a6acda54c2268a3fda4d7afafab5a7e600846f856b582ed224230f983d266eea

Analysis

max time kernel
10s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 01:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
Size

1.4MB
MD5

c20ba488f338182af6591ae4b92280b6
SHA1

6389d14ddc02284bd1eb128cce788b72060f2f91
SHA256

a6acda54c2268a3fda4d7afafab5a7e600846f856b582ed224230f983d266eea
SHA512

c8b817936055ec8128f2f4567220d8dd1af9790a49ebbb518e57328b7325433cb21b04c8206698ea2dd0ab890b2fe4dc6840c8acae680df23bb3874a625b9869
SSDEEP

24576:t8UpE7WjSq7WjS70bISMFSRx+SILin5QxhNQ7lck+MHPY9LXfmsXpV2jr1VT7g+l:tH+WjS6WjS7KdvIW5Qxk+xJXxWjr1xnl

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
4700	DECB07.EXE
4864	DECB07.EXE
5068	DECB07.EXE
4456	DECB07.EXE
3984	DECB07.EXE
2480	DECB07.EXE
1564	DECB07.EXE
4820	DECB07.EXE
4540	DECB07.EXE
4060	DECB07.EXE
3972	DECB07.EXE
3020	DECB07.EXE
8	DECB07.EXE
5100	DECB07.EXE
3672	DECB07.EXE
1072	DECB07.EXE
3368	DECB07.EXE

Loads dropped DLL 64 IoCs

pid	Process
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
4700	DECB07.EXE
4700	DECB07.EXE
4700	DECB07.EXE
4700	DECB07.EXE
4700	DECB07.EXE
4700	DECB07.EXE
4700	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
4820	DECB07.EXE
4820	DECB07.EXE
4820	DECB07.EXE
4820	DECB07.EXE
4820	DECB07.EXE
4820	DECB07.EXE
4820	DECB07.EXE
4540	DECB07.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 17 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\06794E\	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE

System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe

Suspicious behavior: AddClipboardFormatListener 10 IoCs

pid	Process
3312	explorer.exe
2720	explorer.exe
1560	explorer.exe
4148	explorer.exe
1112	explorer.exe
2348	explorer.exe
4288	explorer.exe
4312	explorer.exe
1340	explorer.exe
2900	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
4700	DECB07.EXE
4700	DECB07.EXE
4700	DECB07.EXE
4700	DECB07.EXE
4700	DECB07.EXE
4700	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
4864	DECB07.EXE
3312	explorer.exe
3312	explorer.exe
5068	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
5068	DECB07.EXE
2720	explorer.exe
2720	explorer.exe
4456	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
4456	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
3984	DECB07.EXE
1560	explorer.exe
1560	explorer.exe
4148	explorer.exe
4148	explorer.exe
2480	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
2480	DECB07.EXE
1112	explorer.exe
1112	explorer.exe
1564	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
1564	DECB07.EXE
2348	explorer.exe
2348	explorer.exe
4820	DECB07.EXE
4820	DECB07.EXE
4820	DECB07.EXE
4820	DECB07.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3288 wrote to memory of 3352	3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe	84
PID 3288 wrote to memory of 3352	3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe	84
PID 3288 wrote to memory of 3352	3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe	84
PID 3288 wrote to memory of 4700	3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe	86
PID 3288 wrote to memory of 4700	3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe	86
PID 3288 wrote to memory of 4700	3288	c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe	86
PID 4700 wrote to memory of 3092	4700	DECB07.EXE	87
PID 4700 wrote to memory of 3092	4700	DECB07.EXE	87
PID 4700 wrote to memory of 3092	4700	DECB07.EXE	87
PID 4700 wrote to memory of 4864	4700	DECB07.EXE	88
PID 4700 wrote to memory of 4864	4700	DECB07.EXE	88
PID 4700 wrote to memory of 4864	4700	DECB07.EXE	88
PID 4864 wrote to memory of 3844	4864	DECB07.EXE	90
PID 4864 wrote to memory of 3844	4864	DECB07.EXE	90
PID 4864 wrote to memory of 3844	4864	DECB07.EXE	90
PID 4864 wrote to memory of 5068	4864	DECB07.EXE	124
PID 4864 wrote to memory of 5068	4864	DECB07.EXE	124
PID 4864 wrote to memory of 5068	4864	DECB07.EXE	124
PID 5068 wrote to memory of 4184	5068	DECB07.EXE	288
PID 5068 wrote to memory of 4184	5068	DECB07.EXE	288
PID 5068 wrote to memory of 4184	5068	DECB07.EXE	288
PID 5068 wrote to memory of 4456	5068	DECB07.EXE	125
PID 5068 wrote to memory of 4456	5068	DECB07.EXE	125
PID 5068 wrote to memory of 4456	5068	DECB07.EXE	125
PID 4456 wrote to memory of 3152	4456	DECB07.EXE	97
PID 4456 wrote to memory of 3152	4456	DECB07.EXE	97
PID 4456 wrote to memory of 3152	4456	DECB07.EXE	97
PID 4456 wrote to memory of 3984	4456	DECB07.EXE	98
PID 4456 wrote to memory of 3984	4456	DECB07.EXE	98
PID 4456 wrote to memory of 3984	4456	DECB07.EXE	98
PID 3984 wrote to memory of 4020	3984	DECB07.EXE	100
PID 3984 wrote to memory of 4020	3984	DECB07.EXE	100
PID 3984 wrote to memory of 4020	3984	DECB07.EXE	100
PID 3984 wrote to memory of 2480	3984	DECB07.EXE	101
PID 3984 wrote to memory of 2480	3984	DECB07.EXE	101
PID 3984 wrote to memory of 2480	3984	DECB07.EXE	101
PID 2480 wrote to memory of 5100	2480	DECB07.EXE	126
PID 2480 wrote to memory of 5100	2480	DECB07.EXE	126
PID 2480 wrote to memory of 5100	2480	DECB07.EXE	126
PID 2480 wrote to memory of 1564	2480	DECB07.EXE	104
PID 2480 wrote to memory of 1564	2480	DECB07.EXE	104
PID 2480 wrote to memory of 1564	2480	DECB07.EXE	104
PID 1564 wrote to memory of 4520	1564	DECB07.EXE	106
PID 1564 wrote to memory of 4520	1564	DECB07.EXE	106
PID 1564 wrote to memory of 4520	1564	DECB07.EXE	106
PID 1564 wrote to memory of 4820	1564	DECB07.EXE	147
PID 1564 wrote to memory of 4820	1564	DECB07.EXE	147
PID 1564 wrote to memory of 4820	1564	DECB07.EXE	147
PID 4820 wrote to memory of 5024	4820	DECB07.EXE	110
PID 4820 wrote to memory of 5024	4820	DECB07.EXE	110
PID 4820 wrote to memory of 5024	4820	DECB07.EXE	110
PID 4820 wrote to memory of 4540	4820	DECB07.EXE	111
PID 4820 wrote to memory of 4540	4820	DECB07.EXE	111
PID 4820 wrote to memory of 4540	4820	DECB07.EXE	111
PID 4540 wrote to memory of 1368	4540	DECB07.EXE	113
PID 4540 wrote to memory of 1368	4540	DECB07.EXE	113
PID 4540 wrote to memory of 1368	4540	DECB07.EXE	113
PID 4540 wrote to memory of 4060	4540	DECB07.EXE	114
PID 4540 wrote to memory of 4060	4540	DECB07.EXE	114
PID 4540 wrote to memory of 4060	4540	DECB07.EXE	114
PID 4060 wrote to memory of 2464	4060	DECB07.EXE	116
PID 4060 wrote to memory of 2464	4060	DECB07.EXE	116
PID 4060 wrote to memory of 2464	4060	DECB07.EXE	116
PID 4060 wrote to memory of 3972	4060	DECB07.EXE	141

C:\Users\Admin\AppData\Local\Temp\c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c20ba488f338182af6591ae4b92280b6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\c20ba488f338182af6591ae4b92280b6_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3352
- C:\Windows\SysWOW64\B526A5\DECB07.EXE
  C:\Windows\system32\B526A5\DECB07.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4700
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B526A5\DECB07
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3092
- - C:\Windows\SysWOW64\B526A5\DECB07.EXE
    C:\Windows\system32\B526A5\DECB07.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4864
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B526A5\DECB07
      4⤵
      System Location Discovery: System Language Discovery
      PID:3844
  - - C:\Windows\SysWOW64\B526A5\DECB07.EXE
      C:\Windows\system32\B526A5\DECB07.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4184
    - - C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
      - C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4520
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:8
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:552
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        19⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        19⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        20⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        20⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        21⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        21⤵
        
        PID:836
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        22⤵
        
        PID:744
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        22⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        23⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        23⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        24⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        24⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        25⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        25⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        26⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        26⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        27⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        27⤵
        
        PID:5788
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        28⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        28⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        29⤵
        
        PID:6132
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        29⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        30⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        30⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        31⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        31⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        32⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        32⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        33⤵
        
        PID:5628
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        33⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        34⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        34⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        35⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        35⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        36⤵
        
        PID:6208
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        36⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        37⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        37⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        38⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        38⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        39⤵
        
        PID:6748
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        39⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        40⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        40⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        41⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        41⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        42⤵
        
        PID:6516
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        42⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        43⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        43⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        44⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        44⤵
        
        PID:6544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        45⤵
        
        PID:7016
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        45⤵
        
        PID:6284
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        46⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        46⤵
        
        PID:6776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        47⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        47⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        48⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        48⤵
        
        PID:6620
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        49⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        49⤵
        
        PID:7180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        50⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        50⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        51⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        51⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        52⤵
        
        PID:7652
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        52⤵
        
        PID:7688
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        53⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        53⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        54⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        54⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        55⤵
        
        PID:8128
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        55⤵
        
        PID:8160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        56⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        56⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        57⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        57⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        58⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        58⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        59⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        59⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        60⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        60⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        61⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        61⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        62⤵
        
        PID:7964
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        62⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        63⤵
        
        PID:8068
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        63⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        64⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        64⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        65⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        65⤵
        
        PID:8020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        66⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        66⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        67⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        67⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        68⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        68⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        69⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        69⤵
        
        PID:8588
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        70⤵
        
        PID:8668
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        70⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        71⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        71⤵
        
        PID:8896
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        72⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        72⤵
        
        PID:9044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        73⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        73⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        74⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        74⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        75⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        75⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        76⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        76⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        77⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        77⤵
        
        PID:8608
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        78⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        78⤵
        
        PID:8436
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        79⤵
        
        PID:5508
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        79⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        80⤵
        
        PID:9196
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        80⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        81⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        81⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        82⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        82⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        83⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        83⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        84⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        84⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        85⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        85⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        86⤵
        
        PID:9324
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        86⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        87⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        87⤵
        
        PID:9516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        88⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        88⤵
        
        PID:9696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        89⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        89⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        90⤵
        
        PID:9992
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        90⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        91⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        91⤵
        
        PID:10208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        92⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        92⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        93⤵
        
        PID:9580
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        93⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        94⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        94⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        95⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        95⤵
        
        PID:9884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        96⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        96⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        97⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        97⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        98⤵
        
        PID:10132
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        98⤵
        
        PID:10212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        99⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        99⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        100⤵
        
        PID:9620
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        100⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        101⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        101⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        102⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        102⤵
        
        PID:9892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        103⤵
        
        PID:9304
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        103⤵
        
        PID:10196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        104⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        104⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        105⤵
        
        PID:10340
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        105⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        106⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        106⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        107⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        107⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        108⤵
        
        PID:11040
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        108⤵
        
        PID:11112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        109⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        109⤵
        
        PID:8364
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        110⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        110⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        111⤵
        
        PID:8844
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        111⤵
        
        PID:10720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        112⤵
        
        PID:10704
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        112⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        113⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        113⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        114⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        114⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        115⤵
        
        PID:6832
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        115⤵
        
        PID:11152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        116⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        116⤵
        
        PID:10608
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        117⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        117⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        118⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        118⤵
        
        PID:10920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        119⤵
        
        PID:10756
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        119⤵
        
        PID:11300
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        120⤵
        
        PID:11420
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        120⤵
        
        PID:11448
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        121⤵
        
        PID:11584
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        121⤵
        
        PID:11640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        122⤵
        
        PID:11760
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        122⤵
        
        PID:11828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        123⤵
        
        PID:11968
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        123⤵
        
        PID:12028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        124⤵
        
        PID:12136
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        124⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        125⤵
        
        PID:10744
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        125⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        126⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        126⤵
        
        PID:11976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        127⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        127⤵
        
        PID:11616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        128⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        128⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        129⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        129⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        130⤵
        
        PID:9836
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        130⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        131⤵
        
        PID:12128
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        131⤵
        
        PID:12176
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        132⤵
        
        PID:12372
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        132⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        133⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        133⤵
        
        PID:12604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        134⤵
        
        PID:12700
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        134⤵
        
        PID:12736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        135⤵
        
        PID:12924
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        135⤵
        
        PID:13020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        136⤵
        
        PID:13136
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        136⤵
        
        PID:13208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        137⤵
        
        PID:12308
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        137⤵
        
        PID:12032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        138⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        138⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        139⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        139⤵
        
        PID:12820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        140⤵
        
        PID:12880
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        140⤵
        
        PID:12544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        141⤵
        
        PID:12716
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        141⤵
        
        PID:12952
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        142⤵
        
        PID:12752
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        142⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        143⤵
        
        PID:13244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2672

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4820

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4692

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5384

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5272

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5344

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6268

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6664

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5764

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6284

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1608

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:5076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8260

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8452

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9528

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9668

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6024

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12192

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11792

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12420

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:13036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:13236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12412

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:860

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6808

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:6940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
16066e46282086a3ea5d4e26f1d9d8e7

SHA1
1aca58665615eb513c76c2c6698b477eb80446bd

SHA256
0713c8dee0e33d3f49b9eb34e088091b1ac50c92e23b3ea247c3be5edba5d799

SHA512
f8ba11ab86f6fa14a49b0c84781903af5e5b1e914238b6161fca2d23ddacf524f4d223a181d131ecb9ba7d0cafa0e6a2d3dc0b7ab57a5eb64ec7a0c3e9890a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
02f701fadeb5f9abbb15a5034cecd597

SHA1
865fed5c3824aad688fed567d35e2e6d1748e39b

SHA256
ca1ec9c32fc57fa5154f9a8a4f9e9817f035a52bc6f9dcb1c5b798ef52b2550d

SHA512
d8f2d3ed818ce6542bd0566eda2f49bb74885af5d602e49bee170609d602bf0e1ca579e53091206addf06241e540128a5e4f87e3a700cbf03f6ae465aba5755f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
e5aca770deee371d2fd03906f88c96a5

SHA1
b337eaa52062a4c3f29bfac4ea76c6bb2baf3b62

SHA256
be226d635a61091bd5a406511486b1321cb87d40717b9a24e843da831a566b17

SHA512
c6150b1882217581967fe8b9140b46818c28910a6aa211169e0767a68f73d3983c9411066b691654e98f278f18df2d4e7d97a0de3bd9c50430461ffe340104c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
1ff72730125472c77a431f99c6abadcf

SHA1
b9b11e1156798f51fd5d2c229cd853dded9b04a1

SHA256
ff525534a36c4a206ea5e62a96762590b7693edd561d4d3e05deba114571a3d1

SHA512
99ed124c7e149f819fc652028bd098f9ae52d345920d7d8a549d572b92cccd868fcd3ffc50e3d44a3b4e2608df9510e9901dc1342624281b8e3b9dab1065379e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
4f35365e06ee82f1a112e7bde7796b24

SHA1
037dfb9b4630836f075e1ef6272c26e1e1f949e2

SHA256
c1d97faf2cdd4faf0d5c2ebd485b9778ec6eb35ef84fd40947a19516b5272396

SHA512
af2a6c2552d15807e7f215e71f428f54b43ad06ddcff9fafd24f637bfaa9220083433b80a4cfb8268457cd9a464aeaf5daa458fec96bf0baa2d16b601c21bbb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
9ef04777ff361461bd2f382a71debfa7

SHA1
b7ed0dad797c51bac9ce4431afb446eb1f7a23a0

SHA256
493455ea3db00730f807475f1a7b7c2973d19b942a5c3b33edc01c1268ea55a6

SHA512
6b18408e61281fe32564960ac845349dafa2e0392d44477b8597d8d141b8060c8b779b680fcebd5c4f53ecd1bd3faf0c2516eaeab5b50709c35b639f799a86e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
c336efd9885bf385478ffca714b05535

SHA1
c9deb1f6d6f2c8a93c5e2b2717c59da4916bde5e

SHA256
a6e1b01bb97487ec5ae8e72f482637ece992b63cb8b5c10ecb72d5b664999e8d

SHA512
3304e16879c4c428c8fa0a590f6fbe40b4d724fd376d1933fece02701f67b45b658867471991eee3e8ef26da45d85fed926b7dd7bc4e8f3588a60bb50bc8d1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
783c288fea538da7a561ea6ff40e4371

SHA1
dc2eac5d38a1b20118795ea30baa7da6546b7ad8

SHA256
396ead09cc31ca8b5a22262d57848e0629bc6bfb4457ea3fa30b0799568e08f4

SHA512
3e01805e33106998512c3b28a3b9b06fd8fbf5cf41d7207493201ae8039f6953d60d2c7b63dfe2444722e5c9814e5888302619e3f1b73b83920c5e334aeed6fe

Download Submit
C:\Windows\SysWOW64\B526A5\DECB07.EXE

Filesize
1.4MB

MD5
c20ba488f338182af6591ae4b92280b6

SHA1
6389d14ddc02284bd1eb128cce788b72060f2f91

SHA256
a6acda54c2268a3fda4d7afafab5a7e600846f856b582ed224230f983d266eea

SHA512
c8b817936055ec8128f2f4567220d8dd1af9790a49ebbb518e57328b7325433cb21b04c8206698ea2dd0ab890b2fe4dc6840c8acae680df23bb3874a625b9869

Download Submit
memory/8-223-0x00000000024A0000-0x00000000024BE000-memory.dmp

Filesize
120KB

Download
memory/8-222-0x0000000002230000-0x0000000002241000-memory.dmp

Filesize
68KB

Download
memory/8-219-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/8-221-0x0000000002110000-0x0000000002148000-memory.dmp

Filesize
224KB

Download
memory/8-220-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1340-1153-0x00007FF848F10000-0x00007FF849105000-memory.dmp

Filesize
2.0MB

Download
memory/1564-163-0x00000000026E0000-0x00000000026FE000-memory.dmp

Filesize
120KB

Download
memory/1564-190-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1564-191-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1564-161-0x00000000021B0000-0x00000000021E8000-memory.dmp

Filesize
224KB

Download
memory/1564-154-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1564-162-0x00000000026C0000-0x00000000026D1000-memory.dmp

Filesize
68KB

Download
memory/2480-153-0x00000000026F0000-0x000000000270E000-memory.dmp

Filesize
120KB

Download
memory/2480-183-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2480-184-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2480-148-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2480-152-0x0000000002550000-0x0000000002561000-memory.dmp

Filesize
68KB

Download
memory/2480-149-0x0000000002290000-0x00000000022C8000-memory.dmp

Filesize
224KB

Download
memory/3020-209-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3020-212-0x0000000002120000-0x0000000002158000-memory.dmp

Filesize
224KB

Download
memory/3020-213-0x00000000024D0000-0x00000000024E1000-memory.dmp

Filesize
68KB

Download
memory/3020-210-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3020-214-0x00000000024F0000-0x000000000250E000-memory.dmp

Filesize
120KB

Download
memory/3288-18-0x0000000002500000-0x0000000002538000-memory.dmp

Filesize
224KB

Download
memory/3288-115-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3288-116-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3288-10-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3288-19-0x0000000002500000-0x0000000002538000-memory.dmp

Filesize
224KB

Download
memory/3288-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3288-25-0x00000000027B0000-0x00000000027C1000-memory.dmp

Filesize
68KB

Download
memory/3288-31-0x00000000027D0000-0x00000000027EE000-memory.dmp

Filesize
120KB

Download
memory/3288-32-0x00000000027D0000-0x00000000027EE000-memory.dmp

Filesize
120KB

Download
memory/3672-241-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3972-236-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3972-203-0x0000000002140000-0x0000000002151000-memory.dmp

Filesize
68KB

Download
memory/3972-200-0x00000000020B0000-0x00000000020E8000-memory.dmp

Filesize
224KB

Download
memory/3972-199-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3972-198-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3972-204-0x00000000022B0000-0x00000000022CE000-memory.dmp

Filesize
120KB

Download
memory/3972-235-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-172-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3984-141-0x00000000028E0000-0x00000000028FE000-memory.dmp

Filesize
120KB

Download
memory/3984-138-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3984-140-0x00000000028A0000-0x00000000028B1000-memory.dmp

Filesize
68KB

Download
memory/3984-173-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3984-139-0x00000000022B0000-0x00000000022E8000-memory.dmp

Filesize
224KB

Download
memory/3984-130-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4060-189-0x0000000002290000-0x00000000022C8000-memory.dmp

Filesize
224KB

Download
memory/4060-192-0x00000000023C0000-0x00000000023D1000-memory.dmp

Filesize
68KB

Download
memory/4060-193-0x0000000002520000-0x000000000253E000-memory.dmp

Filesize
120KB

Download
memory/4060-225-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4060-224-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-160-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-126-0x00000000023C0000-0x00000000023DE000-memory.dmp

Filesize
120KB

Download
memory/4456-114-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4456-159-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4456-113-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4456-120-0x0000000002150000-0x0000000002188000-memory.dmp

Filesize
224KB

Download
memory/4456-119-0x0000000002150000-0x0000000002188000-memory.dmp

Filesize
224KB

Download
memory/4456-125-0x0000000002380000-0x0000000002391000-memory.dmp

Filesize
68KB

Download
memory/4540-179-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4540-182-0x0000000002470000-0x000000000248E000-memory.dmp

Filesize
120KB

Download
memory/4540-181-0x0000000002440000-0x0000000002451000-memory.dmp

Filesize
68KB

Download
memory/4540-180-0x0000000000600000-0x0000000000638000-memory.dmp

Filesize
224KB

Download
memory/4540-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4540-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4700-56-0x0000000002420000-0x0000000002431000-memory.dmp

Filesize
68KB

Download
memory/4700-60-0x0000000002440000-0x000000000245E000-memory.dmp

Filesize
120KB

Download
memory/4700-52-0x0000000002090000-0x00000000020C8000-memory.dmp

Filesize
224KB

Download
memory/4700-128-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4700-127-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4700-40-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4820-202-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4820-201-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4820-171-0x00000000026C0000-0x00000000026DE000-memory.dmp

Filesize
120KB

Download
memory/4820-170-0x0000000002360000-0x0000000002371000-memory.dmp

Filesize
68KB

Download
memory/4820-169-0x0000000002230000-0x0000000002268000-memory.dmp

Filesize
224KB

Download
memory/4820-168-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4864-62-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4864-72-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4864-142-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/4864-143-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/4864-75-0x0000000000670000-0x00000000006A8000-memory.dmp

Filesize
224KB

Download
memory/4864-81-0x00000000022B0000-0x00000000022CE000-memory.dmp

Filesize
120KB

Download
memory/4864-80-0x0000000002200000-0x0000000002211000-memory.dmp

Filesize
68KB

Download
memory/5068-93-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/5068-102-0x00000000024D0000-0x00000000024EE000-memory.dmp

Filesize
120KB

Download
memory/5068-96-0x0000000002140000-0x0000000002178000-memory.dmp

Filesize
224KB

Download
memory/5068-150-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/5068-151-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/5068-101-0x0000000002370000-0x0000000002381000-memory.dmp

Filesize
68KB

Download
memory/5100-231-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/5100-234-0x0000000002770000-0x000000000278E000-memory.dmp

Filesize
120KB

Download
memory/5100-233-0x0000000002390000-0x00000000023A1000-memory.dmp

Filesize
68KB

Download
memory/5100-232-0x0000000002060000-0x0000000002098000-memory.dmp

Filesize
224KB

Download
memory/5100-226-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/6884-1142-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/12544-1140-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads