dd27b1faf788dd21cf40a32f2b2d4b0ee82468683afdad5614c4237da7e901fb

Analysis

max time kernel
55s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe
Size

75KB
MD5

ee28239c6265e09d12593d3ba41c615b
SHA1

5bfbca1bf36cdc27667eeb019dc242b2c31783ce
SHA256

dd27b1faf788dd21cf40a32f2b2d4b0ee82468683afdad5614c4237da7e901fb
SHA512

a870f4d098b6a03e08f3a80dbcda542d534c05cd00127c71ffaa31846534fb169245ac6b03bea78a8e2e657c8af05d67cd116e6d840783deab68defcb222c7b8
SSDEEP

1536:cRqYWQObkupSdfUqlvmQeCSwQvCqZZ9QQrAQxILcd:eWfbdSdoESwQXfp0Qx

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 64 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winfile.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winfile.exe

Executes dropped EXE 64 IoCs

pid	Process
2644	winfile.exe
2672	winfile.exe
2508	winfile.exe
1664	winfile.exe
2908	winfile.exe
1420	winfile.exe
2580	winfile.exe
668	winfile.exe
2248	winfile.exe
2924	winfile.exe
1180	winfile.exe
1408	winfile.exe
588	winfile.exe
1704	winfile.exe
2124	winfile.exe
1044	winfile.exe
2012	winfile.exe
2516	winfile.exe
2512	winfile.exe
3036	winfile.exe
2784	winfile.exe
860	winfile.exe
1968	winfile.exe
2572	winfile.exe
1136	winfile.exe
1208	winfile.exe
1180	winfile.exe
1792	winfile.exe
2596	winfile.exe
2732	winfile.exe
2728	winfile.exe
2648	winfile.exe
2964	winfile.exe
2516	winfile.exe
1564	winfile.exe
2044	winfile.exe
1208	winfile.exe
2464	winfile.exe
1180	winfile.exe
1776	winfile.exe
2404	winfile.exe
1704	winfile.exe
468	winfile.exe
2980	winfile.exe
1180	winfile.exe
1564	winfile.exe
916	winfile.exe
3092	winfile.exe
3168	winfile.exe
3324	winfile.exe
3336	winfile.exe
3480	winfile.exe
3552	winfile.exe
3636	winfile.exe
3644	winfile.exe
3688	winfile.exe
3760	winfile.exe
3768	winfile.exe
3956	winfile.exe
3968	winfile.exe
4088	winfile.exe
912	winfile.exe
3396	winfile.exe
2464	winfile.exe

Loads dropped DLL 64 IoCs

pid	Process
2732	ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe
2732	ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe
2880	notepad.exe
2880	notepad.exe
2656	notepad.exe
2656	notepad.exe
2960	notepad.exe
2960	notepad.exe
2468	notepad.exe
2468	notepad.exe
2828	notepad.exe
2828	notepad.exe
2804	notepad.exe
2804	notepad.exe
2168	notepad.exe
2168	notepad.exe
1748	notepad.exe
1748	notepad.exe
2928	notepad.exe
2928	notepad.exe
1188	notepad.exe
1188	notepad.exe
2684	notepad.exe
2684	notepad.exe
1976	notepad.exe
1976	notepad.exe
2352	notepad.exe
2352	notepad.exe
2308	notepad.exe
2880	notepad.exe
2308	notepad.exe
2892	notepad.exe
2320	notepad.exe
2892	notepad.exe
2320	notepad.exe
2656	notepad.exe
1900	notepad.exe
3064	notepad.exe
1900	notepad.exe
1764	notepad.exe
3064	notepad.exe
1764	notepad.exe
2960	notepad.exe
1804	notepad.exe
1856	notepad.exe
1856	notepad.exe
768	notepad.exe
2052	notepad.exe
1804	notepad.exe
768	notepad.exe
2052	notepad.exe
2468	notepad.exe
1612	notepad.exe
1808	notepad.exe
1612	notepad.exe
2324	notepad.exe
1532	notepad.exe
1808	notepad.exe
2324	notepad.exe
1532	notepad.exe
1328	notepad.exe
2828	notepad.exe
1328	notepad.exe
2640	notepad.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	winfile.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Key = "C:\\Users\\Admin\\AppData\\Roaming\\Key Folder\\winfile.exe"	notepad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winfile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2644	2732	ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2644	2732	ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2644	2732	ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2644	2732	ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe	30
PID 2644 wrote to memory of 3028	2644	winfile.exe	31
PID 2644 wrote to memory of 3028	2644	winfile.exe	31
PID 2644 wrote to memory of 3028	2644	winfile.exe	31
PID 2644 wrote to memory of 3028	2644	winfile.exe	31
PID 2644 wrote to memory of 3028	2644	winfile.exe	31
PID 2644 wrote to memory of 2880	2644	winfile.exe	32
PID 2644 wrote to memory of 2880	2644	winfile.exe	32
PID 2644 wrote to memory of 2880	2644	winfile.exe	32
PID 2644 wrote to memory of 2880	2644	winfile.exe	32
PID 2644 wrote to memory of 2880	2644	winfile.exe	32
PID 2880 wrote to memory of 2672	2880	notepad.exe	33
PID 2880 wrote to memory of 2672	2880	notepad.exe	33
PID 2880 wrote to memory of 2672	2880	notepad.exe	33
PID 2880 wrote to memory of 2672	2880	notepad.exe	33
PID 2672 wrote to memory of 2704	2672	winfile.exe	34
PID 2672 wrote to memory of 2704	2672	winfile.exe	34
PID 2672 wrote to memory of 2704	2672	winfile.exe	34
PID 2672 wrote to memory of 2704	2672	winfile.exe	34
PID 2672 wrote to memory of 2704	2672	winfile.exe	34
PID 2672 wrote to memory of 2656	2672	winfile.exe	35
PID 2672 wrote to memory of 2656	2672	winfile.exe	35
PID 2672 wrote to memory of 2656	2672	winfile.exe	35
PID 2672 wrote to memory of 2656	2672	winfile.exe	35
PID 2672 wrote to memory of 2656	2672	winfile.exe	35
PID 2656 wrote to memory of 2508	2656	notepad.exe	36
PID 2656 wrote to memory of 2508	2656	notepad.exe	36
PID 2656 wrote to memory of 2508	2656	notepad.exe	36
PID 2656 wrote to memory of 2508	2656	notepad.exe	36
PID 2508 wrote to memory of 2564	2508	winfile.exe	37
PID 2508 wrote to memory of 2564	2508	winfile.exe	37
PID 2508 wrote to memory of 2564	2508	winfile.exe	37
PID 2508 wrote to memory of 2564	2508	winfile.exe	37
PID 2508 wrote to memory of 2564	2508	winfile.exe	37
PID 2508 wrote to memory of 2960	2508	winfile.exe	38
PID 2508 wrote to memory of 2960	2508	winfile.exe	38
PID 2508 wrote to memory of 2960	2508	winfile.exe	38
PID 2508 wrote to memory of 2960	2508	winfile.exe	38
PID 2508 wrote to memory of 2960	2508	winfile.exe	38
PID 2960 wrote to memory of 1664	2960	notepad.exe	39
PID 2960 wrote to memory of 1664	2960	notepad.exe	39
PID 2960 wrote to memory of 1664	2960	notepad.exe	39
PID 2960 wrote to memory of 1664	2960	notepad.exe	39
PID 1664 wrote to memory of 2112	1664	winfile.exe	40
PID 1664 wrote to memory of 2112	1664	winfile.exe	40
PID 1664 wrote to memory of 2112	1664	winfile.exe	40
PID 1664 wrote to memory of 2112	1664	winfile.exe	40
PID 1664 wrote to memory of 2112	1664	winfile.exe	40
PID 1664 wrote to memory of 2468	1664	winfile.exe	41
PID 1664 wrote to memory of 2468	1664	winfile.exe	41
PID 1664 wrote to memory of 2468	1664	winfile.exe	41
PID 1664 wrote to memory of 2468	1664	winfile.exe	41
PID 1664 wrote to memory of 2468	1664	winfile.exe	41
PID 2468 wrote to memory of 2908	2468	notepad.exe	42
PID 2468 wrote to memory of 2908	2468	notepad.exe	42
PID 2468 wrote to memory of 2908	2468	notepad.exe	42
PID 2468 wrote to memory of 2908	2468	notepad.exe	42
PID 2908 wrote to memory of 1192	2908	winfile.exe	43
PID 2908 wrote to memory of 1192	2908	winfile.exe	43
PID 2908 wrote to memory of 1192	2908	winfile.exe	43
PID 2908 wrote to memory of 1192	2908	winfile.exe	43

C:\Users\Admin\AppData\Local\Temp\ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee28239c6265e09d12593d3ba41c615b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
  "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
  2⤵
  - Modifies firewall policy service
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe"
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\system32\notepad.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
      "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2704
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        6⤵
        Modifies firewall policy service
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        Loads dropped DLL
        
        PID:2828
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1420
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:608
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:2580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        Loads dropped DLL
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:524
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        Loads dropped DLL
        
        PID:1748
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        Loads dropped DLL
        
        PID:2928
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1188
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        Loads dropped DLL
        
        PID:1976
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        Modifies firewall policy service
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        Loads dropped DLL
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        Executes dropped EXE
        
        PID:1044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        Loads dropped DLL
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:2784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:944
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        Loads dropped DLL
        
        PID:2640
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:932
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        44⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        45⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        46⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:3968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        47⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        47⤵
        Adds Run key to start application
        
        PID:3324
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        48⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        49⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        49⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        50⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        51⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        51⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        52⤵
        
        PID:4228
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        53⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        53⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        54⤵
        
        PID:4928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        55⤵
        
        PID:5136
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        55⤵
        
        PID:5688
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        56⤵
        
        PID:6128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        57⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        57⤵
        
        PID:5976
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        58⤵
        
        PID:4928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        59⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        59⤵
        
        PID:6664
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        60⤵
        
        PID:4772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        61⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        61⤵
        
        PID:6556
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        62⤵
        
        PID:7500
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        63⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        63⤵
        
        PID:7352
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        64⤵
        
        PID:8464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        65⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        65⤵
        
        PID:9136
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        66⤵
        
        PID:9644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        67⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        67⤵
        
        PID:8620
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        68⤵
        
        PID:9416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        69⤵
        
        PID:10716
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        69⤵
        
        PID:11964
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        46⤵
        
        PID:12684
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        44⤵
        
        PID:11716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:11768
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        45⤵
        
        PID:11628
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:10868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:10916
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:9648
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        44⤵
        
        PID:11060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        45⤵
        
        PID:12660
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:9236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:9256
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:8636
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:11676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11704
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:10404
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:7804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9400
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:8780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10260
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:10988
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:10540
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:12940
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:5724
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:8552
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:8068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9436
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:9076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:9488
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:10932
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:11660
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:12864
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:7080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:8788
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:8380
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9924
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:10568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:10544
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:12528
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:12540
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:7060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:7360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7384
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:8204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:9044
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:9628
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:9676
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9572
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:11292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:11340
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:12116
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:5916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:7100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:6676
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:7264
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7732
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7316
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:9016
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:9276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:9364
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:10112
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:11196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:11224
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:8424
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:11296
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5892
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5908
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:5132
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:5564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:6916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7136
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7592
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7824
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:6632
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:8592
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:6256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9800
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:10440
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10492
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:11212
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:10856
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11712
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:13160
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:4704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5956
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:5216
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:5524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:6148
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:7180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:7300
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7712
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:6504
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:8260
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:8960
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:9296
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:9408
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:10128
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:10268
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10432
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:9720
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:9248
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11152
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        
        PID:4864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5720
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:6064
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6708
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:6532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:540
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7428
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7328
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:8272
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:9144
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9260
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:10324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:11076
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:10444
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:10860
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:13168
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        Modifies firewall policy service
        
        PID:4020
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        
        PID:4924
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:4788
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:4416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6764
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:6324
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:6180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7452
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:8184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:8336
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:9208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:8232
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9268
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:10332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:11052
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:9076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11520
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:13176
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        Modifies firewall policy service
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        Adds Run key to start application
        
        PID:3620
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        Modifies firewall policy service
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        
        PID:4912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:4552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:6104
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:5400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:6128
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6784
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:6816
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7548
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:7760
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:8544
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:7676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9312
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:6256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:11004
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:10664
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11536
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:13080
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        
        PID:11656
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:11000
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:3684
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        Adds Run key to start application
        
        PID:4028
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        Modifies firewall policy service
        
        PID:3048
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Adds Run key to start application
        
        PID:4204
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        
        PID:4772
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:5112
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5676
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:6056
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:5128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:5224
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:6408
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7420
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:8076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:8104
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:8196
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:9128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9240
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:9552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:10900
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:11608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:10448
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:12596
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        
        PID:13292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:12376
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:12280
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:11408
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:12344
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        Modifies firewall policy service
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3092
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3644
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        Executes dropped EXE
        
        PID:2464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:4636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:4860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5556
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:6020
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:4780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:5488
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7412
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:8060
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:8088
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:8040
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:9068
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:9108
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:8512
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:10168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10184
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:10164
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:11480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11508
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:11528
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        
        PID:13096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:13116
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:12064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:12092
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:11448
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11148
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11176
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:8872
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:11808
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:10984
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        Adds Run key to start application
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        Modifies firewall policy service
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Adds Run key to start application
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        
        PID:4716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:6012
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:4460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:5936
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:6176
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:5820
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7900
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:7956
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:7820
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:9076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:9092
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:8296
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:10140
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:10204
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:11416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11432
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:11500
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        
        PID:13252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:13308
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:12256
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:8716
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:12296
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:9324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:9944
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:12680
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:11272
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:7360
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:10456
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:7840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11576
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12508
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        Modifies firewall policy service
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:3552
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3848
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        Modifies firewall policy service
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        Modifies firewall policy service
        Adds Run key to start application
        
        PID:4536
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:4428
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:5988
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:5332
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:5852
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7016
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:7688
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:8868
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:8912
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:7768
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:10012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10036
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:7804
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:11384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11396
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:12268
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        
        PID:12976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:13016
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:12028
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:12048
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:12244
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11044
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11064
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:10148
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:13124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:10028
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:9900
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:8300
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11304
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:9320
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12388
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9636
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10528
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:11244
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:10568
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12228
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12928
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:1792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:2516
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        Adds Run key to start application
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        Modifies firewall policy service
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3636
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        Modifies firewall policy service
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:916
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        Adds Run key to start application
        
        PID:4180
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:4596
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5400
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:6004
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:5496
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:6084
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:5308
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:4692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7212
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7804
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:7088
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:8692
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:9864
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:10208
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:7572
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11280
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:12104
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        
        PID:13104
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:13140
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:12080
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:12140
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:10804
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11108
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:9348
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:10912
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:10168
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:8236
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:7568
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:7492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12556
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:5752
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8288
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9740
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10388
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10416
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:11168
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11828
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12024
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12904
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:7544
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8828
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8384
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:10120
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:11252
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:7968
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:9132
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        Executes dropped EXE
        
        PID:1968
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:768
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        Executes dropped EXE
        
        PID:1136
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:900
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:916
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        Adds Run key to start application
        
        PID:3240
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3688
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        Modifies firewall policy service
        
        PID:3096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        
        PID:4792
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:4476
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5600
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:4800
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:6204
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:5652
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6268
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7404
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7976
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:7368
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:8840
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:7976
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:10024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:10052
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:9844
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:11272
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:11320
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:12072
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        
        PID:13196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:13220
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:12124
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:12164
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:10280
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11096
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11128
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:9352
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:12832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:12952
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:9888
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9072
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:9228
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:12196
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12212
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:10776
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9556
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:8532
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9292
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:10940
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:10760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:10628
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:13004
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:7936
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8672
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8716
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7100
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9960
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10612
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10636
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:10644
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:12396
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12436
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12460
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        
        PID:7100
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:7768
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8900
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:6928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:10096
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:11188
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:6928
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12792
      - C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:1180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        Loads dropped DLL
        
        PID:2324
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:1180
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:2980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        Executes dropped EXE
        
        PID:3480
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        Adds Run key to start application
        
        PID:3460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        Modifies firewall policy service
        
        PID:4460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:4052
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:5980
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:5308
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:6044
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:6240
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:7044
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:4832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7668
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:7680
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:6408
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:8616
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:8812
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:9760
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:9788
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:8852
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:10172
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:11920
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        
        PID:12964
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:12988
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:11972
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:12012
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:12100
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:10980
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11028
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:10364
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:11252
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:8872
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:8212
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:12184
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12232
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:10464
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8064
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9536
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:8432
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:10892
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11620
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11632
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12584
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:7608
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8796
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9968
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10624
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10656
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:10684
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:12424
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12488
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12548
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        
        PID:4836
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        
        PID:7648
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:6376
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8216
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8924
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:9288
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9328
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:10104
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10832
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:9520
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:13212
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:13264
      - C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        6⤵
        
        PID:7088
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:7112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        7⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        
        PID:7284
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:7580
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8992
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8204
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:10072
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10788
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:9656
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:12416
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12468
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12500
  - - C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
      "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
      4⤵
      Modifies firewall policy service
      Executes dropped EXE
      PID:2124
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        5⤵
        Loads dropped DLL
        
        PID:2892
      - C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        6⤵
        Modifies firewall policy service
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        7⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        Modifies firewall policy service
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3036
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:1208
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:2648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        Modifies firewall policy service
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:1704
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:964
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        Modifies firewall policy service
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        Modifies firewall policy service
        Executes dropped EXE
        
        PID:3956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        23⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        23⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        24⤵
        
        PID:4324
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        25⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        25⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        26⤵
        
        PID:3744
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        27⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        27⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        28⤵
        
        PID:5168
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        29⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        29⤵
        
        PID:5824
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        30⤵
        
        PID:3128
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        31⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        31⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        32⤵
        
        PID:5372
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        33⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        33⤵
        
        PID:6752
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        34⤵
        
        PID:6404
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        35⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        35⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        36⤵
        
        PID:7524
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        37⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        37⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        38⤵
        
        PID:8484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        39⤵
        
        PID:8520
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        39⤵
        
        PID:9168
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        40⤵
        
        PID:9604
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        41⤵
        
        PID:9660
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        41⤵
        
        PID:8516
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        42⤵
        
        PID:9736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        43⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        43⤵
        
        PID:11912
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        20⤵
        
        PID:12648
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        21⤵
        
        PID:12700
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:11756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:11816
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        19⤵
        
        PID:11636
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:10860
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:10880
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:9868
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        18⤵
        
        PID:13244
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        19⤵
        
        PID:13280
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:8484
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:8692
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11984
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11996
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8076
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9584
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:7492
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10244
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:10964
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11460
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:9628
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:13028
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:7812
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8580
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:7468
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9688
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:7276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:9840
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:10948
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:11736
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:11776
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:12880
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        
        PID:6956
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        
        PID:7584
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:7756
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8536
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8508
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9388
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:11156
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:10876
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12320
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:13184
      - C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        6⤵
        
        PID:7032
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        7⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        
        PID:7272
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:6780
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:8244
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8952
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:7276
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:10080
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10808
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:9300
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:12576
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12608
  - - C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
      "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
      4⤵
      PID:4692
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:5720
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        5⤵
        
        PID:6156
      - C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        6⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        7⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        8⤵
        
        PID:4276
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        9⤵
        
        PID:7068
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        9⤵
        
        PID:7600
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        10⤵
        
        PID:7944
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        11⤵
        
        PID:6916
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        11⤵
        
        PID:8640
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        12⤵
        
        PID:8292
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        13⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        13⤵
        
        PID:9824
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        14⤵
        
        PID:10448
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        15⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        15⤵
        
        PID:11204
        
        C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe
        
        "C:\Users\Admin\AppData\Roaming\Key Folder\winfile.exe"
        16⤵
        
        PID:12356
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        17⤵
        
        PID:12368
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\system32\notepad.exe
        17⤵
        
        PID:13232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Key Folder\gp2007.dll

Filesize
18KB

MD5
db84d7d9649fcab7fab11d512ec696aa

SHA1
240ebbd98717c34d648cea3b4bbd8fe5cda5f951

SHA256
d7c3dd03762b60aa7ea66fc9660f442c0cdfd37dafd93bd72c2ff5a8ac3ccb96

SHA512
5da7fb085a0562ce2a055da9bfb72040c9795846295f67ba2755aaad75a695a37324dbea20018fae5b23a8fd9cd0055a42c1a4f86e4c30f5b1dceae4f0c2dfad

Download Submit
C:\Users\Admin\AppData\Roaming\Key Folder\sql2005.dll

Filesize
32KB

MD5
26c93d75c8333ec7eaf2675ac159526a

SHA1
65184918b520673c38fa5bae0600b644caf2ae11

SHA256
a77defdc8dab1d22e261b912aba716bc755d0c67b65f3e1fb99244074151ed3f

SHA512
6316ccf355e1ea2819f5f4e5f2ad51cf882e096d27976af7df0d6b26359f7490ddb87a62ffff61c9a2d4a78be22b3f913ce9042dac0274deb1145c9b047bcb23

Download Submit
\Users\Admin\AppData\Roaming\Key Folder\winfile.exe

Filesize
75KB

MD5
ee28239c6265e09d12593d3ba41c615b

SHA1
5bfbca1bf36cdc27667eeb019dc242b2c31783ce

SHA256
dd27b1faf788dd21cf40a32f2b2d4b0ee82468683afdad5614c4237da7e901fb

SHA512
a870f4d098b6a03e08f3a80dbcda542d534c05cd00127c71ffaa31846534fb169245ac6b03bea78a8e2e657c8af05d67cd116e6d840783deab68defcb222c7b8

Download Submit
memory/588-124-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/668-74-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1180-103-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1188-145-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/1408-113-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1420-56-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1664-39-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1704-134-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/1748-115-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/2124-149-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2168-110-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/2248-83-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2468-80-0x00000000000A0000-0x00000000000AA000-memory.dmp

Filesize
40KB

Download
memory/2508-31-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2580-65-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2644-13-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2656-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2672-23-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2732-9-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2804-91-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2828-85-0x00000000000E0000-0x00000000000EA000-memory.dmp

Filesize
40KB

Download
memory/2880-53-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/2880-12-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2908-47-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2924-94-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2928-121-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2960-71-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads