You know, in this document I want to show you the malicious Word document with Hancitor that does process replacement via shellcode. So I have the document here, and I have Process Explorer running. So let's open the document.

Okay, and here we see that EMET detects the EAF, Export Address Filtering, and so it kills the Word process, as you can see here. So let's close this and let's disable this security feature in EMET here. So for WINWORD here, EAF, we disable this, and let's do this again now. No, we don't want to start in safe mode.

Okay, and now if we go into WINWORD here in Process Explorer, sorry, we see that WINWORD has a child process, explorer.exe. And if we look at the properties, here you can see it's Windows Explorer. It's a 32-bit machine. And if we look at the strings in memory, we can actually see that this comes from Explorer, but in reality the code has been replaced by the malicious embedded executable, which is running now.
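The parent/child relationship seen in Process Explorer above (WINWORD with a child explorer.exe) is the observable a defender can alert on, because the replaced process still carries the legitimate image path. The following is an added detection sketch, not part of the original video; the event dictionaries are constructed samples using Sysmon process-creation field names, and the two name lists are assumptions to tune per environment.

```python
import ntpath

# Office applications that should not normally launch Windows system binaries.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# System binaries whose trusted name hides replaced code (assumed list).
TRUSTED_CHILDREN = {"explorer.exe", "svchost.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path, tolerant of surrounding quotes."""
    return ntpath.basename(path.strip('"')).lower()


def suspicious_children(events):
    """Return (parent_pid, child_pid, child_image) for each flagged creation event."""
    hits = []
    for ev in events:
        parent = image_name(ev.get("ParentImage", ""))
        child = image_name(ev.get("Image", ""))
        # The child image path is genuine, so only the parent gives it away.
        if parent in OFFICE_PARENTS and child in TRUSTED_CHILDREN:
            hits.append((ev["ParentProcessId"], ev["ProcessId"], ev["Image"]))
    return hits


# Constructed sample events (not taken from the video).
OFFICE = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
SAMPLE_EVENTS = [
    # Normal logon: userinit.exe starts the shell.
    {"ProcessId": 1500, "Image": r"C:\Windows\explorer.exe",
     "ParentProcessId": 620, "ParentImage": r"C:\Windows\System32\userinit.exe"},
    # User opens the document from the shell.
    {"ProcessId": 2140, "Image": OFFICE,
     "ParentProcessId": 1500, "ParentImage": r"C:\Windows\explorer.exe"},
    # Word spawns a second explorer.exe: the pattern shown in the video.
    {"ProcessId": 3388, "Image": r"C:\Windows\explorer.exe",
     "ParentProcessId": 2140, "ParentImage": '"' + OFFICE + '"'},
    # Benign Office child (print driver host), must not be flagged.
    {"ProcessId": 3400, "Image": r"C:\Windows\splwow64.exe",
     "ParentProcessId": 2140, "ParentImage": OFFICE},
]

if __name__ == "__main__":
    for parent_pid, child_pid, image in suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT: Office PID {parent_pid} spawned {image} (PID {child_pid})")
```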