9ff55a68b721f190f86b156bf4726eaf0b06316d8645fcda82f5ed0e036e07ed

Analysis

max time kernel
35s
max time network
151s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 17:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
Size

1.3MB
MD5

8adf768201ecbc080e52ab55c3bca594
SHA1

cf4f72aea83920b08f095650d1bcfd0f369fa78f
SHA256

9ff55a68b721f190f86b156bf4726eaf0b06316d8645fcda82f5ed0e036e07ed
SHA512

55771078f8ace7cfb8c9d1e6bbde94b14296b9a3a5fa87afce95e4144019ab8bbccb51ea54d698f4856928bbbb562e9984579ba73cbbfc7f344ce26320a9b576
SSDEEP

24576:N0VMiM3gR5LhihDZ/Kq6sAVZSW0E4JkjV4WU0ZYIo2zYPkc1BHoUq9uH0upu:N6MVgR5LqZKq6sAVd0BJkBHWtPjTI9ek

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 47 IoCs

pid	Process
780	DECB07.EXE
2788	DECB07.EXE
2324	DECB07.EXE
1808	DECB07.EXE
2488	DECB07.EXE
2116	DECB07.EXE
920	DECB07.EXE
2348	DECB07.EXE
1552	DECB07.EXE
1948	DECB07.EXE
2844	DECB07.EXE
1720	DECB07.EXE
1892	DECB07.EXE
3048	DECB07.EXE
1844	DECB07.EXE
1160	DECB07.EXE
936	DECB07.EXE
1600	DECB07.EXE
2700	DECB07.EXE
2236	DECB07.EXE
1208	DECB07.EXE
3068	DECB07.EXE
2228	DECB07.EXE
2304	DECB07.EXE
2532	DECB07.EXE
2600	DECB07.EXE
3064	DECB07.EXE
3084	DECB07.EXE
3216	DECB07.EXE
3344	DECB07.EXE
3472	DECB07.EXE
3612	DECB07.EXE
3740	DECB07.EXE
3876	DECB07.EXE
4024	DECB07.EXE
3180	DECB07.EXE
3412	DECB07.EXE
3648	DECB07.EXE
3708	DECB07.EXE
4056	DECB07.EXE
3352	DECB07.EXE
4028	DECB07.EXE
3092	DECB07.EXE
3332	DECB07.EXE
3420	DECB07.EXE
3748	DECB07.EXE
3152	DECB07.EXE

Loads dropped DLL 64 IoCs

pid	Process
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
780	DECB07.EXE
780	DECB07.EXE
780	DECB07.EXE
780	DECB07.EXE
780	DECB07.EXE
780	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1948	DECB07.EXE
1948	DECB07.EXE
1948	DECB07.EXE
1948	DECB07.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 47 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE
File opened for modification	\??\PhysicalDrive0	DECB07.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\04764D\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\B526A5\DECB07.EXE	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\02A732\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE
File opened for modification	C:\Windows\SysWOW64\06794E\	DECB07.EXE
File created	C:\Windows\SysWOW64\B526A5\DECB07.EXE	DECB07.EXE

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DECB07.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
780	DECB07.EXE
780	DECB07.EXE
780	DECB07.EXE
780	DECB07.EXE
780	DECB07.EXE
780	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2788	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
2324	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
1808	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2488	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
2116	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
920	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
2348	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1552	DECB07.EXE
1948	DECB07.EXE
1948	DECB07.EXE
1948	DECB07.EXE
1948	DECB07.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 2556	2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe	30
PID 2480 wrote to memory of 2556	2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe	30
PID 2480 wrote to memory of 2556	2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe	30
PID 2480 wrote to memory of 2556	2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe	30
PID 2480 wrote to memory of 780	2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe	32
PID 2480 wrote to memory of 780	2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe	32
PID 2480 wrote to memory of 780	2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe	32
PID 2480 wrote to memory of 780	2480	JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe	32
PID 780 wrote to memory of 2248	780	DECB07.EXE	33
PID 780 wrote to memory of 2248	780	DECB07.EXE	33
PID 780 wrote to memory of 2248	780	DECB07.EXE	33
PID 780 wrote to memory of 2248	780	DECB07.EXE	33
PID 780 wrote to memory of 2788	780	DECB07.EXE	34
PID 780 wrote to memory of 2788	780	DECB07.EXE	34
PID 780 wrote to memory of 2788	780	DECB07.EXE	34
PID 780 wrote to memory of 2788	780	DECB07.EXE	34
PID 2788 wrote to memory of 2328	2788	DECB07.EXE	36
PID 2788 wrote to memory of 2328	2788	DECB07.EXE	36
PID 2788 wrote to memory of 2328	2788	DECB07.EXE	36
PID 2788 wrote to memory of 2328	2788	DECB07.EXE	36
PID 2788 wrote to memory of 2324	2788	DECB07.EXE	37
PID 2788 wrote to memory of 2324	2788	DECB07.EXE	37
PID 2788 wrote to memory of 2324	2788	DECB07.EXE	37
PID 2788 wrote to memory of 2324	2788	DECB07.EXE	37
PID 2324 wrote to memory of 2020	2324	DECB07.EXE	70
PID 2324 wrote to memory of 2020	2324	DECB07.EXE	70
PID 2324 wrote to memory of 2020	2324	DECB07.EXE	70
PID 2324 wrote to memory of 2020	2324	DECB07.EXE	70
PID 2324 wrote to memory of 1808	2324	DECB07.EXE	40
PID 2324 wrote to memory of 1808	2324	DECB07.EXE	40
PID 2324 wrote to memory of 1808	2324	DECB07.EXE	40
PID 2324 wrote to memory of 1808	2324	DECB07.EXE	40
PID 1808 wrote to memory of 2772	1808	DECB07.EXE	42
PID 1808 wrote to memory of 2772	1808	DECB07.EXE	42
PID 1808 wrote to memory of 2772	1808	DECB07.EXE	42
PID 1808 wrote to memory of 2772	1808	DECB07.EXE	42
PID 1808 wrote to memory of 2488	1808	DECB07.EXE	44
PID 1808 wrote to memory of 2488	1808	DECB07.EXE	44
PID 1808 wrote to memory of 2488	1808	DECB07.EXE	44
PID 1808 wrote to memory of 2488	1808	DECB07.EXE	44
PID 2488 wrote to memory of 1856	2488	DECB07.EXE	76
PID 2488 wrote to memory of 1856	2488	DECB07.EXE	76
PID 2488 wrote to memory of 1856	2488	DECB07.EXE	76
PID 2488 wrote to memory of 1856	2488	DECB07.EXE	76
PID 2488 wrote to memory of 2116	2488	DECB07.EXE	47
PID 2488 wrote to memory of 2116	2488	DECB07.EXE	47
PID 2488 wrote to memory of 2116	2488	DECB07.EXE	47
PID 2488 wrote to memory of 2116	2488	DECB07.EXE	47
PID 2116 wrote to memory of 1700	2116	DECB07.EXE	48
PID 2116 wrote to memory of 1700	2116	DECB07.EXE	48
PID 2116 wrote to memory of 1700	2116	DECB07.EXE	48
PID 2116 wrote to memory of 1700	2116	DECB07.EXE	48
PID 2116 wrote to memory of 920	2116	DECB07.EXE	50
PID 2116 wrote to memory of 920	2116	DECB07.EXE	50
PID 2116 wrote to memory of 920	2116	DECB07.EXE	50
PID 2116 wrote to memory of 920	2116	DECB07.EXE	50
PID 920 wrote to memory of 2516	920	DECB07.EXE	51
PID 920 wrote to memory of 2516	920	DECB07.EXE	51
PID 920 wrote to memory of 2516	920	DECB07.EXE	51
PID 920 wrote to memory of 2516	920	DECB07.EXE	51
PID 920 wrote to memory of 2348	920	DECB07.EXE	52
PID 920 wrote to memory of 2348	920	DECB07.EXE	52
PID 920 wrote to memory of 2348	920	DECB07.EXE	52
PID 920 wrote to memory of 2348	920	DECB07.EXE	52

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8adf768201ecbc080e52ab55c3bca594.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8adf768201ecbc080e52ab55c3bca594
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Windows\SysWOW64\B526A5\DECB07.EXE
  C:\Windows\system32\B526A5\DECB07.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:780
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\B526A5\DECB07
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2248
- - C:\Windows\SysWOW64\B526A5\DECB07.EXE
    C:\Windows\system32\B526A5\DECB07.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\B526A5\DECB07
      4⤵
      System Location Discovery: System Language Discovery
      PID:2328
  - - C:\Windows\SysWOW64\B526A5\DECB07.EXE
      C:\Windows\system32\B526A5\DECB07.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        5⤵
        
        PID:2020
    - - C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
      - C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        8⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2348
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        10⤵
        
        PID:792
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1948
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        15⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        16⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        18⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2732
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        20⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:1208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        23⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        24⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        26⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2532
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:2600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        28⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3064
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        29⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        30⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3304
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        31⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        32⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        33⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        34⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        35⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        35⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        36⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:4024
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        37⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        38⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        39⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        40⤵
        
        PID:3760
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        40⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        41⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        41⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        42⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        43⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        44⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        44⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        45⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        45⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        
        PID:3332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        46⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        47⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        49⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        49⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        50⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        50⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        51⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        51⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        52⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        52⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        53⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        53⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        54⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        54⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        55⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        55⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        56⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        56⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        57⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        57⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        58⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        58⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        59⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        59⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        60⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        60⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        61⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        61⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        62⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        62⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        63⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        63⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        64⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        64⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        65⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        65⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        66⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        66⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        67⤵
        
        PID:5180
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        67⤵
        
        PID:5220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        68⤵
        
        PID:5276
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        68⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        69⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        69⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        70⤵
        
        PID:5488
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        70⤵
        
        PID:5528
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        71⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        71⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        72⤵
        
        PID:5720
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        72⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        73⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        73⤵
        
        PID:5904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        74⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        74⤵
        
        PID:6020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        75⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        75⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        76⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        76⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        77⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        77⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        78⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        78⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        79⤵
        
        PID:6108
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        79⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        80⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        80⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        81⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        81⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        82⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        82⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        83⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        83⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        84⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        84⤵
        
        PID:5280
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        85⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        85⤵
        
        PID:6272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        86⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        86⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        87⤵
        
        PID:6476
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        87⤵
        
        PID:6520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        88⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        88⤵
        
        PID:6640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        89⤵
        
        PID:6716
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        89⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        90⤵
        
        PID:6828
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        90⤵
        
        PID:6864
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        91⤵
        
        PID:6948
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        91⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        92⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        92⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        93⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        93⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        94⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        94⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        95⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        95⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        96⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        96⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        97⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        97⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        98⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        98⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        99⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        99⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        100⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        100⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        101⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        101⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        102⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        102⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        103⤵
        
        PID:7556
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        103⤵
        
        PID:7604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        104⤵
        
        PID:7684
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        104⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        105⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        105⤵
        
        PID:7828
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        106⤵
        
        PID:7908
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        106⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        107⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        107⤵
        
        PID:8084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        108⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        108⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        109⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        109⤵
        
        PID:7328
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        110⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        110⤵
        
        PID:7560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        111⤵
        
        PID:7840
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        111⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        112⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        112⤵
        
        PID:7832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        113⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        113⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        114⤵
        
        PID:7432
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        114⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        115⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        115⤵
        
        PID:6760
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        116⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        116⤵
        
        PID:7344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        117⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        117⤵
        
        PID:8304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        118⤵
        
        PID:8372
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        118⤵
        
        PID:8452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        119⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        119⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        120⤵
        
        PID:8616
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        120⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        121⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        121⤵
        
        PID:8788
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        122⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        122⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        123⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        123⤵
        
        PID:9060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        124⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        124⤵
        
        PID:9184
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        125⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        125⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        126⤵
        
        PID:680
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        126⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        127⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        127⤵
        
        PID:8560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\B526A5\DECB07
        128⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\B526A5\DECB07.EXE
        
        C:\Windows\system32\B526A5\DECB07.EXE
        128⤵
        
        PID:8652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1276

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1612

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1672

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2840

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2940

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2128

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2880

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3308

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3648

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4192

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4476

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4528

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5412

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5648

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4524

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5284

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5672

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6532

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7820

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7192

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7328

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8376

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8552

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_N4\cnvpe.fne

Filesize
60KB

MD5
5369ae42bc95522097f3a24e5cb32870

SHA1
310b107bfdec880e64b9604a5a65732b2e5e34ee

SHA256
35dbc4e58eebe9b1521d5d7b60e8f626fe7a8b6b2b1e2b4bf3314b4c3af1f84a

SHA512
740f944f0a66e7c39f63918418d3dac017670ede06e249a1a45ac0b2ec300454b5cb60258e7d5d06031308c67a1db28015e943e54fd41a89fadbb756406f97ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\eAPI.fne

Filesize
316KB

MD5
f295d8436cf3489078307d3df09c92f3

SHA1
8771afdb55ce0e0e55a5ecca6d2c8dd09b159305

SHA256
20cbbd25094529e9da14056dee56772a3ece3ad6d7b4a376a808e790faa7dd12

SHA512
ac76c6e5055e98fe2e7ca763bab2640e131f747ccba87fe91068b880217758e2d17434d7764dc98fa0099a2a8952c98d4b9b97d31452ae711a903a08c92fcb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\internet.fne

Filesize
180KB

MD5
c36a16c914ca9f0810a0ba8ce84c01b3

SHA1
6f9f831f59e2ddd40b0d33f653c3712d0db32927

SHA256
6e946848cd82885492119cc2bb5ed34ed0f6026ef4c09421c0f2fd83c287a955

SHA512
8a38105efbd9093d578c0af02e82fe510f6aa674707231b690c3d6607e3d9a6225c45e6786f9b92d2b63f42d1c1c8d1f146d66d62158dd68321a1580ab4299fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_N4\spec.fne

Filesize
72KB

MD5
c35c2a58afe90168d3477321327088d3

SHA1
099067c0e66acc4449140e4fc27b9c4053a81467

SHA256
234bd19dc70982b5ad0dee3c8b072d71527ddfeafc4e5243691c5538dfe1f167

SHA512
a84d14564b0024d0afbfdbf259884547f0bc25bf2bb922eadf0ec3cb4e513428fad587b8369a65c641df870325316e91df79f175d6cbe6c412961b765bb9967a

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\HtmlView.fne

Filesize
212KB

MD5
b209400e6af522bd384d4e2eb0f1ecaa

SHA1
e640fe6e6d0040b1aa79fa36655d94888414f5d5

SHA256
f1adcd494a8534544329612e20784b46a008042c791b6556f6105b7a4d248817

SHA512
8a165a5ccf52cc0b35bdf28c302640933f0d5fb4a1136ba2b7b2598fcb84a5409178b2153d0555d2bb8247fd409539fa679229b5b1b808a6cc07a63cfd73c602

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\dp1.fne

Filesize
112KB

MD5
473d8df06f2e081fccc8808bdf06e6e0

SHA1
1603e2bcb2627e95701fd9fa810787e0a1b230fc

SHA256
2666ad63cbf95a1b5e14e6f726d3c2312da03e2a14a6ea589898fffbd4fbb33a

SHA512
b6215c0b2f1c658159a25da597409c83ed6e4b932e39c6aeb3010c1ac1436c9b8221730eecb04cde2a0891b49d98245d2f6823959cf4344838bf643ff8e1af5c

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\krnln.fnr

Filesize
1.1MB

MD5
ef9e0d912950be39301387484e90e746

SHA1
00e6b445646b983a7126f5199a7ae15f58aae48a

SHA256
5ef7a11ae5f58a1fae22d5e29bd79f635b236bb064b66ae21200cd5e4ea47577

SHA512
eabececa2bc41897d18e4a35950b5200c4a6f5c4e829aa8ee1a93fb1c49cd84d281b481475d0c2680813d4228ae277697a72b1042ce00550cc417ae7f8d1cfb0

Download Submit
\Users\Admin\AppData\Local\Temp\E_N4\shell.fne

Filesize
40KB

MD5
0d416f555b98f048a005819952cc3f00

SHA1
dbef52af181d65e245a372a1de52b1ac056e7e88

SHA256
f98a620f68e6241ca69962bdd66d129fbb2b13debceb8e8edec741d42600c10a

SHA512
018d0f1660640a347f6951a135b7f7c07b10df3d131189bfde959b7edf3c6168acc63116d7d88c23e2e162b1e72397315b688da996cc09a6bac3c4ee9c5ed738

Download Submit
\Windows\SysWOW64\B526A5\DECB07.EXE

Filesize
1.3MB

MD5
8adf768201ecbc080e52ab55c3bca594

SHA1
cf4f72aea83920b08f095650d1bcfd0f369fa78f

SHA256
9ff55a68b721f190f86b156bf4726eaf0b06316d8645fcda82f5ed0e036e07ed

SHA512
55771078f8ace7cfb8c9d1e6bbde94b14296b9a3a5fa87afce95e4144019ab8bbccb51ea54d698f4856928bbbb562e9984579ba73cbbfc7f344ce26320a9b576

Download Submit
memory/744-60-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download
memory/780-53-0x0000000000560000-0x000000000057E000-memory.dmp

Filesize
120KB

Download
memory/780-33-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/780-145-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/780-58-0x0000000000810000-0x0000000000841000-memory.dmp

Filesize
196KB

Download
memory/780-47-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/780-44-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/780-57-0x0000000000810000-0x0000000000841000-memory.dmp

Filesize
196KB

Download
memory/780-52-0x0000000000540000-0x0000000000551000-memory.dmp

Filesize
68KB

Download
memory/780-144-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/920-169-0x0000000002310000-0x0000000002341000-memory.dmp

Filesize
196KB

Download
memory/920-161-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/920-166-0x0000000001CD0000-0x0000000001D08000-memory.dmp

Filesize
224KB

Download
memory/920-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/920-170-0x0000000002310000-0x0000000002341000-memory.dmp

Filesize
196KB

Download
memory/920-168-0x0000000001D40000-0x0000000001D5E000-memory.dmp

Filesize
120KB

Download
memory/920-167-0x0000000001D10000-0x0000000001D21000-memory.dmp

Filesize
68KB

Download
memory/920-212-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1552-191-0x0000000002000000-0x0000000002031000-memory.dmp

Filesize
196KB

Download
memory/1552-192-0x0000000002000000-0x0000000002031000-memory.dmp

Filesize
196KB

Download
memory/1552-234-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1552-233-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1552-188-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1552-190-0x0000000001D70000-0x0000000001D8E000-memory.dmp

Filesize
120KB

Download
memory/1552-189-0x0000000001D50000-0x0000000001D61000-memory.dmp

Filesize
68KB

Download
memory/1720-223-0x0000000001F70000-0x0000000001F81000-memory.dmp

Filesize
68KB

Download
memory/1720-225-0x0000000001FB0000-0x0000000001FE1000-memory.dmp

Filesize
196KB

Download
memory/1720-226-0x0000000001FB0000-0x0000000001FE1000-memory.dmp

Filesize
196KB

Download
memory/1720-224-0x0000000001F90000-0x0000000001FAE000-memory.dmp

Filesize
120KB

Download
memory/1808-181-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1808-112-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1808-121-0x0000000001EE0000-0x0000000001F11000-memory.dmp

Filesize
196KB

Download
memory/1808-113-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1808-122-0x0000000001EE0000-0x0000000001F11000-memory.dmp

Filesize
196KB

Download
memory/1808-117-0x0000000001EC0000-0x0000000001EDE000-memory.dmp

Filesize
120KB

Download
memory/1808-114-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/1808-115-0x00000000004E0000-0x00000000004F1000-memory.dmp

Filesize
68KB

Download
memory/1892-231-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1892-232-0x00000000002A0000-0x00000000002D8000-memory.dmp

Filesize
224KB

Download
memory/1892-235-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/1892-236-0x0000000000460000-0x000000000047E000-memory.dmp

Filesize
120KB

Download
memory/1892-237-0x0000000001F00000-0x0000000001F31000-memory.dmp

Filesize
196KB

Download
memory/1948-197-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/1948-205-0x0000000001FB0000-0x0000000001FE1000-memory.dmp

Filesize
196KB

Download
memory/1948-203-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/1948-204-0x0000000001EA0000-0x0000000001EBE000-memory.dmp

Filesize
120KB

Download
memory/2116-155-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2116-158-0x0000000000300000-0x000000000031E000-memory.dmp

Filesize
120KB

Download
memory/2116-156-0x0000000000290000-0x00000000002C8000-memory.dmp

Filesize
224KB

Download
memory/2116-202-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2116-201-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2116-149-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2116-160-0x0000000001F10000-0x0000000001F41000-memory.dmp

Filesize
196KB

Download
memory/2116-157-0x00000000002D0000-0x00000000002E1000-memory.dmp

Filesize
68KB

Download
memory/2324-111-0x0000000001FC0000-0x0000000001FF1000-memory.dmp

Filesize
196KB

Download
memory/2324-95-0x0000000000700000-0x0000000000711000-memory.dmp

Filesize
68KB

Download
memory/2324-94-0x0000000000220000-0x0000000000258000-memory.dmp

Filesize
224KB

Download
memory/2324-92-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2324-93-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2324-96-0x0000000001F50000-0x0000000001F6E000-memory.dmp

Filesize
120KB

Download
memory/2324-143-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2348-178-0x00000000003D0000-0x00000000003E1000-memory.dmp

Filesize
68KB

Download
memory/2348-183-0x0000000000460000-0x0000000000491000-memory.dmp

Filesize
196KB

Download
memory/2348-182-0x0000000000460000-0x0000000000491000-memory.dmp

Filesize
196KB

Download
memory/2348-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2348-179-0x0000000000440000-0x000000000045E000-memory.dmp

Filesize
120KB

Download
memory/2348-177-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2348-222-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2480-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2480-17-0x00000000007C0000-0x00000000007D1000-memory.dmp

Filesize
68KB

Download
memory/2480-29-0x0000000000820000-0x0000000000851000-memory.dmp

Filesize
196KB

Download
memory/2480-137-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2480-11-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2480-14-0x00000000003C0000-0x00000000003F8000-memory.dmp

Filesize
224KB

Download
memory/2480-30-0x0000000000820000-0x0000000000851000-memory.dmp

Filesize
196KB

Download
memory/2480-20-0x00000000007E0000-0x00000000007FE000-memory.dmp

Filesize
120KB

Download
memory/2480-138-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2488-142-0x00000000004B0000-0x00000000004CE000-memory.dmp

Filesize
120KB

Download
memory/2488-136-0x0000000000440000-0x0000000000478000-memory.dmp

Filesize
224KB

Download
memory/2488-134-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2488-124-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2488-199-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2488-200-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2488-148-0x0000000000780000-0x00000000007B1000-memory.dmp

Filesize
196KB

Download
memory/2488-140-0x0000000000490000-0x00000000004A1000-memory.dmp

Filesize
68KB

Download
memory/2788-59-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2788-146-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2788-75-0x00000000004C0000-0x00000000004D1000-memory.dmp

Filesize
68KB

Download
memory/2788-76-0x0000000000620000-0x000000000063E000-memory.dmp

Filesize
120KB

Download
memory/2788-147-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2788-70-0x0000000010000000-0x000000001011D000-memory.dmp

Filesize
1.1MB

Download
memory/2788-72-0x00000000005E0000-0x0000000000618000-memory.dmp

Filesize
224KB

Download
memory/2844-215-0x0000000000700000-0x0000000000731000-memory.dmp

Filesize
196KB

Download
memory/2844-216-0x0000000000700000-0x0000000000731000-memory.dmp

Filesize
196KB

Download
memory/2844-213-0x0000000000480000-0x0000000000491000-memory.dmp

Filesize
68KB

Download
memory/2844-214-0x0000000000640000-0x000000000065E000-memory.dmp

Filesize
120KB

Download
memory/2844-210-0x00000000003B0000-0x00000000003E8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.