03c2820bef5a47808ea77008988e18e113d27f05eb22bb60ec51cd7fc730e0d6

Analysis

max time kernel
4s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
15/01/2024, 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c047d72336cd60473948a1c6470aab8.exe
Size

1.4MB
MD5

5c047d72336cd60473948a1c6470aab8
SHA1

4a2126daad2ff7e0a2672699765e415c2c537684
SHA256

03c2820bef5a47808ea77008988e18e113d27f05eb22bb60ec51cd7fc730e0d6
SHA512

0a97bb44086e4d5cca0772c87c1fa1578ad01e82c02f71fe13d0b5ec8cbbf849d98aeea332929b3fb7b995bd198553bcca19afa6b14401c006e9698e44376467
SSDEEP

24576:7UKkfJ71jmXD9Zxe5ZKFL+8nzVsPin5ICH/o+/1POEov9ZTpDGzlVep/dJOdPKl:7UxsCZKFlVsPinJhORvrFGzlV69

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2788	explorer.exe
2600	explorer.exe
1256	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE

Loads dropped DLL 28 IoCs

pid	Process
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2788	explorer.exe
2788	explorer.exe
2788	explorer.exe
2788	explorer.exe
2788	explorer.exe
2788	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	explorer.exe
File opened for modification	\??\PhysicalDrive0	XP-AB9DB5FA.EXE
File opened for modification	\??\PhysicalDrive0	XP-AB9DB5FA.EXE
File opened for modification	\??\PhysicalDrive0	5c047d72336cd60473948a1c6470aab8.exe
File opened for modification	\??\PhysicalDrive0	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XP-AB9DB5FA.EXE	5c047d72336cd60473948a1c6470aab8.exe
File opened for modification	C:\Windows\SysWOW64\XP-AB9DB5FA.EXE	5c047d72336cd60473948a1c6470aab8.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2084	5c047d72336cd60473948a1c6470aab8.exe
2788	explorer.exe
2788	explorer.exe
2788	explorer.exe
2788	explorer.exe
2788	explorer.exe
2788	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
2600	explorer.exe
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1256	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE
1064	XP-AB9DB5FA.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2676	2084	5c047d72336cd60473948a1c6470aab8.exe	28
PID 2084 wrote to memory of 2676	2084	5c047d72336cd60473948a1c6470aab8.exe	28
PID 2084 wrote to memory of 2676	2084	5c047d72336cd60473948a1c6470aab8.exe	28
PID 2084 wrote to memory of 2676	2084	5c047d72336cd60473948a1c6470aab8.exe	28
PID 2084 wrote to memory of 2788	2084	5c047d72336cd60473948a1c6470aab8.exe	63
PID 2084 wrote to memory of 2788	2084	5c047d72336cd60473948a1c6470aab8.exe	63
PID 2084 wrote to memory of 2788	2084	5c047d72336cd60473948a1c6470aab8.exe	63
PID 2084 wrote to memory of 2788	2084	5c047d72336cd60473948a1c6470aab8.exe	63
PID 2788 wrote to memory of 3044	2788	explorer.exe	37
PID 2788 wrote to memory of 3044	2788	explorer.exe	37
PID 2788 wrote to memory of 3044	2788	explorer.exe	37
PID 2788 wrote to memory of 3044	2788	explorer.exe	37
PID 2788 wrote to memory of 2600	2788	explorer.exe	89
PID 2788 wrote to memory of 2600	2788	explorer.exe	89
PID 2788 wrote to memory of 2600	2788	explorer.exe	89
PID 2788 wrote to memory of 2600	2788	explorer.exe	89
PID 2600 wrote to memory of 2620	2600	explorer.exe	32
PID 2600 wrote to memory of 2620	2600	explorer.exe	32
PID 2600 wrote to memory of 2620	2600	explorer.exe	32
PID 2600 wrote to memory of 2620	2600	explorer.exe	32
PID 2600 wrote to memory of 1256	2600	explorer.exe	36
PID 2600 wrote to memory of 1256	2600	explorer.exe	36
PID 2600 wrote to memory of 1256	2600	explorer.exe	36
PID 2600 wrote to memory of 1256	2600	explorer.exe	36
PID 1256 wrote to memory of 2172	1256	XP-AB9DB5FA.EXE	35
PID 1256 wrote to memory of 2172	1256	XP-AB9DB5FA.EXE	35
PID 1256 wrote to memory of 2172	1256	XP-AB9DB5FA.EXE	35
PID 1256 wrote to memory of 2172	1256	XP-AB9DB5FA.EXE	35
PID 1256 wrote to memory of 1064	1256	XP-AB9DB5FA.EXE	71
PID 1256 wrote to memory of 1064	1256	XP-AB9DB5FA.EXE	71
PID 1256 wrote to memory of 1064	1256	XP-AB9DB5FA.EXE	71
PID 1256 wrote to memory of 1064	1256	XP-AB9DB5FA.EXE	71
PID 1064 wrote to memory of 1512	1064	XP-AB9DB5FA.EXE	95
PID 1064 wrote to memory of 1512	1064	XP-AB9DB5FA.EXE	95
PID 1064 wrote to memory of 1512	1064	XP-AB9DB5FA.EXE	95
PID 1064 wrote to memory of 1512	1064	XP-AB9DB5FA.EXE	95

C:\Users\Admin\AppData\Local\Temp\5c047d72336cd60473948a1c6470aab8.exe
"C:\Users\Admin\AppData\Local\Temp\5c047d72336cd60473948a1c6470aab8.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\5c047d72336cd60473948a1c6470aab8
  2⤵
  PID:2676
- C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
  C:\Windows\system32\XP-AB9DB5FA.EXE
  2⤵
  PID:2788
- - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
    C:\Windows\system32\XP-AB9DB5FA.EXE
    3⤵
    PID:2600
  - - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
      C:\Windows\system32\XP-AB9DB5FA.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1064
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\XP-AB9DB5FA
    3⤵
    PID:3044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2640

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:2620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1336

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:2172

C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
C:\Windows\system32\XP-AB9DB5FA.EXE
1⤵
PID:2464
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Windows\SysWOW64\XP-AB9DB5FA
  2⤵
  PID:2228
- C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
  C:\Windows\system32\XP-AB9DB5FA.EXE
  2⤵
  PID:852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1088

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:1648

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:940

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:2088

C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
C:\Windows\system32\XP-AB9DB5FA.EXE
1⤵
PID:600
- C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
  C:\Windows\system32\XP-AB9DB5FA.EXE
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\XP-AB9DB5FA
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
    C:\Windows\system32\XP-AB9DB5FA.EXE
    3⤵
    PID:1704
  - - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
      C:\Windows\system32\XP-AB9DB5FA.EXE
      4⤵
      PID:2796
    - - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        5⤵
        
        PID:1572
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        6⤵
        
        PID:2164
      - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        6⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        7⤵
        
        PID:692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        8⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        8⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        9⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        9⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        10⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        10⤵
        
        PID:892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        11⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        11⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        12⤵
        
        PID:852
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        12⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        13⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        13⤵
        
        PID:792
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        14⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        14⤵
        
        PID:520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        15⤵
        
        PID:1332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        16⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        16⤵
        
        PID:512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        17⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        17⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        18⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        18⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        19⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        19⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        20⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        20⤵
        
        PID:520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        21⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        21⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        22⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        22⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        23⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        23⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        24⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        24⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        25⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        25⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        26⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        26⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        27⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        27⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        28⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        28⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        29⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        29⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        30⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        30⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        31⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        31⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        32⤵
        
        PID:520
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        32⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        33⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        33⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        34⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        34⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        35⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        35⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        36⤵
        
        PID:600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        37⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        37⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        38⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        38⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        39⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        39⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        40⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        40⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        41⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        41⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        42⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        42⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        43⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        43⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        44⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        44⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        45⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        45⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        46⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        46⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        47⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        47⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        48⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        49⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        49⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        50⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        50⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        51⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        51⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        52⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        52⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        53⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        53⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        54⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        54⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        55⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        55⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        56⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        56⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        57⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        57⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        58⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        58⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        59⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        59⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        60⤵
        
        PID:5204
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        60⤵
        
        PID:5264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        61⤵
        
        PID:5352
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        61⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        62⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        62⤵
        
        PID:5816
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        63⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        63⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        64⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        64⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        65⤵
        
        PID:5924
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        65⤵
        
        PID:4868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2124

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:1596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3040

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:2700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2276

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:2224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3036

C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
C:\Windows\system32\XP-AB9DB5FA.EXE
1⤵
PID:2360

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:1512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2580

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2960

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3236

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3488

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3284

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3396

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:3460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3960

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3700

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4644

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-AB9DB5FA
1⤵
PID:4800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4308

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3140

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3452

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3292

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5268

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
de4374d6912aa9a37db5c9c0c41609e9

SHA1
dfb02bd3db018ad6619bed58541595bac45e46c1

SHA256
45c9359d820ded199215895c3d12af6c10cb648d60dadd08fb2ae12a531ba6dc

SHA512
592eafab6fdaad75e29aafbce0d74408f11dcb2bcb7688af90bd35d69d5c4261030f0980cf5d4621aeb779e1518b7d30f322de4905c14e42ff02b389285b04ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
88890fa24f93b245a41d29abb80b1df4

SHA1
7ee95f6853612be1a460aa6211f09730d7aebd8c

SHA256
2d47c02d5f636da8e25aadb9a6e7360628c6d500f7c997da62490c1ab02f418b

SHA512
0ae2228ec40ecd33c3ceeeeed4d630fb79cca15981f13431bc5db78f3e5c4dd49161d14d8ee97aeae8466486d70dbbc47c9ae8c9523bcd5b7d00be7a4ddeddcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
275KB

MD5
27f70b1219bf41eaa0372d93c96d07f1

SHA1
a18ceb8569d6c1749b300b4bfe407299154a4a9f

SHA256
2c77af2e689cad6ed5dc770c75e59fcfe852335fa258ab1c5e28e6980fe3fa8b

SHA512
dfae7d02680420ed3871b5b466d6bf9ea3a6f65ad76e47ca81ba69b927ab6419bece5fa154d014b9a88c08c1d6ae8e315a4a05e33bb8cc7af4b2420001b3705d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
5e517b1ea1c64321ea8cc96a7ea1c7fb

SHA1
d5835e2f4dd0bb9b7312f63a0c7a8270db41b042

SHA256
ff08e84f2fb55bf56c525eebab6657bc090b803bc35fb619c56c94a279245580

SHA512
45504afaf7769ef9f20ff7a3395537e1387e2932c8efc1ceccf2e24a2f00ccde324d1fe05ba65d4bf8c5a38e462797907bd2508f01869956935b83f918c31cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
128KB

MD5
82c992f7795485f2999762129e4272d3

SHA1
d167d07aa60a26fee65c8703871315b7846ec72b

SHA256
5c975450b0e51d8a5d409f6e62dcc84cd325112913a2643491e36a84b0229652

SHA512
c2b748d9b25c6948ad0c9a98a87edb0bc0ab71f94a7374ca90a2b892ab97fb435f3a4ed528665d3c599a229862419a97f1fe05d4713161757da8a82366817bd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
72KB

MD5
22a235d3cdf2a4895f708f3eb3a211eb

SHA1
44325f3de8331b2d5490cb77a5e2affd8ac68c3a

SHA256
64fc2784b4c6afc1d6369cab345b500938caa06355784e949cab4d6f49bf6fb1

SHA512
7eb53bb374c82f68713f163582e22f5f82369322bc2f9f73629516117095507a8d50d2c30ac84bf98d44632b6f20cffcd9affdaaa0ba9ff0f567b32f342e544f

Download Submit
C:\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
10KB

MD5
2aa3d265656d62a2f2d724ed8523c482

SHA1
02290c597de49a2f2ade3429c43cbad01fcf20e6

SHA256
a032d62423e3548e6990fd74f5a9f6dedf1384d1ba5510f213a5a9ef5064629d

SHA512
5f88e292ba0af61a5c68d441e6a148653fada33317bbcbd2432a6eede7d12c279926c2fb9e3e668523a4b81629b9cb669e07adedcddbdf80aabbc652b57d46d6

Download Submit
C:\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
1.4MB

MD5
40a2e6f5435a8ce5e753a8cfd2593fed

SHA1
235254f7f579c9dc7820876a602d106f3daef07b

SHA256
3c3e056cb38b20f3f14dae67a53c58b9dc3c69eeec6ab0d49e10260a1c0bee3a

SHA512
a4e11e3bc641e48312836ce056c27a32f1286c2e8ad0905923281c64983eda103ab70c716478ec5428cb51226a674c3e70d92efbcf0b32e864b4c85256fbf1ef

Download Submit
C:\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
1.3MB

MD5
ee65964414d57184db77cc473bdab8d2

SHA1
cfe9ebd58f1952ba7295351a7523512acfdcd548

SHA256
314a9e8fa1c2710eaaad067a25c584056c6765e739f9ce2ff61bfe535a9b0d2c

SHA512
798b2ced8b5b868c79b3f7a70c65636cb6f4dc5cf678b6df428bb83c6add394beecb1fc946e17cb6ee90fcbbcb986281d4ee5a59c34f668877d58bb854cb21a4

Download Submit
C:\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
434KB

MD5
36823583734e483692ed073e57e13e73

SHA1
cd1ce1b9d13a8ecba1a927df67a6c3d304aaa578

SHA256
abdcef7ca241384654fc9967db8870eb862b9bbdee88da3b261a31e6c8f9cec7

SHA512
01da3da869a1584196eec2cc2c712fe58af77545f24431bd04b57814ffdc6f02b131427d17cb73c882896e74fcedebb0ff9190ea2bc8eb4a2b507ecc3fc885cb

Download Submit
C:\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
351KB

MD5
fb41a392770b3e937eaafaa12088c79d

SHA1
9dba64e09cbde7426e303992437ea9d956f0f0e2

SHA256
ca8c6e7e70a6138612c9c87bbc47e7fcec8758ef903e8c78cd7e45e0af3017bc

SHA512
e4c61d7baf13512c083bb4fe68ffe64360d463775a2507c725ba6974228911e7eac517960853744b7edd086722d7f37549f4bff97815d0aad5ec37167459f3ca

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
264KB

MD5
57f1f3e68be9f643b40efa43bda261a3

SHA1
2b7d1b8a8caf1ffa3e1bf30fd93a2dfd319055a8

SHA256
b3942aa50db9c8ed0c7353c75d1aa52c8c253d61503026aa793f75e7ccbac5d3

SHA512
3641ef8a2c1e82e482bfebc9876e58a64af87fdde0a48d2112036a038330d5d43c9807de2c7005ea31e3e6a7e8c7853e94b457e6727361c045f94108735844f4

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
239KB

MD5
4d4980fc7ecf91acb281726a4377a561

SHA1
f44c81777ee98a0191296e08e4f9a8d743aefdff

SHA256
e4fee4028f4d01805c668cafe708324d6b27eee09017a70c7f448f89bd0f1c4a

SHA512
c5fb3d1ca348029199d5e18104619498072a85dc0fb912b47358cdf360f4c3a4dfefa9af636bda24ffb42f87154881e0e7efe00b2dcae0abb2a90c45f9d07fdc

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
37KB

MD5
290849039069b8d875c24786379e660d

SHA1
7bebcd9e397f7d4dc2dba2cfd62da70fef480688

SHA256
b8b7404d37240e471d235612d196dab619940feb56f475d2af392e4cfb1f9793

SHA512
735f64d1f1691ad774d645baa5538b553af54eca840bbdb9898329a065be51192b72a80a315fca68f4610faae595d1fed1b581288bb6008673efe3cd4c79c823

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
051d51ef3bc46ab5a090e3bec2dbffe5

SHA1
d5199749b263840bb9214033d6fbbf1b886d0a34

SHA256
99c7206a18a91d2f01299bfcd64b0ae9abee9a564b0af68e643c2eb5cc70fe23

SHA512
9dbaa9200eb09689a1e9c2dfad8c55349363309e9427a0de978088d95eb5f9398776262576f0a543d278b094281dbac43a1cfc9bdd3352fe472dcad5e4187638

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
54KB

MD5
fcf04a12ffd650833b34551b86d7ef89

SHA1
853aad8ca74cec3716b5231741d78e77b6720bb0

SHA256
bf6e321cd28f19e1e2a055ab21d442af5c9319c3eda3a923412053c5ea8dd217

SHA512
5f2d561c9f89d4a0a07c96608bf39c7a8ba3a57c7ce8324fd4d602549cb26623a6384c12325b57d758078a4b91ab25522cdd8aa17593c0087585c1c279a1d66e

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
528KB

MD5
c5ee5ae463f0c28152ab0dbf9498c255

SHA1
53662010e21a53b4937999e25179fedb88af67f2

SHA256
2a43d6bbc7962ce4906b92965a5d94a8728523aa525e5c2604ccc16864266482

SHA512
097e2ba161db9a212486bf4722dc35d6b595c140222cea0ed9ed458ecbcbcd9b1e12ca2b9e81fcca99d694bf90cad9cd5aad085fb67839dfc65909508ad134e1

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
445KB

MD5
335b16598c0f58e1ff402a716b152191

SHA1
7402a5a7ea74ceed12ba2483f326ba210ff3665a

SHA256
1018aa5c5885ede235c79a0d44c885064f8a3573afbca393550730b5400c1b28

SHA512
b20a8cb4ac18c1e0101f003a1f95866356101dd3fae118ba3a1553bd994044d0aa1c322dec29ca62518fdfd5b47c1f819627db69d9e83399c7013c59ab1b0a6a

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
5c794859ffac4b19ee012a2986f53cff

SHA1
2f97fe128108be7145633ea8697a5132fbf71146

SHA256
dd799e01c8ba36258795ec4fc896ead1ffb5ea87e765fa298cef64fd7ebfc1fd

SHA512
22e91f9d5a62938674d19c4e6cbfd78098a76921888c910d8aead89765709e5947e06ccba398461eb1903e4651e2d738fdb463a5deda893a08d0eb69fd0cdbd4

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
289KB

MD5
62119fb1da632e98644dd9ac2d4f018e

SHA1
ebd099a19343e1f02936702fa1766943c627b845

SHA256
221f0882742f05d878693276c01a0da67b3bb4f976d89762795e05cb4f400995

SHA512
c2fe2e19d5353324672798cbeef5d1bba3f8f45bcbde28f20b33500999a85626057b2abf15b3bac4cba3b7f0439ab52b08d0b951576024531baa0446ba862018

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
23KB

MD5
8a4d942ad76efffe770ac6328324be82

SHA1
a553c37f76495617d27d46baeb2708654628cc0c

SHA256
6e10f25831a57ecf14ce013649efa5a4b926e7532c1d8f063a6128dd32d6d12f

SHA512
37d479245e9352fdc7b962996f8e67747ce485741d0ae050971495a74744f96c3dc6e348bafbb59c51ad38dec8215601dfd06716bca243c42294248f1808f7e7

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
9900631cd16e385556a02cad93591982

SHA1
48daa5ac65d32607564024fad038b5388e8e1d16

SHA256
b37aeaea327e7679c828a15f00a5fe823ede2ddb020449878a412124f7dd007c

SHA512
e10fbba11819baf323c0eb5452109f8ad91eae7170e4cf76c7fb6fd01351a53f372320ffd6816abbef993501d55530e006cee609db0697b40660e29a4e49a051

Download Submit
\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
1.4MB

MD5
5c047d72336cd60473948a1c6470aab8

SHA1
4a2126daad2ff7e0a2672699765e415c2c537684

SHA256
03c2820bef5a47808ea77008988e18e113d27f05eb22bb60ec51cd7fc730e0d6

SHA512
0a97bb44086e4d5cca0772c87c1fa1578ad01e82c02f71fe13d0b5ec8cbbf849d98aeea332929b3fb7b995bd198553bcca19afa6b14401c006e9698e44376467

Download Submit
\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
640KB

MD5
931f3be165c1bab8dd18de7972b81037

SHA1
7b6159dea106fe80dabc13e54a13ed57dddd2f23

SHA256
4ab4d917be6492764e85c4548a9c2fa2e739aa3ad92d20ece23f8a88696e0b1d

SHA512
928517e7dcc2d9e01ec772e605c80a1d3b41f439a5a54e764f7a5a824cfa0708949234289215dd5716b7e40b4d3a45f0b58e5c292249a65b29f3a864f730391a

Download Submit
\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
1.3MB

MD5
b16e60da659593f3da8b9aa3f7e59d79

SHA1
79c28aaa7ae7fe891f88088e0d20960759f38e35

SHA256
e000eb17fc3fe9b8c97dd4e206f3044dd5c29785cf6a774bd5786c8a09f0fc48

SHA512
1db6f28573dd826d1f763fb346de69a4cd68aea959e639f79942c94d8640cb6a3e377a3dc0f2f119600d88aeb38756f06848144c74840ebb22ffa536beff3cef

Download Submit
\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
666KB

MD5
283d2c1c867a7062dda269075cb32d9b

SHA1
b52d5046f25c8366454fb69a5d6f5a22135ce74a

SHA256
908650bb7c9d83f593cff5bd5c5b6323d9bc231037dfb191ad2d4d4e2d95c834

SHA512
8d88f9cff85f84a03d1c7aca3751d4d9664dc6baa63f77e0b53f08df5d55daf94afa8fbe0b51260adc83a0805c3ba6e4e4cd61e942b8501815b1e7700a6ab5c0

Download Submit
\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
589KB

MD5
9d1cc0966c2ed8404cde45b329dd6242

SHA1
9bb44d5673bb6d2d05d95074ae2550047014a1dd

SHA256
f4b8aae7e8c7100a1816625fccebedfa3057994a5d460e8c00f1130438b8f855

SHA512
130702bad3b72e79bcac46099a2aa287a42b67df33fdc0c5d98bbaaddd0302a81cb8882ef789e7a8a773cdf75ff5fbb79255e05d6f36df28d9c7bd944585beaf

Download Submit
\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
333KB

MD5
f00a8b2f35afbf29eb9fba87a89106f2

SHA1
dd1d3ad6e6a65f68c1707a111eb2252b27878fc2

SHA256
9f5286890b784d093a100b5022d02c79395dabfbc516c5d18cb91ca90b932e6c

SHA512
06538aa1895c9b3e55a41a9ffb5363b4888522655cef539833488408d1b027cc9ce1883cd14e44203eb1d76656225f84d0d176b688dd39c8417fbe7882194475

Download Submit
\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
236KB

MD5
ce5e93b3358b9e85ee56a01528e709a0

SHA1
bdec98840f55a9336c8cf88cf88928813bcf308a

SHA256
5dc7234038c07add400a8c0df108e35ec12c88006e1fec43cdded69b20a1d5f1

SHA512
42ce75f929d1dbb8c77096735ae1818ae7a287e0b9d67bfe435cc6f91d95acd984ce248cebf02205122c0754c63dce4cb9610800ddc0dc25d460ca8e123f14b6

Download Submit
memory/852-175-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/852-177-0x0000000000270000-0x00000000002BB000-memory.dmp

Filesize
300KB

Download
memory/852-174-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/852-178-0x00000000003B0000-0x00000000003CE000-memory.dmp

Filesize
120KB

Download
memory/852-176-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/1064-122-0x00000000004B0000-0x00000000004FB000-memory.dmp

Filesize
300KB

Download
memory/1064-129-0x0000000000570000-0x000000000059C000-memory.dmp

Filesize
176KB

Download
memory/1064-123-0x0000000000530000-0x000000000054E000-memory.dmp

Filesize
120KB

Download
memory/1064-121-0x0000000000550000-0x0000000000561000-memory.dmp

Filesize
68KB

Download
memory/1064-118-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1064-147-0x0000000000570000-0x000000000059C000-memory.dmp

Filesize
176KB

Download
memory/1064-116-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1104-159-0x00000000037B0000-0x00000000037B1000-memory.dmp

Filesize
4KB

Download
memory/1256-166-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1256-104-0x0000000001E30000-0x0000000001E5C000-memory.dmp

Filesize
176KB

Download
memory/1256-97-0x00000000003D0000-0x00000000003EE000-memory.dmp

Filesize
120KB

Download
memory/1256-106-0x0000000001E30000-0x0000000001E5C000-memory.dmp

Filesize
176KB

Download
memory/1256-100-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1256-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1256-99-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download
memory/1256-96-0x0000000000430000-0x000000000047B000-memory.dmp

Filesize
300KB

Download
memory/1256-165-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1336-125-0x00000000039B0000-0x00000000039B1000-memory.dmp

Filesize
4KB

Download
memory/2084-98-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2084-11-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2084-14-0x00000000001B0000-0x00000000001FB000-memory.dmp

Filesize
300KB

Download
memory/2084-19-0x0000000000530000-0x000000000054E000-memory.dmp

Filesize
120KB

Download
memory/2084-20-0x0000000000550000-0x0000000000561000-memory.dmp

Filesize
68KB

Download
memory/2084-29-0x0000000001FB0000-0x0000000001FDC000-memory.dmp

Filesize
176KB

Download
memory/2084-95-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2084-42-0x0000000001FB0000-0x0000000001FDC000-memory.dmp

Filesize
176KB

Download
memory/2084-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2220-317-0x0000000000390000-0x0000000000410000-memory.dmp

Filesize
512KB

Download
memory/2360-155-0x0000000002230000-0x000000000225C000-memory.dmp

Filesize
176KB

Download
memory/2360-149-0x0000000001FB0000-0x0000000001FCE000-memory.dmp

Filesize
120KB

Download
memory/2360-148-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2360-143-0x0000000001C60000-0x0000000001CAB000-memory.dmp

Filesize
300KB

Download
memory/2360-145-0x0000000002210000-0x0000000002221000-memory.dmp

Filesize
68KB

Download
memory/2360-162-0x0000000002230000-0x000000000225C000-memory.dmp

Filesize
176KB

Download
memory/2360-142-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2464-164-0x0000000000220000-0x000000000026B000-memory.dmp

Filesize
300KB

Download
memory/2464-160-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/2464-156-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2464-161-0x0000000000450000-0x0000000000461000-memory.dmp

Filesize
68KB

Download
memory/2464-173-0x00000000004E0000-0x000000000050C000-memory.dmp

Filesize
176KB

Download
memory/2464-158-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2600-144-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2600-146-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2600-73-0x0000000000470000-0x0000000000481000-memory.dmp

Filesize
68KB

Download
memory/2600-72-0x0000000000450000-0x000000000046E000-memory.dmp

Filesize
120KB

Download
memory/2600-74-0x00000000003A0000-0x00000000003EB000-memory.dmp

Filesize
300KB

Download
memory/2600-68-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2600-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2640-163-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2640-78-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2768-76-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2768-75-0x0000000003A10000-0x0000000003A20000-memory.dmp

Filesize
64KB

Download
memory/2768-150-0x0000000003730000-0x0000000003731000-memory.dmp

Filesize
4KB

Download
memory/2788-51-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/2788-53-0x00000000002E0000-0x000000000032B000-memory.dmp

Filesize
300KB

Download
memory/2788-52-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2788-56-0x0000000000450000-0x000000000047C000-memory.dmp

Filesize
176KB

Download
memory/2788-50-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/2788-49-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2788-101-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3036-167-0x0000000003620000-0x0000000003621000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads