f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3

Analysis

max time kernel
23s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
Size

2.9MB
MD5

2a83c7edac1f4e31de9cda102f47dfc0
SHA1

d4202f3450b1db3a2c588110864cb1d2773233e5
SHA256

f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3
SHA512

18bfc2388b43c56b170e6d5d74f682bbb4079428b682f0c6063c8cc9805017c3ea1a239cb622a3290104d7ac8ba48d94d28a392d3a57df66db6af56db66f345c
SSDEEP

49152:5v4TlAzB2CWOdtmzYXB1UHO/vAZeB/hbTChxKCnFnQXBbrtgb/iQvu0UHOYw:8yyYz/YZeBh6hxvWbrtUTrUHOYw

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 41 IoCs

Processes:

@AEC1C9.tmp.exef55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEWdExt.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXElaunch.exeXP-0EE37CC5.EXEwtmps.exeXP-0EE37CC5.EXEmscaps.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXE

pid	Process
2080	@AEC1C9.tmp.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2284	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2936	WdExt.exe
2728	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2452	launch.exe
2292	XP-0EE37CC5.EXE
2976	wtmps.exe
1556	XP-0EE37CC5.EXE
900	mscaps.exe
2388	XP-0EE37CC5.EXE
2968	XP-0EE37CC5.EXE
1940	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1780	XP-0EE37CC5.EXE
1736	XP-0EE37CC5.EXE
2472	XP-0EE37CC5.EXE
1540	XP-0EE37CC5.EXE
2384	XP-0EE37CC5.EXE
908	XP-0EE37CC5.EXE
1916	XP-0EE37CC5.EXE
2968	XP-0EE37CC5.EXE
1692	XP-0EE37CC5.EXE
1904	XP-0EE37CC5.EXE
2556	XP-0EE37CC5.EXE
3064	XP-0EE37CC5.EXE
1328	XP-0EE37CC5.EXE
2372	XP-0EE37CC5.EXE
852	XP-0EE37CC5.EXE
2500	XP-0EE37CC5.EXE
3228	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3484	XP-0EE37CC5.EXE
3620	XP-0EE37CC5.EXE
3756	XP-0EE37CC5.EXE
3872	XP-0EE37CC5.EXE
4004	XP-0EE37CC5.EXE
2028	XP-0EE37CC5.EXE

Loads dropped DLL 64 IoCs

Processes:

explorer.exe@AEC1C9.tmp.exef55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEcmd.exeWdExt.exeXP-0EE37CC5.EXEcmd.exeXP-0EE37CC5.EXEcmd.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXE

pid	Process
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2080	@AEC1C9.tmp.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2312	cmd.exe
2312	cmd.exe
2396	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2936	WdExt.exe
2728	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2912	cmd.exe
2728	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2912	cmd.exe
2272	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
1624	cmd.exe
1624	cmd.exe
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

launch.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Extension = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Defender\\launch.exe\""	launch.exe

Writes to the Master Boot Record (MBR) 1 TTPs 36 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

XP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEf55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXE

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE

Drops file in System32 directory 4 IoCs

Processes:

f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exewtmps.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
File opened for modification	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
File created	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe
File opened for modification	C:\Windows\SysWOW64\mscaps.exe	wtmps.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

XP-0EE37CC5.EXEexplorer.exemscaps.exeXP-0EE37CC5.EXEexplorer.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEexplorer.exeXP-0EE37CC5.EXEf55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exeXP-0EE37CC5.EXEexplorer.exeXP-0EE37CC5.EXEexplorer.exeXP-0EE37CC5.EXElaunch.exewtmps.exeexplorer.exeXP-0EE37CC5.EXEexplorer.exeexplorer.exeexplorer.execmd.exeexplorer.exeexplorer.exeexplorer.exef55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXE@AEC1C9.tmp.exeXP-0EE37CC5.EXEexplorer.exeXP-0EE37CC5.EXEexplorer.exeexplorer.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEcmd.exeexplorer.exeXP-0EE37CC5.EXEexplorer.exeexplorer.exeexplorer.exeexplorer.exeXP-0EE37CC5.EXEexplorer.exeXP-0EE37CC5.EXEexplorer.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEexplorer.exeXP-0EE37CC5.EXEexplorer.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEexplorer.exeexplorer.exeexplorer.exeexplorer.exeXP-0EE37CC5.EXEexplorer.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscaps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wtmps.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@AEC1C9.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

Processes:

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

@AEC1C9.tmp.exeWdExt.exelaunch.exe

pid	Process
2080	@AEC1C9.tmp.exe
2936	WdExt.exe
2452	launch.exe
2452	launch.exe
2452	launch.exe
2452	launch.exe
2452	launch.exe
2452	launch.exe
2452	launch.exe
2452	launch.exe
2452	launch.exe
2452	launch.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXEXP-0EE37CC5.EXE

pid	Process
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
2284	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
828	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2728	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2272	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
2292	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
1556	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE
2388	XP-0EE37CC5.EXE
2968	XP-0EE37CC5.EXE
2968	XP-0EE37CC5.EXE
2968	XP-0EE37CC5.EXE
2968	XP-0EE37CC5.EXE
2968	XP-0EE37CC5.EXE
2968	XP-0EE37CC5.EXE
1940	XP-0EE37CC5.EXE
1940	XP-0EE37CC5.EXE
1940	XP-0EE37CC5.EXE
1940	XP-0EE37CC5.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exeexplorer.exef55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exeXP-0EE37CC5.EXEXP-0EE37CC5.EXE@AEC1C9.tmp.exeXP-0EE37CC5.EXEcmd.exeWdExt.exeXP-0EE37CC5.EXE

description	pid	Process	procid_target
PID 2312 wrote to memory of 2336	2312	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	30
PID 2312 wrote to memory of 2336	2312	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	30
PID 2312 wrote to memory of 2336	2312	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	30
PID 2312 wrote to memory of 2336	2312	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	30
PID 2312 wrote to memory of 2336	2312	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	30
PID 2312 wrote to memory of 2336	2312	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	30
PID 2336 wrote to memory of 2080	2336	explorer.exe	31
PID 2336 wrote to memory of 2080	2336	explorer.exe	31
PID 2336 wrote to memory of 2080	2336	explorer.exe	31
PID 2336 wrote to memory of 2080	2336	explorer.exe	31
PID 2336 wrote to memory of 2340	2336	explorer.exe	32
PID 2336 wrote to memory of 2340	2336	explorer.exe	32
PID 2336 wrote to memory of 2340	2336	explorer.exe	32
PID 2336 wrote to memory of 2340	2336	explorer.exe	32
PID 2340 wrote to memory of 3012	2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	57
PID 2340 wrote to memory of 3012	2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	57
PID 2340 wrote to memory of 3012	2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	57
PID 2340 wrote to memory of 3012	2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	57
PID 2340 wrote to memory of 2284	2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	35
PID 2340 wrote to memory of 2284	2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	35
PID 2340 wrote to memory of 2284	2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	35
PID 2340 wrote to memory of 2284	2340	f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe	35
PID 2284 wrote to memory of 408	2284	XP-0EE37CC5.EXE	36
PID 2284 wrote to memory of 408	2284	XP-0EE37CC5.EXE	36
PID 2284 wrote to memory of 408	2284	XP-0EE37CC5.EXE	36
PID 2284 wrote to memory of 408	2284	XP-0EE37CC5.EXE	36
PID 2284 wrote to memory of 828	2284	XP-0EE37CC5.EXE	38
PID 2284 wrote to memory of 828	2284	XP-0EE37CC5.EXE	38
PID 2284 wrote to memory of 828	2284	XP-0EE37CC5.EXE	38
PID 2284 wrote to memory of 828	2284	XP-0EE37CC5.EXE	38
PID 828 wrote to memory of 1540	828	XP-0EE37CC5.EXE	89
PID 828 wrote to memory of 1540	828	XP-0EE37CC5.EXE	89
PID 828 wrote to memory of 1540	828	XP-0EE37CC5.EXE	89
PID 828 wrote to memory of 1540	828	XP-0EE37CC5.EXE	89
PID 828 wrote to memory of 2396	828	XP-0EE37CC5.EXE	40
PID 828 wrote to memory of 2396	828	XP-0EE37CC5.EXE	40
PID 828 wrote to memory of 2396	828	XP-0EE37CC5.EXE	40
PID 828 wrote to memory of 2396	828	XP-0EE37CC5.EXE	40
PID 2080 wrote to memory of 2312	2080	@AEC1C9.tmp.exe	42
PID 2080 wrote to memory of 2312	2080	@AEC1C9.tmp.exe	42
PID 2080 wrote to memory of 2312	2080	@AEC1C9.tmp.exe	42
PID 2080 wrote to memory of 2312	2080	@AEC1C9.tmp.exe	42
PID 2080 wrote to memory of 3048	2080	@AEC1C9.tmp.exe	119
PID 2080 wrote to memory of 3048	2080	@AEC1C9.tmp.exe	119
PID 2080 wrote to memory of 3048	2080	@AEC1C9.tmp.exe	119
PID 2080 wrote to memory of 3048	2080	@AEC1C9.tmp.exe	119
PID 2396 wrote to memory of 2536	2396	XP-0EE37CC5.EXE	45
PID 2396 wrote to memory of 2536	2396	XP-0EE37CC5.EXE	45
PID 2396 wrote to memory of 2536	2396	XP-0EE37CC5.EXE	45
PID 2396 wrote to memory of 2536	2396	XP-0EE37CC5.EXE	45
PID 2312 wrote to memory of 2936	2312	cmd.exe	97
PID 2312 wrote to memory of 2936	2312	cmd.exe	97
PID 2312 wrote to memory of 2936	2312	cmd.exe	97
PID 2312 wrote to memory of 2936	2312	cmd.exe	97
PID 2396 wrote to memory of 2728	2396	XP-0EE37CC5.EXE	49
PID 2396 wrote to memory of 2728	2396	XP-0EE37CC5.EXE	49
PID 2396 wrote to memory of 2728	2396	XP-0EE37CC5.EXE	49
PID 2396 wrote to memory of 2728	2396	XP-0EE37CC5.EXE	49
PID 2936 wrote to memory of 2912	2936	WdExt.exe	51
PID 2936 wrote to memory of 2912	2936	WdExt.exe	51
PID 2936 wrote to memory of 2912	2936	WdExt.exe	51
PID 2936 wrote to memory of 2912	2936	WdExt.exe	51
PID 2728 wrote to memory of 2980	2728	XP-0EE37CC5.EXE	52
PID 2728 wrote to memory of 2980	2728	XP-0EE37CC5.EXE	52

C:\Users\Admin\AppData\Local\Temp\f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
"C:\Users\Admin\AppData\Local\Temp\f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Users\Admin\AppData\Local\Temp\@AEC1C9.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\@AEC1C9.tmp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2312
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2936
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
        8⤵
        Loads dropped DLL
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        
        "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\mscaps.exe
        
        "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
      4⤵
      PID:3048
- - C:\Users\Admin\AppData\Local\Temp\f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe
    "C:\Users\Admin\AppData\Local\Temp\f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Users\Admin\AppData\Local\Temp\f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N
      4⤵
      System Location Discovery: System Language Discovery
      PID:3012
  - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
      C:\Windows\system32\XP-0EE37CC5.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        5⤵
        
        PID:408
    - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
      - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        8⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:2272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        9⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2968
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1940
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:296
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        20⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2968
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        24⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        26⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        28⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        28⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2372
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        29⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        30⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        30⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2500
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        31⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        32⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        32⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        33⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        34⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3620
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        35⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        36⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        36⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3972
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        37⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:1328
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        38⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        39⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        40⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        40⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        41⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        41⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        42⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        42⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        43⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        43⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        44⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        44⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        45⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        45⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        46⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        46⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        47⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        47⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        48⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        48⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        49⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        49⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        50⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        50⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        51⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        51⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        52⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        52⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        53⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        53⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        54⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        54⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        55⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        55⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        56⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        56⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        57⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        57⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        58⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        58⤵
        
        PID:4292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        59⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        59⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        60⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        60⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        61⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        61⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        62⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        62⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        63⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        63⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        64⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        64⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        65⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        65⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        66⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        66⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        67⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        67⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        68⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        68⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        69⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        69⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        70⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        70⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        71⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        71⤵
        
        PID:5684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        72⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        72⤵
        
        PID:5864
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        73⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        73⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        74⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        74⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        75⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        75⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        76⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        76⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        77⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        77⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        78⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        78⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        79⤵
        
        PID:5284
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        79⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        80⤵
        
        PID:5668
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        80⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        81⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        81⤵
        
        PID:580
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        82⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        82⤵
        
        PID:6084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        83⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        83⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        84⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        84⤵
        
        PID:6160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        85⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        85⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        86⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        86⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        87⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        87⤵
        
        PID:6592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        88⤵
        
        PID:6712
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        88⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        89⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        89⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        90⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        90⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        91⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        91⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        92⤵
        
        PID:6468
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        92⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        93⤵
        
        PID:6704
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        93⤵
        
        PID:6456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        94⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        94⤵
        
        PID:7036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        95⤵
        
        PID:6912
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        95⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        96⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        96⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        97⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        97⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        98⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        98⤵
        
        PID:6740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3612

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3120

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3940

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1792

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3892

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4388

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4284

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4192

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5388

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6292

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6160

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D9FA.tmp

Filesize
406B

MD5
37512bcc96b2c0c0cf0ad1ed8cfae5cd

SHA1
edf7f17ce28e1c4c82207cab8ca77f2056ea545c

SHA256
27e678bf5dc82219d6edd744f0b82567a26e40f8a9dcd6487205e13058e3ed1f

SHA512
6d4252ab5aa441a76ce2127224fefcb221259ab4d39f06437b269bd6bfdaae009c8f34e9603ec734159553bc9f1359bdd70316cd426d73b171a9f17c41077641

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
a67daddcb30335163cf7d99f282f5ae0

SHA1
c033169006bef68bebfa77405c4a35688ab41a99

SHA256
8027e7512cf17388b14c3e2bbf9c3700f875c26d942a4dd27d1dcf8203a192f8

SHA512
16cb5cffdf935d10bb06b86b874a63e9594e4854359885890fe4641f0e4329fd047daa5f0ddd5a02d241974834b67666b2ad65ef791e110d29637434057808c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
25b794b18bd8d03dc9530111cbce4173

SHA1
a6774d62bd1e9497fdfe6c61c495011fc6c274c6

SHA256
81757b48f2caecd6fd4f6699906e9320704c10b5c5dadc6c796b9809f0359ee4

SHA512
5892dc3c681571b2130695c4e8f598e732462746b9f5b8e7689108e393fb6d4edc32c97ef1f39f0c0abc901a590677f92c1abd1b809e5a875d025f4131d831ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
56e9e121d68b5631a360d56b2ef4777f

SHA1
e9d11a2baf46769c90ee1671cd17072efd8cfb52

SHA256
c247997b04fc5535bb07ab43c3628326c6365aa6a0bd82a6f380b8ab66a09d2f

SHA512
1ef52e0283d286a308fa1c927ff12aa43975a49d94d9386ee4a02b7e4f47de2e239a340a4427534c73c0039ea2c249e91b68f2dce1dfebf13c9879c4ea60b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
68KB

MD5
1518651c682109e9b9c304c9c109d777

SHA1
6c440810bf11907fc16dbca17a9494377c0bdcf1

SHA256
0496ea1f78bf11204491388bc9c1dfbb49bebdaeffe32717bffdf688b148bfaa

SHA512
e6e03475b37f8463ac47dd559b31b81e254b07280e083200e21cc66f022c8730d45924776684d96e6bc1ce2d5cf9350a13ca37cda966de1c430eeec602e00535

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCD00.tmp

Filesize
229KB

MD5
6f90e1169d19dfde14d6f753f06c862b

SHA1
e9bca93c68d7df73d000f4a6e6eb73a343682ac5

SHA256
70a392389aecd0f58251e72c3fd7e9159f481061d14209ff8708a0fd9ff584dc

SHA512
f0c898222e9578c01ebe1befac27a3fb68d8fb6e76c7d1dec7a8572c1aa3201bacf1e69aa63859e95606790cf09962bcf7dc33b770a6846bed5bd7ded957b0b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe

Filesize
1.7MB

MD5
7297d71f32784b7d133ee9ce4d97ac5a

SHA1
04729ce3c06d8421c92d2c60ea22d0504d7731ce

SHA256
7bc20382be7dd55ffcd839d2315a00d9dfba7576267aefb60627b2a2b299b67f

SHA512
2e459d9c4c7a652131c1e23a9a40b71e1cdc8bfb0e350570fd2f27c7d2a596ddb1d69f403d5f9b495cc73589df90ad89f3e76ca25efe9d0380fc75e08bb33e8f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat

Filesize
129B

MD5
d1073c9b34d1bbd570928734aacff6a5

SHA1
78714e24e88d50e0da8da9d303bec65b2ee6d903

SHA256
b3c704b1a728004fc5e25899d72930a7466d7628dd6ddd795b3000897dfa4020

SHA512
4f2b9330e30fcc55245dc5d12311e105b2b2b9d607fbfc4a203c69a740006f0af58d6a01e2da284575a897528da71a2e61a7321034755b78feb646c8dd12347f

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
196B

MD5
aae01b3a3f40254f4ac51739f44bbf7f

SHA1
dddf0c88cec93759a3e2a8b314a3a321ea3e4339

SHA256
7118a4fad34544f7ad67bde13441f2abb82f9b053749151fd291620276769513

SHA512
a994e74cc6b96df87afeb58e87eb4a2939b3292140ca0afd9c251c5f20affbb98bff66661db10b69b52998ed8a9b0a0703a0f3ea309d707bff05babcc7f9f30e

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat

Filesize
102B

MD5
aca8fb2d8abe1a36a06584a491e51af1

SHA1
fd989834258db1e2637365f1dd47bd0e1aa0194f

SHA256
00e5f00b8ea8adfa2ebc74110fa32c920b25ce8d447dc65f367f5eae12458942

SHA512
717f665916a1347a7b2671afd8b328539d70d15d5c0bb6a788fa20d65dfa000f2ed00a40b791d4b3d9960071b98f47fb79cb8f0e0d16eda610666d3de12bc090

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat

Filesize
126B

MD5
879ddcc300f3d67137ece64d07d81588

SHA1
3360d5bff13d9a40cb3ce33f43edaf10b67ce0d6

SHA256
fbf3936ece1235301a8488120fd9225a6d5a11c1c3a11f8615e9760a10af4762

SHA512
62c4cd122c47d82fb3a24dd893f183e15b795f3fa9cbfe68bff330e574a03ee727a28afdc2c59abaccbdb8e47ab17d55e8dbc6399fc6504754cf7e32ce60226d

Download Submit
C:\Windows\SysWOW64\mscaps.exe

Filesize
200KB

MD5
78d3c8705f8baf7d34e6a6737d1cfa18

SHA1
9f09e248a29311dbeefae9d85937b13da042a010

SHA256
2c4c9ec8e9291ba5c73f641af2e0c3e1bbd257ac40d9fb9d3faab7cebc978905

SHA512
9a3c3175276da58f1bc8d1138e63238c8d8ccfbfa1a8a1338e88525eca47f8d745158bb34396b7c3f25e4296be5f45a71781da33ad0bbdf7ad88a9c305b85609

Download Submit
\Users\Admin\AppData\Local\Temp\@AEC1C9.tmp.exe

Filesize
1.7MB

MD5
3cfa40fd45c44a9a53bdcc8ae947994e

SHA1
9c9b8d996f0ed64c21585a63016ed83315e28dbb

SHA256
dbc49d26615381166fa4d514777fce25c8b89e4db7f55b3f93a3d65ad1c3021c

SHA512
980c16e1ca6b40103bca50ade00014fdc7f90d65630a4c1aeb954def9cce047191af9864ede01da58fa51d60dd2ea9e1778855f6f19a0fcca57a7ebf13f570bb

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
260KB

MD5
ce2f773275d3fe8b78f4cf067d5e6a0f

SHA1
b7135e34d46eb4303147492d5cee5e1ef7b392ab

SHA256
eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d

SHA512
d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
1081d7eb7a17faedfa588b93fc85365e

SHA1
884e264fa37bfb9e71d24f3f5c7554fdf94a8b9f

SHA256
0351d055cf1e194302ab125cc93208a8c733efb45dc301ca6e7e2a4051f411e0

SHA512
1ff9e7c495b9e005c8d3b56219794c31d804fe1944429e3d4fe013fd8fcb3f51c02b588748c7d9d869fdb115851932e8db4e6792aecd9c83f28237702582ba81

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
d54753e7fc3ea03aec0181447969c0e8

SHA1
824e7007b6569ae36f174c146ae1b7242f98f734

SHA256
192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9

SHA512
c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

Download Submit
\Users\Admin\AppData\Local\Temp\f55c064aa77c0955914a5c79e8392af0dcea96024af64b8d156ed6a5592083e3N.exe

Filesize
1.2MB

MD5
c4fe3d8edfed021b6bbc5ad6cdb0f5e4

SHA1
2cd1d0a687effdb1d07aaba33f77b12b5e07495e

SHA256
b7174f39daca66574d7f2807e88fe61f32ef5d3d656d8ab6f65a0c6ee8f1ba59

SHA512
015b4d9b099499855893373dd2cdc7f3568ab08005ee08d6b0d2ece00c0b93ef23b254fcaf1fec493197eb632ca3fc6528083ca715c679d7c326418e5ded0ac3

Download Submit
\Users\Admin\AppData\Roaming\Temp\mydll.dll

Filesize
202KB

MD5
7ff15a4f092cd4a96055ba69f903e3e9

SHA1
a3d338a38c2b92f95129814973f59446668402a8

SHA256
1b594e6d057c632abb3a8cf838157369024bd6b9f515ca8e774b22fe71a11627

SHA512
4b015d011c14c7e10568c09bf81894681535efb7d76c3ef9071fffb3837f62b36e695187b2d32581a30f07e79971054e231a2ca4e8ad7f0f83d5876f8c086dae

Download Submit
memory/828-244-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/828-251-0x0000000001F70000-0x0000000001F9A000-memory.dmp

Filesize
168KB

Download
memory/828-249-0x0000000000870000-0x0000000000881000-memory.dmp

Filesize
68KB

Download
memory/828-253-0x0000000001F70000-0x0000000001F9A000-memory.dmp

Filesize
168KB

Download
memory/828-247-0x0000000000840000-0x000000000085E000-memory.dmp

Filesize
120KB

Download
memory/828-394-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/852-675-0x0000000001D80000-0x0000000001DAA000-memory.dmp

Filesize
168KB

Download
memory/852-702-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/852-676-0x0000000001D80000-0x0000000001DAA000-memory.dmp

Filesize
168KB

Download
memory/908-609-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1328-682-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1540-589-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1556-455-0x0000000000230000-0x000000000027A000-memory.dmp

Filesize
296KB

Download
memory/1556-457-0x0000000000550000-0x000000000056E000-memory.dmp

Filesize
120KB

Download
memory/1556-492-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1692-640-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1736-569-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1780-559-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1780-528-0x0000000001FC0000-0x0000000001FEA000-memory.dmp

Filesize
168KB

Download
memory/1904-650-0x0000000001FC0000-0x0000000001FEA000-memory.dmp

Filesize
168KB

Download
memory/1904-651-0x0000000001FC0000-0x0000000001FEA000-memory.dmp

Filesize
168KB

Download
memory/1904-619-0x0000000001FC0000-0x0000000001FEA000-memory.dmp

Filesize
168KB

Download
memory/1904-649-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1904-620-0x0000000001FC0000-0x0000000001FEA000-memory.dmp

Filesize
168KB

Download
memory/1916-622-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1924-875-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1940-493-0x00000000022C0000-0x00000000022EA000-memory.dmp

Filesize
168KB

Download
memory/1940-482-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1940-540-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1992-518-0x0000000000490000-0x00000000004BA000-memory.dmp

Filesize
168KB

Download
memory/1992-550-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2028-797-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2068-229-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download
memory/2072-444-0x0000000000C20000-0x0000000000CA0000-memory.dmp

Filesize
512KB

Download
memory/2072-443-0x00000000777E0000-0x00000000778DA000-memory.dmp

Filesize
1000KB

Download
memory/2072-445-0x0000000000D00000-0x0000000000D80000-memory.dmp

Filesize
512KB

Download
memory/2072-442-0x00000000776C0000-0x00000000777DF000-memory.dmp

Filesize
1.1MB

Download
memory/2080-13-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2272-471-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2272-422-0x0000000001E80000-0x0000000001E9E000-memory.dmp

Filesize
120KB

Download
memory/2272-420-0x0000000000820000-0x000000000086A000-memory.dmp

Filesize
296KB

Download
memory/2284-225-0x0000000001D50000-0x0000000001D6E000-memory.dmp

Filesize
120KB

Download
memory/2284-228-0x0000000001D70000-0x0000000001D81000-memory.dmp

Filesize
68KB

Download
memory/2284-322-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2284-221-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/2292-481-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2292-440-0x00000000006A0000-0x00000000006BE000-memory.dmp

Filesize
120KB

Download
memory/2292-441-0x00000000006D0000-0x00000000006E1000-memory.dmp

Filesize
68KB

Download
memory/2336-0-0x0000000000191000-0x0000000000192000-memory.dmp

Filesize
4KB

Download
memory/2336-23-0x0000000002760000-0x000000000278A000-memory.dmp

Filesize
168KB

Download
memory/2336-22-0x0000000002760000-0x000000000278A000-memory.dmp

Filesize
168KB

Download
memory/2340-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2340-190-0x0000000000390000-0x00000000003DA000-memory.dmp

Filesize
296KB

Download
memory/2340-310-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2340-194-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/2340-197-0x0000000000450000-0x0000000000461000-memory.dmp

Filesize
68KB

Download
memory/2372-665-0x0000000001DC0000-0x0000000001DEA000-memory.dmp

Filesize
168KB

Download
memory/2372-664-0x0000000001DC0000-0x0000000001DEA000-memory.dmp

Filesize
168KB

Download
memory/2372-688-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2384-599-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2388-468-0x0000000000520000-0x000000000053E000-memory.dmp

Filesize
120KB

Download
memory/2388-519-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2388-469-0x0000000000540000-0x0000000000551000-memory.dmp

Filesize
68KB

Download
memory/2388-466-0x00000000004B0000-0x00000000004FA000-memory.dmp

Filesize
296KB

Download
memory/2396-268-0x00000000005E0000-0x00000000005FE000-memory.dmp

Filesize
120KB

Download
memory/2396-265-0x0000000001D10000-0x0000000001D5A000-memory.dmp

Filesize
296KB

Download
memory/2396-432-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2452-416-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/2472-579-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-791-0x0000000002010000-0x000000000203A000-memory.dmp

Filesize
168KB

Download
memory/2500-708-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-815-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2500-792-0x0000000002010000-0x000000000203A000-memory.dmp

Filesize
168KB

Download
memory/2556-621-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2556-652-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2728-460-0x0000000001EC0000-0x0000000001EEA000-memory.dmp

Filesize
168KB

Download
memory/2728-411-0x0000000001EC0000-0x0000000001EEA000-memory.dmp

Filesize
168KB

Download
memory/2728-408-0x0000000001CD0000-0x0000000001CEE000-memory.dmp

Filesize
120KB

Download
memory/2728-409-0x0000000001EA0000-0x0000000001EB1000-memory.dmp

Filesize
68KB

Download
memory/2728-459-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-529-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-479-0x0000000000560000-0x0000000000571000-memory.dmp

Filesize
68KB

Download
memory/2968-530-0x0000000000580000-0x00000000005AA000-memory.dmp

Filesize
168KB

Download
memory/2968-631-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2968-476-0x0000000000430000-0x000000000047A000-memory.dmp

Filesize
296KB

Download
memory/3064-672-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3112-845-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3112-825-0x0000000001E40000-0x0000000001E6A000-memory.dmp

Filesize
168KB

Download
memory/3112-826-0x0000000001E40000-0x0000000001E6A000-memory.dmp

Filesize
168KB

Download
memory/3228-724-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3228-697-0x0000000001F70000-0x0000000001F9A000-memory.dmp

Filesize
168KB

Download
memory/3356-734-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3372-780-0x0000000000550000-0x000000000057A000-memory.dmp

Filesize
168KB

Download
memory/3372-809-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3484-744-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3620-750-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3620-728-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3620-729-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/3640-838-0x0000000001F20000-0x0000000001F4A000-memory.dmp

Filesize
168KB

Download
memory/3640-859-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3668-898-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3692-887-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3692-870-0x0000000001D70000-0x0000000001D9A000-memory.dmp

Filesize
168KB

Download
memory/3744-803-0x0000000000530000-0x000000000055A000-memory.dmp

Filesize
168KB

Download
memory/3744-831-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3744-804-0x0000000000530000-0x000000000055A000-memory.dmp

Filesize
168KB

Download
memory/3756-739-0x0000000001F40000-0x0000000001F6A000-memory.dmp

Filesize
168KB

Download
memory/3756-757-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3764-849-0x0000000001F90000-0x0000000001FBA000-memory.dmp

Filesize
168KB

Download
memory/3764-866-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3872-769-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3956-836-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3968-890-0x0000000000560000-0x000000000058A000-memory.dmp

Filesize
168KB

Download
memory/3968-908-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4004-760-0x0000000001EA0000-0x0000000001ECA000-memory.dmp

Filesize
168KB

Download
memory/4004-781-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4116-917-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4260-911-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download
memory/4260-929-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4396-937-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4544-950-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4668-943-0x00000000020E0000-0x000000000210A000-memory.dmp

Filesize
168KB

Download
memory/4668-960-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4808-970-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4960-979-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5084-974-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/5084-991-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download