB

Download
memory/2632-90-0x0000000002040000-0x000000000206A000-memory.dmp

Filesize
168KB

Download
memory/2696-57-0x0000000001D90000-0x0000000001DC8000-memory.dmp

Filesize
224KB

Download
memory/2696-59-0x0000000001FD0000-0x0000000002006000-memory.dmp

Filesize
216KB

Download
memory/2696-58-0x0000000001C70000-0x0000000001C8E000-memory.dmp

Filesize
120KB

Download
memory/2696-60-0x00000000005C0000-0x00000000005D1000-memory.dmp

Filesize
68KB

Download
memory/2696-36-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2696-165-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2696-64-0x0000000002270000-0x000000000229A000-memory.dmp

Filesize
168KB

Download
memory/2696-65-0x0000000002270000-0x000000000229A000-memory.dmp

Filesize
168KB

Download
memory/2696-50-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2696-166-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2708-216-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2708-220-0x0000000001FD0000-0x0000000001FFA000-memory.dmp

Filesize
168KB

Download
memory/2708-221-0x0000000001FD0000-0x0000000001FFA000-memory.dmp

Filesize
168KB

Download
memory/2708-218-0x0000000001F70000-0x0000000001FA6000-memory.dmp

Filesize
216KB

Download
memory/2708-215-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2708-214-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2708-219-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/2708-217-0x00000000005C0000-0x00000000005DE000-memory.dmp

Filesize
120KB

Download
memory/2912-131-0x0000000001E80000-0x0000000001E91000-memory.dmp

Filesize
68KB

Download
memory/2912-130-0x00000000003C0000-0x00000000003F6000-memory.dmp

Filesize
216KB

Download
memory/2912-114-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-125-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2912-128-0x0000000000340000-0x0000000000378000-memory.dmp

Filesize
224KB

Download
memory/2912-132-0x0000000001EA0000-0x0000000001EBE000-memory.dmp

Filesize
120KB

Download
memory/2912-227-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2912-226-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2912-140-0x0000000001EC0000-0x0000000001EEA000-memory.dmp

Filesize
168KB

Download
memory/2912-139-0x0000000001EC0000-0x0000000001EEA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads