2102e29354033a95134059568e6588c6cd75e340623963c60cefc6a3c1076b73

Analysis

max time kernel
44s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
Size

1.2MB
MD5

f05436672c48f11c277c2299ae4e841d
SHA1

2a84eea28608d9079fd2f4bcdb349489daa0ec9b
SHA256

2102e29354033a95134059568e6588c6cd75e340623963c60cefc6a3c1076b73
SHA512

0a3f98cf507095fd1e3c3a0412479f7b0f02c03c74879d829a7c295218347cfca9f5a51d2d39f182ac87561d0ef8c758ae35290ced9f917dde4d5dd9e20d0b4b
SSDEEP

24576:LivobEvmoCmN4MVVnxLtPxr410aQXIcZ9T7TZ4CHMVKI3KHKLrTRJFY:+vo1lqRtPxMxQXI89RHRI3KHuTW

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 63 IoCs

pid	Process
2180	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
768	XP-0EE37CC5.EXE
472	XP-0EE37CC5.EXE
3036	XP-0EE37CC5.EXE
2384	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
2268	XP-0EE37CC5.EXE
1968	XP-0EE37CC5.EXE
2296	XP-0EE37CC5.EXE
264	XP-0EE37CC5.EXE
352	XP-0EE37CC5.EXE
2552	XP-0EE37CC5.EXE
1316	XP-0EE37CC5.EXE
2840	XP-0EE37CC5.EXE
892	XP-0EE37CC5.EXE
1908	XP-0EE37CC5.EXE
1136	XP-0EE37CC5.EXE
1740	XP-0EE37CC5.EXE
3068	XP-0EE37CC5.EXE
3192	XP-0EE37CC5.EXE
3348	XP-0EE37CC5.EXE
3484	XP-0EE37CC5.EXE
3628	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3904	XP-0EE37CC5.EXE
4052	XP-0EE37CC5.EXE
3224	XP-0EE37CC5.EXE
3412	XP-0EE37CC5.EXE
3648	XP-0EE37CC5.EXE
3856	XP-0EE37CC5.EXE
4032	XP-0EE37CC5.EXE
3372	XP-0EE37CC5.EXE
3784	XP-0EE37CC5.EXE
4012	XP-0EE37CC5.EXE
3908	XP-0EE37CC5.EXE
3796	XP-0EE37CC5.EXE
3424	XP-0EE37CC5.EXE
3600	XP-0EE37CC5.EXE
4232	XP-0EE37CC5.EXE
4380	XP-0EE37CC5.EXE
4540	XP-0EE37CC5.EXE
4696	XP-0EE37CC5.EXE
4824	XP-0EE37CC5.EXE
4976	XP-0EE37CC5.EXE
5112	XP-0EE37CC5.EXE
4200	XP-0EE37CC5.EXE
4560	XP-0EE37CC5.EXE
4764	XP-0EE37CC5.EXE
5036	XP-0EE37CC5.EXE
4192	XP-0EE37CC5.EXE
3424	XP-0EE37CC5.EXE
5040	XP-0EE37CC5.EXE
4248	XP-0EE37CC5.EXE
4108	XP-0EE37CC5.EXE
4992	XP-0EE37CC5.EXE

Loads dropped DLL 64 IoCs

pid	Process
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
768	XP-0EE37CC5.EXE
768	XP-0EE37CC5.EXE
768	XP-0EE37CC5.EXE
768	XP-0EE37CC5.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 64 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2180	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2748	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
2520	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1652	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
1744	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
2860	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1124	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1724	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
1132	XP-0EE37CC5.EXE
768	XP-0EE37CC5.EXE
768	XP-0EE37CC5.EXE
768	XP-0EE37CC5.EXE
768	XP-0EE37CC5.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2972	2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2972	2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2972	2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2972	2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2180	2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe	32
PID 2204 wrote to memory of 2180	2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe	32
PID 2204 wrote to memory of 2180	2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe	32
PID 2204 wrote to memory of 2180	2204	f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe	32
PID 2180 wrote to memory of 2712	2180	XP-0EE37CC5.EXE	33
PID 2180 wrote to memory of 2712	2180	XP-0EE37CC5.EXE	33
PID 2180 wrote to memory of 2712	2180	XP-0EE37CC5.EXE	33
PID 2180 wrote to memory of 2712	2180	XP-0EE37CC5.EXE	33
PID 2180 wrote to memory of 2748	2180	XP-0EE37CC5.EXE	34
PID 2180 wrote to memory of 2748	2180	XP-0EE37CC5.EXE	34
PID 2180 wrote to memory of 2748	2180	XP-0EE37CC5.EXE	34
PID 2180 wrote to memory of 2748	2180	XP-0EE37CC5.EXE	34
PID 2748 wrote to memory of 2624	2748	XP-0EE37CC5.EXE	36
PID 2748 wrote to memory of 2624	2748	XP-0EE37CC5.EXE	36
PID 2748 wrote to memory of 2624	2748	XP-0EE37CC5.EXE	36
PID 2748 wrote to memory of 2624	2748	XP-0EE37CC5.EXE	36
PID 2748 wrote to memory of 2520	2748	XP-0EE37CC5.EXE	38
PID 2748 wrote to memory of 2520	2748	XP-0EE37CC5.EXE	38
PID 2748 wrote to memory of 2520	2748	XP-0EE37CC5.EXE	38
PID 2748 wrote to memory of 2520	2748	XP-0EE37CC5.EXE	38
PID 2520 wrote to memory of 1244	2520	XP-0EE37CC5.EXE	39
PID 2520 wrote to memory of 1244	2520	XP-0EE37CC5.EXE	39
PID 2520 wrote to memory of 1244	2520	XP-0EE37CC5.EXE	39
PID 2520 wrote to memory of 1244	2520	XP-0EE37CC5.EXE	39
PID 2520 wrote to memory of 1652	2520	XP-0EE37CC5.EXE	41
PID 2520 wrote to memory of 1652	2520	XP-0EE37CC5.EXE	41
PID 2520 wrote to memory of 1652	2520	XP-0EE37CC5.EXE	41
PID 2520 wrote to memory of 1652	2520	XP-0EE37CC5.EXE	41
PID 1652 wrote to memory of 2368	1652	XP-0EE37CC5.EXE	42
PID 1652 wrote to memory of 2368	1652	XP-0EE37CC5.EXE	42
PID 1652 wrote to memory of 2368	1652	XP-0EE37CC5.EXE	42
PID 1652 wrote to memory of 2368	1652	XP-0EE37CC5.EXE	42
PID 1652 wrote to memory of 1744	1652	XP-0EE37CC5.EXE	43
PID 1652 wrote to memory of 1744	1652	XP-0EE37CC5.EXE	43
PID 1652 wrote to memory of 1744	1652	XP-0EE37CC5.EXE	43
PID 1652 wrote to memory of 1744	1652	XP-0EE37CC5.EXE	43
PID 1744 wrote to memory of 2892	1744	XP-0EE37CC5.EXE	44
PID 1744 wrote to memory of 2892	1744	XP-0EE37CC5.EXE	44
PID 1744 wrote to memory of 2892	1744	XP-0EE37CC5.EXE	44
PID 1744 wrote to memory of 2892	1744	XP-0EE37CC5.EXE	44
PID 1744 wrote to memory of 2860	1744	XP-0EE37CC5.EXE	86
PID 1744 wrote to memory of 2860	1744	XP-0EE37CC5.EXE	86
PID 1744 wrote to memory of 2860	1744	XP-0EE37CC5.EXE	86
PID 1744 wrote to memory of 2860	1744	XP-0EE37CC5.EXE	86
PID 2860 wrote to memory of 1240	2860	XP-0EE37CC5.EXE	47
PID 2860 wrote to memory of 1240	2860	XP-0EE37CC5.EXE	47
PID 2860 wrote to memory of 1240	2860	XP-0EE37CC5.EXE	47
PID 2860 wrote to memory of 1240	2860	XP-0EE37CC5.EXE	47
PID 2860 wrote to memory of 1124	2860	XP-0EE37CC5.EXE	48
PID 2860 wrote to memory of 1124	2860	XP-0EE37CC5.EXE	48
PID 2860 wrote to memory of 1124	2860	XP-0EE37CC5.EXE	48
PID 2860 wrote to memory of 1124	2860	XP-0EE37CC5.EXE	48
PID 1124 wrote to memory of 2284	1124	XP-0EE37CC5.EXE	49
PID 1124 wrote to memory of 2284	1124	XP-0EE37CC5.EXE	49
PID 1124 wrote to memory of 2284	1124	XP-0EE37CC5.EXE	49
PID 1124 wrote to memory of 2284	1124	XP-0EE37CC5.EXE	49
PID 1124 wrote to memory of 1724	1124	XP-0EE37CC5.EXE	51
PID 1124 wrote to memory of 1724	1124	XP-0EE37CC5.EXE	51
PID 1124 wrote to memory of 1724	1124	XP-0EE37CC5.EXE	51
PID 1124 wrote to memory of 1724	1124	XP-0EE37CC5.EXE	51

C:\Users\Admin\AppData\Local\Temp\f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f05436672c48f11c277c2299ae4e841d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\f05436672c48f11c277c2299ae4e841d_JaffaCakes118
  2⤵
  PID:2972
- C:\Windows\SysWOW64\XP-0EE37CC5.EXE
  C:\Windows\system32\XP-0EE37CC5.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\XP-0EE37CC5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
    C:\Windows\system32\XP-0EE37CC5.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\XP-0EE37CC5
      4⤵
      PID:2624
  - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
      C:\Windows\system32\XP-0EE37CC5.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2520
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        5⤵
        
        PID:1244
    - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        6⤵
        
        PID:2368
      - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        7⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        9⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:1132
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        11⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        13⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        15⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        16⤵
        
        PID:880
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        17⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        18⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2296
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        19⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        20⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        20⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2568
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2840
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        24⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1872
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        26⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        27⤵
        
        PID:620
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2332
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        28⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3068
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        29⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        30⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        30⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3348
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        31⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        32⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        32⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        33⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        33⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        34⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        35⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        36⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        36⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3224
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        37⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        37⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        38⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        38⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        39⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3856
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        40⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        41⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        42⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        42⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        43⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        44⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        45⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        45⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        46⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        46⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        47⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        48⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4348
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        49⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        50⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4540
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        51⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        52⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        52⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        53⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        53⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        54⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:5112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        55⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        55⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        56⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        56⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        57⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        57⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        58⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        58⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:5036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        59⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        59⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4192
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        60⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        60⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        61⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        61⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:4564
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        62⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        63⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4108
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        64⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        65⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        65⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        66⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        66⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        67⤵
        
        PID:5296
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        67⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        68⤵
        
        PID:5464
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        68⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        69⤵
        
        PID:5596
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        69⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        70⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        70⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        71⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        71⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        72⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        72⤵
        
        PID:6088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        73⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        73⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        74⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        74⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        75⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        75⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        76⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        76⤵
        
        PID:5880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        77⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        77⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        78⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        78⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        79⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        79⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        80⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        80⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        81⤵
        
        PID:5928
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        81⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        82⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        82⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        83⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        83⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        84⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        84⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        85⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        85⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        86⤵
        
        PID:6576
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        86⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        87⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        87⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        88⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        88⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        89⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        89⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        90⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        90⤵
        
        PID:6280
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        91⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        91⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        92⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        92⤵
        
        PID:6836
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        93⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        93⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        94⤵
        
        PID:6252
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        94⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        95⤵
        
        PID:884
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        95⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        96⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        96⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        97⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        97⤵
        
        PID:6616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        98⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        98⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        99⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        99⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        100⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        100⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        101⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        101⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        102⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        102⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        103⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        103⤵
        
        PID:7304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        104⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        104⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        105⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        105⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        106⤵
        
        PID:7700
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        106⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        107⤵
        
        PID:7884
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        107⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        108⤵
        
        PID:8060
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        108⤵
        
        PID:8100
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        109⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        109⤵
        
        PID:6800
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        110⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        110⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        111⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        111⤵
        
        PID:7856
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        112⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        112⤵
        
        PID:8136
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        113⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        113⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        114⤵
        
        PID:7924
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        114⤵
        
        PID:7900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        115⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        115⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        116⤵
        
        PID:7592
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        116⤵
        
        PID:7704
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        117⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        117⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        118⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        118⤵
        
        PID:8348
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        119⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        119⤵
        
        PID:8480
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        120⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        120⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        121⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        121⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        122⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        122⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        123⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        123⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        124⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        124⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        125⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        125⤵
        
        PID:8316
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        126⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        126⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        127⤵
        
        PID:8812
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        127⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        128⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        128⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        129⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        129⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        130⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        130⤵
        
        PID:8440
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        131⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        131⤵
        
        PID:8228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        132⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        132⤵
        
        PID:8884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        133⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        133⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        134⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        134⤵
        
        PID:9236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        135⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        135⤵
        
        PID:9416
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        136⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        136⤵
        
        PID:9568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        137⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        137⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        138⤵
        
        PID:9876
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        138⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        139⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        139⤵
        
        PID:10084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        140⤵
        
        PID:10188
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        140⤵
        
        PID:10228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        141⤵
        
        PID:9428
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        141⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        142⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        142⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        143⤵
        
        PID:9572
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        143⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        144⤵
        
        PID:9744
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        144⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        145⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        145⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        146⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        146⤵
        
        PID:10204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        147⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        147⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        148⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        148⤵
        
        PID:10144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        149⤵
        
        PID:10016
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        149⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        150⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        150⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        151⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        151⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        152⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        152⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        153⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        153⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        154⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        154⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        155⤵
        
        PID:10296
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        155⤵
        
        PID:10328
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        156⤵
        
        PID:10456
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        156⤵
        
        PID:10504
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        157⤵
        
        PID:10612
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        157⤵
        
        PID:10648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        158⤵
        
        PID:10760
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        158⤵
        
        PID:10796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:1060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:1608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:2884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:1084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3476

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3792

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:3076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4532

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4552

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4960

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5764

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6120

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6308

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7580

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8092

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7548

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7524

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9192

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9228

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9892

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6272

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
a67daddcb30335163cf7d99f282f5ae0

SHA1
c033169006bef68bebfa77405c4a35688ab41a99

SHA256
8027e7512cf17388b14c3e2bbf9c3700f875c26d942a4dd27d1dcf8203a192f8

SHA512
16cb5cffdf935d10bb06b86b874a63e9594e4854359885890fe4641f0e4329fd047daa5f0ddd5a02d241974834b67666b2ad65ef791e110d29637434057808c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
25b794b18bd8d03dc9530111cbce4173

SHA1
a6774d62bd1e9497fdfe6c61c495011fc6c274c6

SHA256
81757b48f2caecd6fd4f6699906e9320704c10b5c5dadc6c796b9809f0359ee4

SHA512
5892dc3c681571b2130695c4e8f598e732462746b9f5b8e7689108e393fb6d4edc32c97ef1f39f0c0abc901a590677f92c1abd1b809e5a875d025f4131d831ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
56e9e121d68b5631a360d56b2ef4777f

SHA1
e9d11a2baf46769c90ee1671cd17072efd8cfb52

SHA256
c247997b04fc5535bb07ab43c3628326c6365aa6a0bd82a6f380b8ab66a09d2f

SHA512
1ef52e0283d286a308fa1c927ff12aa43975a49d94d9386ee4a02b7e4f47de2e239a340a4427534c73c0039ea2c249e91b68f2dce1dfebf13c9879c4ea60b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
68KB

MD5
1518651c682109e9b9c304c9c109d777

SHA1
6c440810bf11907fc16dbca17a9494377c0bdcf1

SHA256
0496ea1f78bf11204491388bc9c1dfbb49bebdaeffe32717bffdf688b148bfaa

SHA512
e6e03475b37f8463ac47dd559b31b81e254b07280e083200e21cc66f022c8730d45924776684d96e6bc1ce2d5cf9350a13ca37cda966de1c430eeec602e00535

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
260KB

MD5
ce2f773275d3fe8b78f4cf067d5e6a0f

SHA1
b7135e34d46eb4303147492d5cee5e1ef7b392ab

SHA256
eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d

SHA512
d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
1081d7eb7a17faedfa588b93fc85365e

SHA1
884e264fa37bfb9e71d24f3f5c7554fdf94a8b9f

SHA256
0351d055cf1e194302ab125cc93208a8c733efb45dc301ca6e7e2a4051f411e0

SHA512
1ff9e7c495b9e005c8d3b56219794c31d804fe1944429e3d4fe013fd8fcb3f51c02b588748c7d9d869fdb115851932e8db4e6792aecd9c83f28237702582ba81

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
d54753e7fc3ea03aec0181447969c0e8

SHA1
824e7007b6569ae36f174c146ae1b7242f98f734

SHA256
192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9

SHA512
c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

Download Submit
\Windows\SysWOW64\XP-0EE37CC5.EXE

Filesize
1.2MB

MD5
f05436672c48f11c277c2299ae4e841d

SHA1
2a84eea28608d9079fd2f4bcdb349489daa0ec9b

SHA256
2102e29354033a95134059568e6588c6cd75e340623963c60cefc6a3c1076b73

SHA512
0a3f98cf507095fd1e3c3a0412479f7b0f02c03c74879d829a7c295218347cfca9f5a51d2d39f182ac87561d0ef8c758ae35290ced9f917dde4d5dd9e20d0b4b

Download Submit
memory/264-314-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/264-282-0x0000000001DD0000-0x0000000001DFB000-memory.dmp

Filesize
172KB

Download
memory/264-283-0x0000000001DD0000-0x0000000001DFB000-memory.dmp

Filesize
172KB

Download
memory/352-294-0x0000000001EB0000-0x0000000001EDB000-memory.dmp

Filesize
172KB

Download
memory/352-293-0x0000000001EB0000-0x0000000001EDB000-memory.dmp

Filesize
172KB

Download
memory/352-320-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/472-236-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/472-202-0x00000000004E0000-0x000000000050B000-memory.dmp

Filesize
172KB

Download
memory/472-203-0x00000000004E0000-0x000000000050B000-memory.dmp

Filesize
172KB

Download
memory/472-193-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/472-201-0x00000000004C0000-0x00000000004D1000-memory.dmp

Filesize
68KB

Download
memory/472-200-0x0000000000480000-0x000000000049E000-memory.dmp

Filesize
120KB

Download
memory/472-198-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/768-191-0x0000000000630000-0x0000000000641000-memory.dmp

Filesize
68KB

Download
memory/768-188-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/768-190-0x0000000000290000-0x00000000002AE000-memory.dmp

Filesize
120KB

Download
memory/768-225-0x0000000001D90000-0x0000000001DBB000-memory.dmp

Filesize
172KB

Download
memory/768-192-0x0000000001D90000-0x0000000001DBB000-memory.dmp

Filesize
172KB

Download
memory/768-224-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/768-183-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/892-342-0x0000000001EF0000-0x0000000001F1B000-memory.dmp

Filesize
172KB

Download
memory/892-341-0x0000000001EF0000-0x0000000001F1B000-memory.dmp

Filesize
172KB

Download
memory/892-376-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1124-156-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1124-157-0x0000000001DE0000-0x0000000001DFE000-memory.dmp

Filesize
120KB

Download
memory/1124-158-0x0000000001E00000-0x0000000001E11000-memory.dmp

Filesize
68KB

Download
memory/1124-154-0x0000000001D90000-0x0000000001DDA000-memory.dmp

Filesize
296KB

Download
memory/1132-182-0x0000000000520000-0x000000000054B000-memory.dmp

Filesize
172KB

Download
memory/1132-175-0x0000000000350000-0x000000000039A000-memory.dmp

Filesize
296KB

Download
memory/1132-177-0x00000000004B0000-0x00000000004CE000-memory.dmp

Filesize
120KB

Download
memory/1132-180-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1132-178-0x00000000004F0000-0x0000000000501000-memory.dmp

Filesize
68KB

Download
memory/1136-371-0x0000000001DC0000-0x0000000001DEB000-memory.dmp

Filesize
172KB

Download
memory/1136-370-0x0000000001DC0000-0x0000000001DEB000-memory.dmp

Filesize
172KB

Download
memory/1136-400-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1304-235-0x00000000004C0000-0x00000000004EB000-memory.dmp

Filesize
172KB

Download
memory/1304-271-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1316-319-0x0000000000550000-0x000000000057B000-memory.dmp

Filesize
172KB

Download
memory/1316-347-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1316-318-0x0000000000550000-0x000000000057B000-memory.dmp

Filesize
172KB

Download
memory/1652-109-0x0000000000360000-0x00000000003AA000-memory.dmp

Filesize
296KB

Download
memory/1652-114-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/1652-116-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1652-112-0x00000000003B0000-0x00000000003CE000-memory.dmp

Filesize
120KB

Download
memory/1724-166-0x0000000000860000-0x000000000087E000-memory.dmp

Filesize
120KB

Download
memory/1724-169-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1724-167-0x0000000001E60000-0x0000000001E71000-memory.dmp

Filesize
68KB

Download
memory/1724-179-0x0000000001E80000-0x0000000001EAB000-memory.dmp

Filesize
172KB

Download
memory/1724-164-0x0000000001CA0000-0x0000000001CEA000-memory.dmp

Filesize
296KB

Download
memory/1740-372-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1740-380-0x0000000001D90000-0x0000000001DBB000-memory.dmp

Filesize
172KB

Download
memory/1740-379-0x0000000001D90000-0x0000000001DBB000-memory.dmp

Filesize
172KB

Download
memory/1740-412-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-132-0x0000000001BF0000-0x0000000001C3A000-memory.dmp

Filesize
296KB

Download
memory/1744-137-0x0000000001CB0000-0x0000000001CC1000-memory.dmp

Filesize
68KB

Download
memory/1744-138-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1744-135-0x0000000001C80000-0x0000000001C9E000-memory.dmp

Filesize
120KB

Download
memory/1908-354-0x0000000001EE0000-0x0000000001F0B000-memory.dmp

Filesize
172KB

Download
memory/1908-355-0x0000000001EE0000-0x0000000001F0B000-memory.dmp

Filesize
172KB

Download
memory/1908-388-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1968-259-0x0000000001CF0000-0x0000000001D1B000-memory.dmp

Filesize
172KB

Download
memory/1968-290-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2180-70-0x0000000001F90000-0x0000000001FBB000-memory.dmp

Filesize
172KB

Download
memory/2180-50-0x0000000000320000-0x000000000033E000-memory.dmp

Filesize
120KB

Download
memory/2180-53-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2180-32-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2180-46-0x0000000001F40000-0x0000000001F8A000-memory.dmp

Filesize
296KB

Download
memory/2180-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2204-118-0x0000000001F80000-0x0000000001FAB000-memory.dmp

Filesize
172KB

Download
memory/2204-12-0x0000000001CD0000-0x0000000001D1A000-memory.dmp

Filesize
296KB

Download
memory/2204-115-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2204-117-0x0000000001F80000-0x0000000001FAB000-memory.dmp

Filesize
172KB

Download
memory/2204-19-0x0000000001F60000-0x0000000001F71000-memory.dmp

Filesize
68KB

Download
memory/2204-29-0x0000000001F80000-0x0000000001FAB000-memory.dmp

Filesize
172KB

Download
memory/2204-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2204-16-0x0000000001D30000-0x0000000001D4E000-memory.dmp

Filesize
120KB

Download
memory/2204-30-0x0000000001F80000-0x0000000001FAB000-memory.dmp

Filesize
172KB

Download
memory/2268-281-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-237-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2268-246-0x0000000000750000-0x000000000077B000-memory.dmp

Filesize
172KB

Download
memory/2296-270-0x0000000000470000-0x000000000049B000-memory.dmp

Filesize
172KB

Download
memory/2296-269-0x0000000000470000-0x000000000049B000-memory.dmp

Filesize
172KB

Download
memory/2296-300-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2384-223-0x0000000000890000-0x00000000008A1000-memory.dmp

Filesize
68KB

Download
memory/2384-218-0x0000000001DE0000-0x0000000001E2A000-memory.dmp

Filesize
296KB

Download
memory/2384-258-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2384-222-0x00000000005D0000-0x00000000005EE000-memory.dmp

Filesize
120KB

Download
memory/2520-92-0x0000000001BC0000-0x0000000001BDE000-memory.dmp

Filesize
120KB

Download
memory/2520-89-0x0000000001B50000-0x0000000001B9A000-memory.dmp

Filesize
296KB

Download
memory/2520-94-0x0000000001BE0000-0x0000000001BF1000-memory.dmp

Filesize
68KB

Download
memory/2520-96-0x0000000001DA0000-0x0000000001DCB000-memory.dmp

Filesize
172KB

Download
memory/2520-168-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2520-170-0x0000000001DA0000-0x0000000001DCB000-memory.dmp

Filesize
172KB

Download
memory/2552-338-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2552-306-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2552-307-0x00000000003D0000-0x00000000003FB000-memory.dmp

Filesize
172KB

Download
memory/2748-68-0x00000000003A0000-0x00000000003EA000-memory.dmp

Filesize
296KB

Download
memory/2748-71-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2748-73-0x0000000001D80000-0x0000000001D9E000-memory.dmp

Filesize
120KB

Download
memory/2748-75-0x0000000001DA0000-0x0000000001DB1000-memory.dmp

Filesize
68KB

Download
memory/2840-362-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2840-331-0x0000000001FE0000-0x000000000200B000-memory.dmp

Filesize
172KB

Download
memory/2840-330-0x0000000001FE0000-0x000000000200B000-memory.dmp

Filesize
172KB

Download
memory/2860-145-0x00000000002F0000-0x000000000033A000-memory.dmp

Filesize
296KB

Download
memory/2860-149-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2860-148-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/2860-147-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3036-247-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3036-213-0x0000000001FF0000-0x000000000201B000-memory.dmp

Filesize
172KB

Download
memory/3036-211-0x0000000001EC0000-0x0000000001ED1000-memory.dmp

Filesize
68KB

Download
memory/3036-210-0x0000000000540000-0x000000000055E000-memory.dmp

Filesize
120KB

Download
memory/3036-208-0x0000000000250000-0x000000000029A000-memory.dmp

Filesize
296KB

Download
memory/3064-54-0x0000000003B10000-0x0000000003B20000-memory.dmp

Filesize
64KB

Download
memory/3068-417-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3068-392-0x0000000001FA0000-0x0000000001FCB000-memory.dmp

Filesize
172KB

Download
memory/3068-391-0x0000000001FA0000-0x0000000001FCB000-memory.dmp

Filesize
172KB

Download
memory/3192-404-0x0000000001DD0000-0x0000000001DFB000-memory.dmp

Filesize
172KB

Download
memory/3192-403-0x0000000001DD0000-0x0000000001DFB000-memory.dmp

Filesize
172KB

Download
memory/3192-436-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3224-486-0x0000000001E00000-0x0000000001E2B000-memory.dmp

Filesize
172KB

Download
memory/3348-416-0x0000000002830000-0x000000000285B000-memory.dmp

Filesize
172KB

Download
memory/3348-415-0x0000000002830000-0x000000000285B000-memory.dmp

Filesize
172KB

Download
memory/3348-446-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3412-496-0x0000000000810000-0x000000000083B000-memory.dmp

Filesize
172KB

Download
memory/3412-497-0x0000000000810000-0x000000000083B000-memory.dmp

Filesize
172KB

Download
memory/3484-428-0x0000000002020000-0x000000000204B000-memory.dmp

Filesize
172KB

Download
memory/3484-458-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3484-427-0x0000000002020000-0x000000000204B000-memory.dmp

Filesize
172KB

Download
memory/3628-439-0x00000000006E0000-0x000000000070B000-memory.dmp

Filesize
172KB

Download
memory/3628-470-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3776-482-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3776-450-0x0000000000830000-0x000000000085B000-memory.dmp

Filesize
172KB

Download
memory/3776-451-0x0000000000830000-0x000000000085B000-memory.dmp

Filesize
172KB

Download
memory/3904-493-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/3904-462-0x0000000001D00000-0x0000000001D2B000-memory.dmp

Filesize
172KB

Download
memory/3904-463-0x0000000001D00000-0x0000000001D2B000-memory.dmp

Filesize
172KB

Download
memory/4052-474-0x0000000001DE0000-0x0000000001E0B000-memory.dmp

Filesize
172KB

Download
memory/4052-475-0x0000000001DE0000-0x0000000001E0B000-memory.dmp

Filesize
172KB

Download
memory/4052-498-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads