12d7c3950d7cc14a258aa625f547cb911037ff1f1108859f3dc81bd9952f9624

Analysis

max time kernel
40s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-09-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
Size

1.4MB
MD5

015669113f4cd43538b6ebae14aed713
SHA1

d9229da5e1d349bbdea0f59338f3aa51b6ed4c9c
SHA256

12d7c3950d7cc14a258aa625f547cb911037ff1f1108859f3dc81bd9952f9624
SHA512

e71f75d96fc41838e7ff33f97c5f2e27bfd45e5fe4abda5f600ea07f0bee9ed48b8d7639f1d43d769d931ad502ec1a4e064d86beb512335e9c74eb20c31c8306
SSDEEP

24576:X4JH/TYq8ppSkhB4q/yOvAZLDwPc25AFB3KWS/hdkAkiOippg+YiV:X4JH8Bn6pZLiZ54aWQhdkAkipWeV

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 55 IoCs

pid	Process
2344	DECB07.EXE
316	DECB07.EXE
572	DECB07.EXE
1656	DECB07.EXE
2456	DECB07.EXE
1328	DECB07.EXE
392	DECB07.EXE
884	DECB07.EXE
776	DECB07.EXE
2628	DECB07.EXE
2968	DECB07.EXE
2004	DECB07.EXE
3024	DECB07.EXE
844	DECB07.EXE
2072	DECB07.EXE
1580	DECB07.EXE
2160	DECB07.EXE
2512	DECB07.EXE
952	DECB07.EXE
1284	DECB07.EXE
2612	DECB07.EXE
1640	DECB07.EXE
1616	DECB07.EXE
2160	DECB07.EXE
1352	DECB07.EXE
1624	DECB07.EXE
2072	DECB07.EXE
3100	DECB07.EXE
3232	DECB07.EXE
3372	DECB07.EXE
3520	DECB07.EXE
3652	DECB07.EXE
3788	DECB07.EXE
3920	DECB07.EXE
4060	DECB07.EXE
3268	DECB07.EXE
3444	DECB07.EXE
3712	DECB07.EXE
3932	DECB07.EXE
4040	DECB07.EXE
3476	DECB07.EXE
3752	DECB07.EXE
3656	DECB07.EXE
3944	DECB07.EXE
3088	DECB07.EXE
3824	DECB07.EXE
4112	DECB07.EXE
4252	DECB07.EXE
4356	DECB07.EXE
4468	DECB07.EXE
4584	DECB07.EXE
4704	DECB07.EXE
4812	DECB07.EXE
4920	DECB07.EXE
5060	DECB07.EXE

Loads dropped DLL 64 IoCs

pid	Process
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
2344	DECB07.EXE
2344	DECB07.EXE
2344	DECB07.EXE
2344	DECB07.EXE
2344	DECB07.EXE
2344	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
2628	DECB07.EXE
2628	DECB07.EXE
2628	DECB07.EXE
2628	DECB07.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 55 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
2344	DECB07.EXE
2344	DECB07.EXE
2344	DECB07.EXE
2344	DECB07.EXE
2344	DECB07.EXE
2344	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
316	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
572	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
1656	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
2456	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
1328	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
392	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
884	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
776	DECB07.EXE
2628	DECB07.EXE
2628	DECB07.EXE
2628	DECB07.EXE
2628	DECB07.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2340	3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2340	3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2340	3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2340	3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe	30
PID 3056 wrote to memory of 2344	3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2344	3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2344	3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe	32
PID 3056 wrote to memory of 2344	3056	015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe	32
PID 2344 wrote to memory of 1700	2344	DECB07.EXE	33
PID 2344 wrote to memory of 1700	2344	DECB07.EXE	33
PID 2344 wrote to memory of 1700	2344	DECB07.EXE	33
PID 2344 wrote to memory of 1700	2344	DECB07.EXE	33
PID 2344 wrote to memory of 316	2344	DECB07.EXE	35
PID 2344 wrote to memory of 316	2344	DECB07.EXE	35
PID 2344 wrote to memory of 316	2344	DECB07.EXE	35
PID 2344 wrote to memory of 316	2344	DECB07.EXE	35
PID 316 wrote to memory of 2084	316	DECB07.EXE	36
PID 316 wrote to memory of 2084	316	DECB07.EXE	36
PID 316 wrote to memory of 2084	316	DECB07.EXE	36
PID 316 wrote to memory of 2084	316	DECB07.EXE	36
PID 316 wrote to memory of 572	316	DECB07.EXE	37
PID 316 wrote to memory of 572	316	DECB07.EXE	37
PID 316 wrote to memory of 572	316	DECB07.EXE	37
PID 316 wrote to memory of 572	316	DECB07.EXE	37
PID 572 wrote to memory of 1716	572	DECB07.EXE	39
PID 572 wrote to memory of 1716	572	DECB07.EXE	39
PID 572 wrote to memory of 1716	572	DECB07.EXE	39
PID 572 wrote to memory of 1716	572	DECB07.EXE	39
PID 572 wrote to memory of 1656	572	DECB07.EXE	40
PID 572 wrote to memory of 1656	572	DECB07.EXE	40
PID 572 wrote to memory of 1656	572	DECB07.EXE	40
PID 572 wrote to memory of 1656	572	DECB07.EXE	40
PID 1656 wrote to memory of 2144	1656	DECB07.EXE	105
PID 1656 wrote to memory of 2144	1656	DECB07.EXE	105
PID 1656 wrote to memory of 2144	1656	DECB07.EXE	105
PID 1656 wrote to memory of 2144	1656	DECB07.EXE	105
PID 1656 wrote to memory of 2456	1656	DECB07.EXE	44
PID 1656 wrote to memory of 2456	1656	DECB07.EXE	44
PID 1656 wrote to memory of 2456	1656	DECB07.EXE	44
PID 1656 wrote to memory of 2456	1656	DECB07.EXE	44
PID 2456 wrote to memory of 1272	2456	DECB07.EXE	45
PID 2456 wrote to memory of 1272	2456	DECB07.EXE	45
PID 2456 wrote to memory of 1272	2456	DECB07.EXE	45
PID 2456 wrote to memory of 1272	2456	DECB07.EXE	45
PID 2456 wrote to memory of 1328	2456	DECB07.EXE	46
PID 2456 wrote to memory of 1328	2456	DECB07.EXE	46
PID 2456 wrote to memory of 1328	2456	DECB07.EXE	46
PID 2456 wrote to memory of 1328	2456	DECB07.EXE	46
PID 1328 wrote to memory of 2472	1328	DECB07.EXE	48
PID 1328 wrote to memory of 2472	1328	DECB07.EXE	48
PID 1328 wrote to memory of 2472	1328	DECB07.EXE	48
PID 1328 wrote to memory of 2472	1328	DECB07.EXE	48
PID 1328 wrote to memory of 392	1328	DECB07.EXE	50
PID 1328 wrote to memory of 392	1328	DECB07.EXE	50
PID 1328 wrote to memory of 392	1328	DECB07.EXE	50
PID 1328 wrote to memory of 392	1328	DECB07.EXE	50
PID 392 wrote to memory of 2104	392	DECB07.EXE	51
PID 392 wrote to memory of 2104	392	DECB07.EXE	51
PID 392 wrote to memory of 2104	392	DECB07.EXE	51
PID 392 wrote to memory of 2104	392	DECB07.EXE	51
PID 392 wrote to memory of 884	392	DECB07.EXE	52
PID 392 wrote to memory of 884	392	DECB07.EXE	52
PID 392 wrote to memory of 884	392	DECB07.EXE	52
PID 392 wrote to memory of 884	392	DECB07.EXE	52

C:\Users\Admin\AppData\Local\Temp\015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\015669113f4cd43538b6ebae14aed713_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\015669113f4cd43538b6ebae14aed713_JaffaCakes118
  2⤵
  PID:2340
- C:\Windows\SysWOW64\B526A5\DECB07.EXE
  C:\Windows\system32\B526A5\DECB07.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B526A5\DECB07
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\B526A5\DECB07.EXE
    C:\Windows\system32\B526A5\DECB07.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B526A5\DECB07
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\B526A5\DECB07.EXE
      C:\Windows\system32\B526A5\DECB07.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
    - - C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1656
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        6⤵
        
        PID:2144
      - C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        7⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        8⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2968
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        13⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1580
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        18⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        20⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        20⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:952
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        24⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        25⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        26⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        26⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        27⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1624
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        28⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        29⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3100
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        30⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        30⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        31⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        31⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        32⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        33⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        33⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3652
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        34⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        34⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        35⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        35⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        36⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        37⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3268
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        38⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        38⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3444
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        39⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        40⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        41⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        42⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        42⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        43⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        44⤵
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        44⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        45⤵
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        45⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        46⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        46⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        47⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        48⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        48⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        49⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4252
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        50⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        51⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        51⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        52⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        52⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:4668
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        53⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        54⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        54⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4812
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        55⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        56⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        57⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        57⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        58⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        58⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        59⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        59⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        60⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        60⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        61⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        61⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        62⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        62⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        63⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        63⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        64⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        64⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        65⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        65⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        66⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        66⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        67⤵
        
        PID:5192
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        67⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        68⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        68⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        69⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        69⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        70⤵
        
        PID:5548
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        70⤵
        
        PID:5580
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        71⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        71⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        72⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        72⤵
        
        PID:5820
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        73⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        73⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        74⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        74⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        75⤵
        
        PID:5156
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        75⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        76⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        76⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        77⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        77⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        78⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        78⤵
        
        PID:5900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        79⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        79⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        80⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        80⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        81⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        81⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        82⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        82⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        83⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        83⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        84⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        84⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        85⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        85⤵
        
        PID:6324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        86⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        86⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        87⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        87⤵
        
        PID:6580
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        88⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        88⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        89⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        89⤵
        
        PID:6844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        90⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        90⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        91⤵
        
        PID:7064
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        91⤵
        
        PID:7096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        92⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        92⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        93⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        93⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        94⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        94⤵
        
        PID:6612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        95⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        95⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        96⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        96⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        97⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        97⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        98⤵
        
        PID:6952
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        98⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        99⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        99⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        100⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        100⤵
        
        PID:7244
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        101⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        101⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        102⤵
        
        PID:7424
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        102⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        103⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        103⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        104⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        104⤵
        
        PID:7712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        105⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        105⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        106⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        106⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        107⤵
        
        PID:8040
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        107⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        108⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        108⤵
        
        PID:6384
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        109⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        109⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        110⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        110⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        111⤵
        
        PID:7736
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        111⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        112⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        112⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        113⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        113⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        114⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        114⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        115⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        115⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        116⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        116⤵
        
        PID:8224
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        117⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        117⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        118⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        118⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        119⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        119⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        120⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        120⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        121⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        121⤵
        
        PID:8848
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        122⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        122⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        123⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        123⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        124⤵
        
        PID:9180
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        124⤵
        
        PID:8240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        125⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        125⤵
        
        PID:8320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        126⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        126⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        127⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        127⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        128⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        128⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        129⤵
        
        PID:8960
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        129⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        130⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        130⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        131⤵
        
        PID:9200
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        131⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        132⤵
        
        PID:8328
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        132⤵
        
        PID:3000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:488

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
PID:1032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:1548

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2960

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:3092

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:3364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3260

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2820

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3384

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4412

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4452

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5476

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6956

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6192

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7832

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8840

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
858fda5ca7c751b2c52e70779373cce8

SHA1
a3cd282a31560627f1d0f0ea506f25db79b1d779

SHA256
b7f1660a0ce7dedaa249da7c77a217dea8c2cd294ce77a2b2cb11ad8b44b48dd

SHA512
ddc1e65803439d2de48a8277f96cb346ca133926e4c3f7a179c8c0e8a3e9c32ab40fc148a8a5954135e5238d38f20d8ae4a72e0f89cda78445eb127de469fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
58fe55f79fcc6460ad209038494f38fc

SHA1
aa660053b82a5f6ff927cd242c5ef132bbe5e669

SHA256
6fa2114a3ab42aa038ba162773d5ad7b0d6a4fde87deb7b39130d9b62f974927

SHA512
43888728512b34c3b0b3ccb5c88c9432a250d88e81df8dd25d68dc583057134bbd4826cc1affa822781340cfd0e53a3a78a81d4d14325f857f145fb6590c287f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
aeb01a5b046e776c6fe9ed69f0dd6980

SHA1
878d05fb3beb9452c40e872c17e0bf75a1d2b336

SHA256
695b2c70e68490ee0d249a5e745669904663abbd1eb3e0469cecc916b92fd553

SHA512
58c095042244430620170779519a350e08b26ef186b23af77c142ecd36a533794121cbf5bd53f294e509bcddafc234b48e19e7cf65b22b66a30d5f206368d3e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
b60e122b276fbc1d7a743c46c059d732

SHA1
a5206bf60bf6783317b50233851d55c0634a8101

SHA256
26dedb1f7e57fa91c0496605802caf49664b67ff3e49d419450c3f3cb1f2e512

SHA512
e6308b7dfa24a94c60084819edc33b808fba0ac7adf427743f373b8fb7c26c663137b49a4c1ab3e1ead8a23f754f9781bfc15f195e8fddff15720d6550b72d9f

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
42e0868c182a032e2791d8120e6d3d47

SHA1
b4a0e566570e79916d14be6fd802460671a950dd

SHA256
b1efb4f995c24fb43478bfce8ac8d008fab42e49e44026dd93eff64970f3807b

SHA512
303f59f83a1b7e1072083b2e9de81d91c8aa4674d187d3169918296f5f3a6622d4eabac585b0ef95d12a3536166175e0bd5a4ded7f43f238e4b9e34df5936aa1

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
c9bbe206cdd55d0326b3531bb01ce3e7

SHA1
9b36d4a38ff570aa9d4a17d5625ddd8f4b426200

SHA256
8c7b9ef2eb3e4dc112d76ca9815c57bc07556b248110aeb5b4ed3f26bb5b774e

SHA512
2987fe5ea434232c4d86a91003dc067ab189f9bcee07eb12999f630fd98cce4360f442c80eebf0a2671eaa4ff1dd1d313515d643dcfec557a27336610e25ac17

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
9ffb0eb90bae23fba51fa8e263f615ae

SHA1
287ec96cae8666f981581336a75dcb302046877b

SHA256
a66f3678886b36042108b19ee369f41dcf689e3c0b2211bd6594dbe0999e0cfc

SHA512
dbdc2404edf92499aa44dc071ff39963e161200dd74a5cf34155bfc9948e0c02b39f60294df3ea25dc04918ebb59530bd8dc9304240b6b7b9863838c1ebb9512

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
cc7a7c61cd0df0e546494bed06ceca8d

SHA1
1b4b28740a56b7be58b675c99033f7ab39af8ce1

SHA256
ce51fffeb63083b11b3e31d7776105295bc5970248d8df6d4132128bace4e1aa

SHA512
0e6e104629f64e5f2879d776f94b05bcc42ad74b23189576913c617e91b650825e0564b6d87a3f1d7c6ae782e65eba20ec5b36f30ed5fc8e6c1209b55605aa76

Download Submit
\Windows\SysWOW64\B526A5\DECB07.EXE

Filesize
1.4MB

MD5
015669113f4cd43538b6ebae14aed713

SHA1
d9229da5e1d349bbdea0f59338f3aa51b6ed4c9c

SHA256
12d7c3950d7cc14a258aa625f547cb911037ff1f1108859f3dc81bd9952f9624

SHA512
e71f75d96fc41838e7ff33f97c5f2e27bfd45e5fe4abda5f600ea07f0bee9ed48b8d7639f1d43d769d931ad502ec1a4e064d86beb512335e9c74eb20c31c8306

Download Submit
memory/316-67-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/316-72-0x0000000001DB0000-0x0000000001DE8000-memory.dmp

Filesize
224KB

Download
memory/316-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/316-143-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/316-73-0x0000000000460000-0x0000000000471000-memory.dmp

Filesize
68KB

Download
memory/316-74-0x00000000004E0000-0x00000000004FE000-memory.dmp

Filesize
120KB

Download
memory/316-68-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/392-170-0x0000000001D40000-0x0000000001D51000-memory.dmp

Filesize
68KB

Download
memory/392-236-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/392-172-0x0000000001EF0000-0x0000000001F32000-memory.dmp

Filesize
264KB

Download
memory/392-168-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/392-171-0x0000000001D80000-0x0000000001D9E000-memory.dmp

Filesize
120KB

Download
memory/392-169-0x00000000004D0000-0x0000000000508000-memory.dmp

Filesize
224KB

Download
memory/488-75-0x0000000003D10000-0x0000000003D20000-memory.dmp

Filesize
64KB

Download
memory/572-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/572-90-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/572-94-0x0000000001D00000-0x0000000001D38000-memory.dmp

Filesize
224KB

Download
memory/572-112-0x0000000001FE0000-0x0000000002022000-memory.dmp

Filesize
264KB

Download
memory/572-111-0x0000000001FE0000-0x0000000002022000-memory.dmp

Filesize
264KB

Download
memory/572-95-0x0000000001D40000-0x0000000001D51000-memory.dmp

Filesize
68KB

Download
memory/572-96-0x0000000001D60000-0x0000000001D7E000-memory.dmp

Filesize
120KB

Download
memory/572-146-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/572-147-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/776-191-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/776-189-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/776-195-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/776-192-0x00000000002F0000-0x000000000030E000-memory.dmp

Filesize
120KB

Download
memory/776-196-0x00000000003B0000-0x00000000003F2000-memory.dmp

Filesize
264KB

Download
memory/776-190-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/884-178-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/884-179-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/884-184-0x0000000001EA0000-0x0000000001EE2000-memory.dmp

Filesize
264KB

Download
memory/884-183-0x0000000001EA0000-0x0000000001EE2000-memory.dmp

Filesize
264KB

Download
memory/884-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/884-238-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/884-180-0x0000000000490000-0x00000000004A1000-memory.dmp

Filesize
68KB

Download
memory/884-181-0x0000000001E10000-0x0000000001E2E000-memory.dmp

Filesize
120KB

Download
memory/1328-158-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1328-159-0x0000000000320000-0x0000000000358000-memory.dmp

Filesize
224KB

Download
memory/1328-163-0x00000000005A0000-0x00000000005E2000-memory.dmp

Filesize
264KB

Download
memory/1328-162-0x00000000005A0000-0x00000000005E2000-memory.dmp

Filesize
264KB

Download
memory/1328-228-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1328-160-0x0000000000480000-0x0000000000491000-memory.dmp

Filesize
68KB

Download
memory/1328-227-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1328-161-0x00000000004D0000-0x00000000004EE000-memory.dmp

Filesize
120KB

Download
memory/1328-157-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-182-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1656-121-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/1656-123-0x00000000004D0000-0x0000000000512000-memory.dmp

Filesize
264KB

Download
memory/1656-113-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1656-116-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/1656-115-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/1656-114-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1656-118-0x0000000000350000-0x000000000036E000-memory.dmp

Filesize
120KB

Download
memory/2004-230-0x0000000002040000-0x0000000002082000-memory.dmp

Filesize
264KB

Download
memory/2004-229-0x0000000002040000-0x0000000002082000-memory.dmp

Filesize
264KB

Download
memory/2004-225-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/2004-226-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/2344-44-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2344-53-0x0000000001D70000-0x0000000001D8E000-memory.dmp

Filesize
120KB

Download
memory/2344-66-0x0000000001E60000-0x0000000001EA2000-memory.dmp

Filesize
264KB

Download
memory/2344-50-0x00000000007A0000-0x00000000007B1000-memory.dmp

Filesize
68KB

Download
memory/2344-32-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-49-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2344-145-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2344-144-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2456-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-152-0x0000000001DF0000-0x0000000001E32000-memory.dmp

Filesize
264KB

Download
memory/2456-149-0x0000000001CA0000-0x0000000001CBE000-memory.dmp

Filesize
120KB

Download
memory/2456-135-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2456-148-0x0000000000550000-0x0000000000561000-memory.dmp

Filesize
68KB

Download
memory/2456-137-0x0000000001D80000-0x0000000001DB8000-memory.dmp

Filesize
224KB

Download
memory/2456-218-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2456-219-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2628-210-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/2628-205-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2628-203-0x0000000000550000-0x0000000000561000-memory.dmp

Filesize
68KB

Download
memory/2628-197-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2628-202-0x0000000000390000-0x00000000003C8000-memory.dmp

Filesize
224KB

Download
memory/2628-204-0x0000000000570000-0x000000000058E000-memory.dmp

Filesize
120KB

Download
memory/2628-211-0x0000000001F00000-0x0000000001F42000-memory.dmp

Filesize
264KB

Download
memory/2968-215-0x0000000001DD0000-0x0000000001DEE000-memory.dmp

Filesize
120KB

Download
memory/2968-214-0x0000000001DB0000-0x0000000001DC1000-memory.dmp

Filesize
68KB

Download
memory/2968-220-0x0000000001EE0000-0x0000000001F22000-memory.dmp

Filesize
264KB

Download
memory/2968-213-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2968-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3024-241-0x0000000001EC0000-0x0000000001ED1000-memory.dmp

Filesize
68KB

Download
memory/3024-240-0x00000000003B0000-0x00000000003E8000-memory.dmp

Filesize
224KB

Download
memory/3056-138-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-14-0x0000000000230000-0x0000000000268000-memory.dmp

Filesize
224KB

Download
memory/3056-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-29-0x0000000002030000-0x0000000002072000-memory.dmp

Filesize
264KB

Download
memory/3056-30-0x0000000002030000-0x0000000002072000-memory.dmp

Filesize
264KB

Download
memory/3056-11-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3056-139-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/3056-19-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/3056-20-0x0000000000550000-0x000000000056E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads