ff647e3d6a50d31f4a526cdef1af0f7b428716e1e57597ac27ef374580c63925

Analysis

max time kernel
7s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
Size

1.4MB
MD5

73e3898ded99d9f062cfb167d5b57635
SHA1

0b2aa86bccbed7a61a066f48c259433b6af25c1a
SHA256

ff647e3d6a50d31f4a526cdef1af0f7b428716e1e57597ac27ef374580c63925
SHA512

0f7d58c3d1fea43659a6f4ce93150e0d5f1199d9f9465100e099aeb578f7311469e3db4f08c0d3e281d6ffc298bf0945a5cf422430c2e762d8437664762e75cb
SSDEEP

24576:xhcmZ4JV6y3gOv4gfd+e61g4l2G2pfm47S5IBkgdElKcnT9U:xh4Jl7E3g4lYfm47S5IBfdSr9U

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
4320	A29FDD.EXE
4316	A29FDD.EXE
3964	A29FDD.EXE
4084	A29FDD.EXE
568	A29FDD.EXE
2452	A29FDD.EXE
4260	A29FDD.EXE
2252	A29FDD.EXE
3596	A29FDD.EXE
4600	A29FDD.EXE
532	A29FDD.EXE
4840	A29FDD.EXE

Loads dropped DLL 64 IoCs

pid	Process
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
4260	A29FDD.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 12 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE
File opened for modification	\??\PhysicalDrive0	A29FDD.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\D5B797\	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File created	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\666585\	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E9804A\A29FDD.EXE	A29FDD.EXE
File opened for modification	C:\Windows\SysWOW64\E82AF8\	A29FDD.EXE

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A29FDD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 6 IoCs

pid	Process
2332	explorer.exe
4016	explorer.exe
2924	explorer.exe
1768	explorer.exe
1540	explorer.exe
4500	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
4320	A29FDD.EXE
2332	explorer.exe
2332	explorer.exe
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
4316	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
3964	A29FDD.EXE
4016	explorer.exe
4016	explorer.exe
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
4084	A29FDD.EXE
2924	explorer.exe
2924	explorer.exe
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
568	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
2452	A29FDD.EXE
1768	explorer.exe
1768	explorer.exe
4260	A29FDD.EXE
4260	A29FDD.EXE
4260	A29FDD.EXE
4260	A29FDD.EXE
4260	A29FDD.EXE
4260	A29FDD.EXE
1540	explorer.exe
1540	explorer.exe
2252	A29FDD.EXE
2252	A29FDD.EXE
2252	A29FDD.EXE
2252	A29FDD.EXE
2252	A29FDD.EXE
2252	A29FDD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 4912	1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	86
PID 1840 wrote to memory of 4912	1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	86
PID 1840 wrote to memory of 4912	1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	86
PID 1840 wrote to memory of 4320	1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	89
PID 1840 wrote to memory of 4320	1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	89
PID 1840 wrote to memory of 4320	1840	73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe	89
PID 4320 wrote to memory of 804	4320	A29FDD.EXE	90
PID 4320 wrote to memory of 804	4320	A29FDD.EXE	90
PID 4320 wrote to memory of 804	4320	A29FDD.EXE	90
PID 4320 wrote to memory of 4316	4320	A29FDD.EXE	91
PID 4320 wrote to memory of 4316	4320	A29FDD.EXE	91
PID 4320 wrote to memory of 4316	4320	A29FDD.EXE	91
PID 4316 wrote to memory of 3592	4316	A29FDD.EXE	93
PID 4316 wrote to memory of 3592	4316	A29FDD.EXE	93
PID 4316 wrote to memory of 3592	4316	A29FDD.EXE	93
PID 4316 wrote to memory of 3964	4316	A29FDD.EXE	95
PID 4316 wrote to memory of 3964	4316	A29FDD.EXE	95
PID 4316 wrote to memory of 3964	4316	A29FDD.EXE	95
PID 3964 wrote to memory of 1612	3964	A29FDD.EXE	122
PID 3964 wrote to memory of 1612	3964	A29FDD.EXE	122
PID 3964 wrote to memory of 1612	3964	A29FDD.EXE	122
PID 3964 wrote to memory of 4084	3964	A29FDD.EXE	129
PID 3964 wrote to memory of 4084	3964	A29FDD.EXE	129
PID 3964 wrote to memory of 4084	3964	A29FDD.EXE	129
PID 4084 wrote to memory of 4772	4084	A29FDD.EXE	99
PID 4084 wrote to memory of 4772	4084	A29FDD.EXE	99
PID 4084 wrote to memory of 4772	4084	A29FDD.EXE	99
PID 4084 wrote to memory of 568	4084	A29FDD.EXE	101
PID 4084 wrote to memory of 568	4084	A29FDD.EXE	101
PID 4084 wrote to memory of 568	4084	A29FDD.EXE	101
PID 568 wrote to memory of 1484	568	A29FDD.EXE	102
PID 568 wrote to memory of 1484	568	A29FDD.EXE	102
PID 568 wrote to memory of 1484	568	A29FDD.EXE	102
PID 568 wrote to memory of 2452	568	A29FDD.EXE	104
PID 568 wrote to memory of 2452	568	A29FDD.EXE	104
PID 568 wrote to memory of 2452	568	A29FDD.EXE	104
PID 2452 wrote to memory of 3732	2452	A29FDD.EXE	105
PID 2452 wrote to memory of 3732	2452	A29FDD.EXE	105
PID 2452 wrote to memory of 3732	2452	A29FDD.EXE	105
PID 2452 wrote to memory of 4260	2452	A29FDD.EXE	106
PID 2452 wrote to memory of 4260	2452	A29FDD.EXE	106
PID 2452 wrote to memory of 4260	2452	A29FDD.EXE	106
PID 4260 wrote to memory of 4276	4260	A29FDD.EXE	108
PID 4260 wrote to memory of 4276	4260	A29FDD.EXE	108
PID 4260 wrote to memory of 4276	4260	A29FDD.EXE	108
PID 4260 wrote to memory of 2252	4260	A29FDD.EXE	109
PID 4260 wrote to memory of 2252	4260	A29FDD.EXE	109
PID 4260 wrote to memory of 2252	4260	A29FDD.EXE	109
PID 2252 wrote to memory of 4924	2252	A29FDD.EXE	149
PID 2252 wrote to memory of 4924	2252	A29FDD.EXE	149
PID 2252 wrote to memory of 4924	2252	A29FDD.EXE	149
PID 2252 wrote to memory of 3596	2252	A29FDD.EXE	112
PID 2252 wrote to memory of 3596	2252	A29FDD.EXE	112
PID 2252 wrote to memory of 3596	2252	A29FDD.EXE	112
PID 3596 wrote to memory of 4816	3596	A29FDD.EXE	116
PID 3596 wrote to memory of 4816	3596	A29FDD.EXE	116
PID 3596 wrote to memory of 4816	3596	A29FDD.EXE	116
PID 3596 wrote to memory of 4600	3596	A29FDD.EXE	117
PID 3596 wrote to memory of 4600	3596	A29FDD.EXE	117
PID 3596 wrote to memory of 4600	3596	A29FDD.EXE	117
PID 4600 wrote to memory of 1140	4600	A29FDD.EXE	119
PID 4600 wrote to memory of 1140	4600	A29FDD.EXE	119
PID 4600 wrote to memory of 1140	4600	A29FDD.EXE	119
PID 4600 wrote to memory of 532	4600	A29FDD.EXE	120

C:\Users\Admin\AppData\Local\Temp\73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73e3898ded99d9f062cfb167d5b57635_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\73e3898ded99d9f062cfb167d5b57635_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4912
- C:\Windows\SysWOW64\E9804A\A29FDD.EXE
  C:\Windows\system32\E9804A\A29FDD.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\E9804A\A29FDD
    3⤵
    - System Location Discovery: System Language Discovery
    PID:804
- - C:\Windows\SysWOW64\E9804A\A29FDD.EXE
    C:\Windows\system32\E9804A\A29FDD.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\E9804A\A29FDD
      4⤵
      System Location Discovery: System Language Discovery
      PID:3592
  - - C:\Windows\SysWOW64\E9804A\A29FDD.EXE
      C:\Windows\system32\E9804A\A29FDD.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
    - - C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4084
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
      - C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        9⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        10⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        14⤵
        
        PID:32
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        14⤵
        
        PID:956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        15⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        15⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        16⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        16⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        17⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        17⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        18⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        18⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        19⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        19⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        20⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        20⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        21⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        21⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        22⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        22⤵
        
        PID:5236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        23⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        23⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        24⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        24⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        25⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        25⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        26⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        26⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        27⤵
        
        PID:6080
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        27⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        28⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        28⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        29⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        29⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        30⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        30⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        31⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        31⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        32⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        32⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        33⤵
        
        PID:5644
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        33⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        34⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        34⤵
        
        PID:348
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        35⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        35⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        36⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        36⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        37⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        37⤵
        
        PID:6428
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        38⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        38⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        39⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        39⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        40⤵
        
        PID:6932
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        40⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        41⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        41⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        42⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        42⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        43⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        43⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        44⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        44⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        45⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        45⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        46⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        46⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        47⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        47⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        48⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        48⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        49⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        49⤵
        
        PID:6964
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        50⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        50⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        51⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        51⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        52⤵
        
        PID:6676
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        52⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        53⤵
        
        PID:7260
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        53⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        54⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        54⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        55⤵
        
        PID:7564
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        55⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        56⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        56⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        57⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        57⤵
        
        PID:7892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        58⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        58⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        59⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        59⤵
        
        PID:7044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        60⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        60⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        61⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        61⤵
        
        PID:7660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        62⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        62⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        63⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        63⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        64⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        64⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        65⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        65⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        66⤵
        
        PID:7456
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        66⤵
        
        PID:7324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        67⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        67⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        68⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        68⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        69⤵
        
        PID:7772
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        69⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        70⤵
        
        PID:3768
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        70⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        71⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        71⤵
        
        PID:6408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        72⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        72⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        73⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        73⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        74⤵
        
        PID:8620
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        74⤵
        
        PID:8696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        75⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        75⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        76⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        76⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        77⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        77⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        78⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        78⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        79⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        79⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        80⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        80⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        81⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        81⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        82⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        82⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        83⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        83⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        84⤵
        
        PID:472
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        84⤵
        
        PID:640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        85⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        85⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        86⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        86⤵
        
        PID:6032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        87⤵
        
        PID:800
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        87⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        88⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        88⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        89⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        89⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        90⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        90⤵
        
        PID:9396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        91⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        91⤵
        
        PID:9588
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        92⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        92⤵
        
        PID:9860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        93⤵
        
        PID:9968
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        93⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        94⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        94⤵
        
        PID:10220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        95⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        95⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        96⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        96⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        97⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        97⤵
        
        PID:10080
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        98⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        98⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        99⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        99⤵
        
        PID:9400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        100⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        100⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        101⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        101⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        102⤵
        
        PID:9980
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        102⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        103⤵
        
        PID:4504
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        103⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        104⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        104⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        105⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        105⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        106⤵
        
        PID:10332
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        106⤵
        
        PID:10388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        107⤵
        
        PID:10512
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        107⤵
        
        PID:10564
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        108⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        108⤵
        
        PID:10708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        109⤵
        
        PID:10800
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        109⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        110⤵
        
        PID:10968
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        110⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        111⤵
        
        PID:11124
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        111⤵
        
        PID:11164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        112⤵
        
        PID:9936
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        112⤵
        
        PID:9352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        113⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        113⤵
        
        PID:7940
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        114⤵
        
        PID:10888
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        114⤵
        
        PID:10424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        115⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        115⤵
        
        PID:10728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        116⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        116⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        117⤵
        
        PID:180
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        117⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        118⤵
        
        PID:10988
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        118⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        119⤵
        
        PID:11132
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        119⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        120⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        120⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        121⤵
        
        PID:456
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        121⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        122⤵
        
        PID:876
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        122⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        123⤵
        
        PID:9720
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        123⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        124⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        124⤵
        
        PID:7056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        125⤵
        
        PID:11360
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        125⤵
        
        PID:11400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        126⤵
        
        PID:11488
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        126⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        127⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        127⤵
        
        PID:11692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        128⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        128⤵
        
        PID:11856
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        129⤵
        
        PID:11976
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        129⤵
        
        PID:12008
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        130⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        130⤵
        
        PID:12172
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        131⤵
        
        PID:12268
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        131⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        132⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        132⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        133⤵
        
        PID:11716
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        133⤵
        
        PID:11644
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        134⤵
        
        PID:12036
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        134⤵
        
        PID:11984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        135⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        135⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        136⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        136⤵
        
        PID:11160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        137⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        137⤵
        
        PID:11564
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        138⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        138⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\E9804A\A29FDD
        139⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\E9804A\A29FDD.EXE
        
        C:\Windows\system32\E9804A\A29FDD.EXE
        139⤵
        
        PID:11536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:1612

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3692

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5268

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6664

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8648

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2672

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1532

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1832

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7612

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9580

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6476

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7024

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10380

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10556

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11528

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11680

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10692

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
4090eea7ff62af1474cc25def4bf96de

SHA1
51e6e22386720c61633e85c732e56453e798042c

SHA256
296964311893988cf93fb8455734b52a6ccba806c8195cbd1a25ed0f08ff1089

SHA512
b3140fa67cc86c02c18e4eb5a23d3757d2bbd1149b3df0b6139164ca6b256fe9bf2687fbec89feaeee7c94e92067832a3a4d42092f1d7bd8b94944d0bab8609b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\RegEx.fnr

Filesize
212KB

MD5
28ffc842ee89ed477df08e3e20d42bac

SHA1
846b09702c04b846b9e8be0c117f583fc418d930

SHA256
e574b4e24b7e97d9c766661f4fcdf5f04af5e134ba8a4d1f237ad4654c7b6d52

SHA512
8d85765f9d8009037e682f3123e9d4f65ca8a798051b01d1eb4449bc896689b3399632a0c6ff2e8fd2ab148af518b202b194a231f63431c2348bbb94ff8b9063

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
b1b6c344460a50795b2e879933c25672

SHA1
141ab6f35cd2ccb774d2294dcacd620c08b86a3e

SHA256
d242dbcd34b10bb6f8ec19abf83c6b59ee7f4c749654b74892224a3fec419f0b

SHA512
4969a54e42644bb4bc96f536011c502efc769f7484ca29f45064a318e4578262dbc3fd52d9b9319e6fc9140457ee22724b5590f0459cecf44cbbf8d4cd9a8f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
bc0fa124c36332cebc56e3f7823946c8

SHA1
8c3afac4a00f1ee43323a98ea93fa438bf750e0c

SHA256
23b9224692f3e52e74f233fff77e4330449bb0b01bfbccc41703e268b311cefd

SHA512
59391c2d92ccdfd2cdedfaef2e7d58ada1ad2f05df448a5cdc871be5331db68cf9fc92d32c4ef4df44337d6ef5a0de514c58d8c797e5a256948e58977d79fce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
5e73aae0958c5d70a87f9be353bd9c05

SHA1
a9ddb8fd9f53c61b139e3e152d584feceba8bed3

SHA256
8863827bce01dd32c49aa69228f2510c499ee747334a343461e092972e22791a

SHA512
c0d2f3b9f8b12292ea449264cacf240b5fbcf22e00a2f6948d510c524d49c0808d2de7044f261aca780cfc0fa1d15ab0eed3a2713e7f1748ffd4bc12ffb48b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
d930345881169556267b3cd8fcabec9a

SHA1
ff39ec537782fb325d550cb1d43a13d9b5bd1e2f

SHA256
8e0acd1eca636cbf44059ed97697b4756b832ec89f676bb71de53f56c7045d48

SHA512
0771834beab9ab43cb49d9b30a775d78936f68dc90f92ef9afdff37e732f38eae5af1d844c7c459924168f2c9cef1244ab5a2c32eee7b5555f7790312e9b5095

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
f4c291989b183ee5b94592fbfdeaecf8

SHA1
986701d3f885e14b0c5f4544f3ec1e6db341e1e1

SHA256
0a211f4ef38ca8c5bf5b1f7073e36b11c5f5a68287c8cfece5413381ba24fe28

SHA512
cd33eb482f7ee21a6bcc4a83bbe6b73d86ba636493627540b0ece73e5842603b47d8b2a0d386b4731496551243217c6dbbcaf4dd9a60a8cad50fc20813f396f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
aacd07acb523e773f9ab8f94dd6fba03

SHA1
fe7446c31cb83618a69c6e932fb4181390045db2

SHA256
98f4bd493409a798d8b970c91fe20701d186ec0e2ec9a010188ab4cf74cc3b77

SHA512
ada8510e5f9702daf0507fae3c91c27eeeb1ae1cf5d00807e0baee713a55b27e289e07daf52a4108452929a1421636a788bebd60273e075a88b6736b2c39c905

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
a6e193d30034c0bf9de1d896c2bd5463

SHA1
d71ff0f76e164701e078b9d1883feb3d8fd0b2ce

SHA256
8021ee99c11d3e75d02b7b49d2a22a0b0284e3ffc7a4a0ce9eef711168e96c9e

SHA512
75e13717c31fb10399ea5b6bee2a8e5e0f7a413064f7ebb3019539cd2b8f88f70da2c2e58b1f6323199578795c12488c0110f171892918a2dba8db63528a1be2

Download Submit
C:\Windows\SysWOW64\E9804A\A29FDD.EXE

Filesize
1.4MB

MD5
73e3898ded99d9f062cfb167d5b57635

SHA1
0b2aa86bccbed7a61a066f48c259433b6af25c1a

SHA256
ff647e3d6a50d31f4a526cdef1af0f7b428716e1e57597ac27ef374580c63925

SHA512
0f7d58c3d1fea43659a6f4ce93150e0d5f1199d9f9465100e099aeb578f7311469e3db4f08c0d3e281d6ffc298bf0945a5cf422430c2e762d8437664762e75cb

Download Submit
memory/532-213-0x0000000002140000-0x0000000002178000-memory.dmp

Filesize
224KB

Download
memory/532-215-0x0000000002400000-0x0000000002411000-memory.dmp

Filesize
68KB

Download
memory/532-214-0x00000000026B0000-0x00000000026E6000-memory.dmp

Filesize
216KB

Download
memory/532-209-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/532-210-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/532-216-0x00000000026F0000-0x000000000270E000-memory.dmp

Filesize
120KB

Download
memory/568-176-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/568-142-0x0000000002E50000-0x0000000002E6E000-memory.dmp

Filesize
120KB

Download
memory/568-140-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/568-139-0x0000000002270000-0x00000000022A8000-memory.dmp

Filesize
224KB

Download
memory/568-141-0x00000000022D0000-0x00000000022E1000-memory.dmp

Filesize
68KB

Download
memory/568-177-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/956-233-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/956-234-0x0000000002410000-0x0000000002448000-memory.dmp

Filesize
224KB

Download
memory/956-237-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download
memory/956-232-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1840-11-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1840-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1840-19-0x0000000002240000-0x0000000002278000-memory.dmp

Filesize
224KB

Download
memory/1840-37-0x0000000002A30000-0x0000000002A4E000-memory.dmp

Filesize
120KB

Download
memory/1840-36-0x0000000002A10000-0x0000000002A21000-memory.dmp

Filesize
68KB

Download
memory/1840-127-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1840-126-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1840-35-0x00000000029D0000-0x0000000002A06000-memory.dmp

Filesize
216KB

Download
memory/2252-212-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2252-178-0x0000000002E70000-0x0000000002EA6000-memory.dmp

Filesize
216KB

Download
memory/2252-180-0x00000000025A0000-0x00000000025BE000-memory.dmp

Filesize
120KB

Download
memory/2252-211-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2252-174-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2252-179-0x0000000002440000-0x0000000002451000-memory.dmp

Filesize
68KB

Download
memory/2252-175-0x00000000022B0000-0x00000000022E8000-memory.dmp

Filesize
224KB

Download
memory/2452-187-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2452-155-0x0000000002E70000-0x0000000002E8E000-memory.dmp

Filesize
120KB

Download
memory/2452-153-0x00000000027B0000-0x00000000027E6000-memory.dmp

Filesize
216KB

Download
memory/2452-188-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2452-150-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2452-149-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2452-152-0x00000000020B0000-0x00000000020E8000-memory.dmp

Filesize
224KB

Download
memory/2452-151-0x00000000020B0000-0x00000000020E8000-memory.dmp

Filesize
224KB

Download
memory/2452-154-0x0000000002E50000-0x0000000002E61000-memory.dmp

Filesize
68KB

Download
memory/3596-182-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3596-186-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3596-192-0x00000000025F0000-0x000000000260E000-memory.dmp

Filesize
120KB

Download
memory/3596-191-0x00000000025C0000-0x00000000025D1000-memory.dmp

Filesize
68KB

Download
memory/3596-190-0x0000000002580000-0x00000000025B6000-memory.dmp

Filesize
216KB

Download
memory/3596-189-0x0000000002210000-0x0000000002248000-memory.dmp

Filesize
224KB

Download
memory/3596-224-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3596-223-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3964-157-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3964-102-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3964-112-0x0000000002480000-0x00000000024B6000-memory.dmp

Filesize
216KB

Download
memory/3964-113-0x00000000024C0000-0x00000000024D1000-memory.dmp

Filesize
68KB

Download
memory/3964-114-0x00000000024E0000-0x00000000024FE000-memory.dmp

Filesize
120KB

Download
memory/3964-105-0x0000000002260000-0x0000000002298000-memory.dmp

Filesize
224KB

Download
memory/3964-100-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3964-156-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4084-131-0x00000000023D0000-0x00000000023E1000-memory.dmp

Filesize
68KB

Download
memory/4084-132-0x0000000002550000-0x000000000256E000-memory.dmp

Filesize
120KB

Download
memory/4084-168-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4084-169-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4084-130-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download
memory/4084-125-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4084-129-0x0000000002130000-0x0000000002168000-memory.dmp

Filesize
224KB

Download
memory/4260-163-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4260-203-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4260-167-0x0000000002E50000-0x0000000002E6E000-memory.dmp

Filesize
120KB

Download
memory/4260-164-0x0000000002420000-0x0000000002458000-memory.dmp

Filesize
224KB

Download
memory/4260-166-0x00000000026F0000-0x0000000002701000-memory.dmp

Filesize
68KB

Download
memory/4260-162-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4260-165-0x00000000028C0000-0x00000000028F6000-memory.dmp

Filesize
216KB

Download
memory/4260-204-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4316-89-0x00000000022C0000-0x00000000022D1000-memory.dmp

Filesize
68KB

Download
memory/4316-144-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4316-81-0x0000000000780000-0x00000000007B8000-memory.dmp

Filesize
224KB

Download
memory/4316-90-0x0000000002510000-0x000000000252E000-memory.dmp

Filesize
120KB

Download
memory/4316-143-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4316-88-0x00000000024D0000-0x0000000002506000-memory.dmp

Filesize
216KB

Download
memory/4320-65-0x0000000002250000-0x0000000002288000-memory.dmp

Filesize
224KB

Download
memory/4320-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4320-134-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4320-68-0x00000000024F0000-0x000000000250E000-memory.dmp

Filesize
120KB

Download
memory/4320-67-0x00000000024D0000-0x00000000024E1000-memory.dmp

Filesize
68KB

Download
memory/4320-66-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/4600-200-0x0000000002E10000-0x0000000002E46000-memory.dmp

Filesize
216KB

Download
memory/4600-202-0x0000000002E50000-0x0000000002E6E000-memory.dmp

Filesize
120KB

Download
memory/4600-201-0x0000000002650000-0x0000000002661000-memory.dmp

Filesize
68KB

Download
memory/4600-199-0x00000000022B0000-0x00000000022E8000-memory.dmp

Filesize
224KB

Download
memory/4600-197-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4600-236-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4600-235-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4600-198-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4840-222-0x0000000002570000-0x00000000025A8000-memory.dmp

Filesize
224KB

Download
memory/4840-221-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4840-225-0x00000000028A0000-0x00000000028D6000-memory.dmp

Filesize
216KB

Download
memory/4840-227-0x0000000002A20000-0x0000000002A3E000-memory.dmp

Filesize
120KB

Download
memory/4840-226-0x00000000028E0000-0x00000000028F1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads