d48fd97e81f9a59e85f04d92d680a5c16be3a31a4ec2e0e3c3cfcece07aab707

Analysis

max time kernel
5s
max time network
144s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f378623cbc763412be864561511370ae_JaffaCakes118.exe
Size

1.3MB
MD5

f378623cbc763412be864561511370ae
SHA1

7b5cd8cbd4595da3d21f9b6e2e126dbefa6c6abd
SHA256

d48fd97e81f9a59e85f04d92d680a5c16be3a31a4ec2e0e3c3cfcece07aab707
SHA512

e9634008282c38a9b2980bd595143cafff85f0d636085040d3dd256e3f1aa7a917460827a7b5b93b6551274d514e7115607b4a58e608bf1cd10af7fbace321b3
SSDEEP

24576:8vgbyLg41N5L+s79FIY4ponf0e56xh3liEKKO7AynQedLSEgG:8vgb0gq9FOC0esxh1i/ldQ2GEx

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2552	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE

Loads dropped DLL 40 IoCs

pid	Process
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 7 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XP-AB9DB5FA.EXE
File opened for modification	\??\PhysicalDrive0	XP-AB9DB5FA.EXE
File opened for modification	\??\PhysicalDrive0	XP-AB9DB5FA.EXE
File opened for modification	\??\PhysicalDrive0	XP-AB9DB5FA.EXE
File opened for modification	\??\PhysicalDrive0	XP-AB9DB5FA.EXE
File opened for modification	\??\PhysicalDrive0	XP-AB9DB5FA.EXE
File opened for modification	\??\PhysicalDrive0	f378623cbc763412be864561511370ae_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XP-AB9DB5FA.EXE	f378623cbc763412be864561511370ae_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XP-AB9DB5FA.EXE	f378623cbc763412be864561511370ae_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 8 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	explorer.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2552	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2904	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2884	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
2156	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
1908	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE
2188	XP-AB9DB5FA.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2612	1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe	28
PID 1632 wrote to memory of 2612	1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe	28
PID 1632 wrote to memory of 2612	1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe	28
PID 1632 wrote to memory of 2612	1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe	28
PID 1632 wrote to memory of 2552	1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe	30
PID 1632 wrote to memory of 2552	1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe	30
PID 1632 wrote to memory of 2552	1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe	30
PID 1632 wrote to memory of 2552	1632	f378623cbc763412be864561511370ae_JaffaCakes118.exe	30
PID 2552 wrote to memory of 2440	2552	XP-AB9DB5FA.EXE	31
PID 2552 wrote to memory of 2440	2552	XP-AB9DB5FA.EXE	31
PID 2552 wrote to memory of 2440	2552	XP-AB9DB5FA.EXE	31
PID 2552 wrote to memory of 2440	2552	XP-AB9DB5FA.EXE	31
PID 2552 wrote to memory of 2904	2552	XP-AB9DB5FA.EXE	32
PID 2552 wrote to memory of 2904	2552	XP-AB9DB5FA.EXE	32
PID 2552 wrote to memory of 2904	2552	XP-AB9DB5FA.EXE	32
PID 2552 wrote to memory of 2904	2552	XP-AB9DB5FA.EXE	32
PID 2904 wrote to memory of 2692	2904	XP-AB9DB5FA.EXE	34
PID 2904 wrote to memory of 2692	2904	XP-AB9DB5FA.EXE	34
PID 2904 wrote to memory of 2692	2904	XP-AB9DB5FA.EXE	34
PID 2904 wrote to memory of 2692	2904	XP-AB9DB5FA.EXE	34
PID 2904 wrote to memory of 2884	2904	XP-AB9DB5FA.EXE	35
PID 2904 wrote to memory of 2884	2904	XP-AB9DB5FA.EXE	35
PID 2904 wrote to memory of 2884	2904	XP-AB9DB5FA.EXE	35
PID 2904 wrote to memory of 2884	2904	XP-AB9DB5FA.EXE	35
PID 2884 wrote to memory of 2344	2884	XP-AB9DB5FA.EXE	37
PID 2884 wrote to memory of 2344	2884	XP-AB9DB5FA.EXE	37
PID 2884 wrote to memory of 2344	2884	XP-AB9DB5FA.EXE	37
PID 2884 wrote to memory of 2344	2884	XP-AB9DB5FA.EXE	37
PID 2884 wrote to memory of 2156	2884	XP-AB9DB5FA.EXE	38
PID 2884 wrote to memory of 2156	2884	XP-AB9DB5FA.EXE	38
PID 2884 wrote to memory of 2156	2884	XP-AB9DB5FA.EXE	38
PID 2884 wrote to memory of 2156	2884	XP-AB9DB5FA.EXE	38
PID 2156 wrote to memory of 2932	2156	XP-AB9DB5FA.EXE	40
PID 2156 wrote to memory of 2932	2156	XP-AB9DB5FA.EXE	40
PID 2156 wrote to memory of 2932	2156	XP-AB9DB5FA.EXE	40
PID 2156 wrote to memory of 2932	2156	XP-AB9DB5FA.EXE	40
PID 2156 wrote to memory of 1908	2156	XP-AB9DB5FA.EXE	41
PID 2156 wrote to memory of 1908	2156	XP-AB9DB5FA.EXE	41
PID 2156 wrote to memory of 1908	2156	XP-AB9DB5FA.EXE	41
PID 2156 wrote to memory of 1908	2156	XP-AB9DB5FA.EXE	41
PID 1908 wrote to memory of 592	1908	XP-AB9DB5FA.EXE	43
PID 1908 wrote to memory of 592	1908	XP-AB9DB5FA.EXE	43
PID 1908 wrote to memory of 592	1908	XP-AB9DB5FA.EXE	43
PID 1908 wrote to memory of 592	1908	XP-AB9DB5FA.EXE	43
PID 1908 wrote to memory of 2188	1908	XP-AB9DB5FA.EXE	44
PID 1908 wrote to memory of 2188	1908	XP-AB9DB5FA.EXE	44
PID 1908 wrote to memory of 2188	1908	XP-AB9DB5FA.EXE	44
PID 1908 wrote to memory of 2188	1908	XP-AB9DB5FA.EXE	44
PID 2188 wrote to memory of 2276	2188	XP-AB9DB5FA.EXE	46
PID 2188 wrote to memory of 2276	2188	XP-AB9DB5FA.EXE	46
PID 2188 wrote to memory of 2276	2188	XP-AB9DB5FA.EXE	46
PID 2188 wrote to memory of 2276	2188	XP-AB9DB5FA.EXE	46

C:\Users\Admin\AppData\Local\Temp\f378623cbc763412be864561511370ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f378623cbc763412be864561511370ae_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\f378623cbc763412be864561511370ae_JaffaCakes118
  2⤵
  PID:2612
- C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
  C:\Windows\system32\XP-AB9DB5FA.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\XP-AB9DB5FA
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
    C:\Windows\system32\XP-AB9DB5FA.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\XP-AB9DB5FA
      4⤵
      PID:2692
  - - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
      C:\Windows\system32\XP-AB9DB5FA.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        5⤵
        
        PID:2344
    - - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        6⤵
        
        PID:2932
      - C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        7⤵
        
        PID:592
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        8⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        8⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        9⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        9⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        10⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        10⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        11⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        11⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        12⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        12⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        13⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        13⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        14⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        14⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        15⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        15⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        16⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        16⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        17⤵
        
        PID:784
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        17⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        18⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        18⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        19⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        19⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        20⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        20⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        21⤵
        
        PID:688
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        21⤵
        
        PID:996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        22⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        22⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        23⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        23⤵
        
        PID:884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        24⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        24⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        25⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        25⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        26⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        26⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        27⤵
        
        PID:640
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        27⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        28⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        28⤵
        
        PID:996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        29⤵
        
        PID:924
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        29⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        30⤵
        
        PID:688
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        30⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        31⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        31⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        32⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        32⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        33⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        33⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        34⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        34⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        35⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        35⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        36⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        36⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        37⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        37⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        38⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        38⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        39⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        39⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        40⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        40⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        41⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        41⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        42⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        42⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        43⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        43⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        44⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        44⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        45⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        45⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        46⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        46⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        47⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        47⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        48⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        48⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        49⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        49⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        50⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        50⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        51⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        51⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        52⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        52⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        53⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        53⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-AB9DB5FA
        54⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\XP-AB9DB5FA.EXE
        
        C:\Windows\system32\XP-AB9DB5FA.EXE
        54⤵
        
        PID:4608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2840

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1784

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4048

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3956

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3276

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4432

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
a67daddcb30335163cf7d99f282f5ae0

SHA1
c033169006bef68bebfa77405c4a35688ab41a99

SHA256
8027e7512cf17388b14c3e2bbf9c3700f875c26d942a4dd27d1dcf8203a192f8

SHA512
16cb5cffdf935d10bb06b86b874a63e9594e4854359885890fe4641f0e4329fd047daa5f0ddd5a02d241974834b67666b2ad65ef791e110d29637434057808c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
25b794b18bd8d03dc9530111cbce4173

SHA1
a6774d62bd1e9497fdfe6c61c495011fc6c274c6

SHA256
81757b48f2caecd6fd4f6699906e9320704c10b5c5dadc6c796b9809f0359ee4

SHA512
5892dc3c681571b2130695c4e8f598e732462746b9f5b8e7689108e393fb6d4edc32c97ef1f39f0c0abc901a590677f92c1abd1b809e5a875d025f4131d831ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
56e9e121d68b5631a360d56b2ef4777f

SHA1
e9d11a2baf46769c90ee1671cd17072efd8cfb52

SHA256
c247997b04fc5535bb07ab43c3628326c6365aa6a0bd82a6f380b8ab66a09d2f

SHA512
1ef52e0283d286a308fa1c927ff12aa43975a49d94d9386ee4a02b7e4f47de2e239a340a4427534c73c0039ea2c249e91b68f2dce1dfebf13c9879c4ea60b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
68KB

MD5
1518651c682109e9b9c304c9c109d777

SHA1
6c440810bf11907fc16dbca17a9494377c0bdcf1

SHA256
0496ea1f78bf11204491388bc9c1dfbb49bebdaeffe32717bffdf688b148bfaa

SHA512
e6e03475b37f8463ac47dd559b31b81e254b07280e083200e21cc66f022c8730d45924776684d96e6bc1ce2d5cf9350a13ca37cda966de1c430eeec602e00535

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
260KB

MD5
ce2f773275d3fe8b78f4cf067d5e6a0f

SHA1
b7135e34d46eb4303147492d5cee5e1ef7b392ab

SHA256
eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d

SHA512
d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
1081d7eb7a17faedfa588b93fc85365e

SHA1
884e264fa37bfb9e71d24f3f5c7554fdf94a8b9f

SHA256
0351d055cf1e194302ab125cc93208a8c733efb45dc301ca6e7e2a4051f411e0

SHA512
1ff9e7c495b9e005c8d3b56219794c31d804fe1944429e3d4fe013fd8fcb3f51c02b588748c7d9d869fdb115851932e8db4e6792aecd9c83f28237702582ba81

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
d54753e7fc3ea03aec0181447969c0e8

SHA1
824e7007b6569ae36f174c146ae1b7242f98f734

SHA256
192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9

SHA512
c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

Download Submit
\Windows\SysWOW64\XP-AB9DB5FA.EXE

Filesize
1.3MB

MD5
f378623cbc763412be864561511370ae

SHA1
7b5cd8cbd4595da3d21f9b6e2e126dbefa6c6abd

SHA256
d48fd97e81f9a59e85f04d92d680a5c16be3a31a4ec2e0e3c3cfcece07aab707

SHA512
e9634008282c38a9b2980bd595143cafff85f0d636085040d3dd256e3f1aa7a917460827a7b5b93b6551274d514e7115607b4a58e608bf1cd10af7fbace321b3

Download Submit
memory/540-224-0x0000000003B80000-0x0000000003B81000-memory.dmp

Filesize
4KB

Download
memory/540-171-0x0000000003B80000-0x0000000003B81000-memory.dmp

Filesize
4KB

Download
memory/816-223-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/816-169-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/1028-276-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/1036-200-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/1036-143-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/1052-198-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/1052-253-0x0000000003B00000-0x0000000003B01000-memory.dmp

Filesize
4KB

Download
memory/1056-275-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1104-262-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/1256-234-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1256-207-0x0000000002230000-0x0000000002268000-memory.dmp

Filesize
224KB

Download
memory/1256-206-0x0000000002230000-0x0000000002268000-memory.dmp

Filesize
224KB

Download
memory/1256-197-0x0000000000570000-0x000000000058E000-memory.dmp

Filesize
120KB

Download
memory/1256-194-0x0000000001FC0000-0x000000000200A000-memory.dmp

Filesize
296KB

Download
memory/1336-165-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/1336-98-0x0000000002C50000-0x0000000002C51000-memory.dmp

Filesize
4KB

Download
memory/1348-185-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1348-237-0x00000000035E0000-0x00000000035E1000-memory.dmp

Filesize
4KB

Download
memory/1632-30-0x0000000000480000-0x00000000004B8000-memory.dmp

Filesize
224KB

Download
memory/1632-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1632-16-0x0000000000440000-0x000000000045E000-memory.dmp

Filesize
120KB

Download
memory/1632-19-0x0000000000460000-0x0000000000471000-memory.dmp

Filesize
68KB

Download
memory/1632-77-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1632-25-0x0000000000480000-0x00000000004B8000-memory.dmp

Filesize
224KB

Download
memory/1632-12-0x0000000000220000-0x000000000026A000-memory.dmp

Filesize
296KB

Download
memory/1784-261-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/1908-139-0x00000000003A0000-0x00000000003EA000-memory.dmp

Filesize
296KB

Download
memory/1908-174-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1908-128-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1968-274-0x0000000001E00000-0x0000000001E38000-memory.dmp

Filesize
224KB

Download
memory/1968-269-0x0000000001E00000-0x0000000001E38000-memory.dmp

Filesize
224KB

Download
memory/2032-124-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/2032-187-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/2140-209-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2140-167-0x0000000000390000-0x00000000003DA000-memory.dmp

Filesize
296KB

Download
memory/2140-175-0x0000000000490000-0x00000000004C8000-memory.dmp

Filesize
224KB

Download
memory/2140-162-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2156-122-0x0000000001EA0000-0x0000000001EB1000-memory.dmp

Filesize
68KB

Download
memory/2156-116-0x00000000005D0000-0x000000000061A000-memory.dmp

Filesize
296KB

Download
memory/2156-120-0x0000000000740000-0x000000000075E000-memory.dmp

Filesize
120KB

Download
memory/2156-163-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2156-105-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2188-153-0x0000000000520000-0x000000000056A000-memory.dmp

Filesize
296KB

Download
memory/2188-156-0x0000000000590000-0x00000000005A1000-memory.dmp

Filesize
68KB

Download
memory/2188-157-0x0000000002180000-0x00000000021B8000-memory.dmp

Filesize
224KB

Download
memory/2188-155-0x00000000004E0000-0x00000000004FE000-memory.dmp

Filesize
120KB

Download
memory/2188-170-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2220-180-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2220-183-0x0000000000300000-0x000000000031E000-memory.dmp

Filesize
120KB

Download
memory/2220-184-0x0000000000540000-0x0000000000551000-memory.dmp

Filesize
68KB

Download
memory/2220-220-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2220-188-0x0000000000560000-0x0000000000598000-memory.dmp

Filesize
224KB

Download
memory/2220-189-0x0000000000560000-0x0000000000598000-memory.dmp

Filesize
224KB

Download
memory/2332-247-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2332-248-0x00000000002D0000-0x000000000031A000-memory.dmp

Filesize
296KB

Download
memory/2332-254-0x00000000003C0000-0x00000000003F8000-memory.dmp

Filesize
224KB

Download
memory/2332-255-0x00000000003C0000-0x00000000003F8000-memory.dmp

Filesize
224KB

Download
memory/2432-221-0x0000000001D20000-0x0000000001D3E000-memory.dmp

Filesize
120KB

Download
memory/2432-252-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2432-218-0x0000000001F60000-0x0000000001FAA000-memory.dmp

Filesize
296KB

Download
memory/2432-227-0x0000000001E30000-0x0000000001E68000-memory.dmp

Filesize
224KB

Download
memory/2432-222-0x0000000001D90000-0x0000000001DA1000-memory.dmp

Filesize
68KB

Download
memory/2552-46-0x0000000001EE0000-0x0000000001F2A000-memory.dmp

Filesize
296KB

Download
memory/2552-68-0x0000000001D80000-0x0000000001DB8000-memory.dmp

Filesize
224KB

Download
memory/2552-54-0x0000000001D50000-0x0000000001D61000-memory.dmp

Filesize
68KB

Download
memory/2552-43-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2552-50-0x00000000003D0000-0x00000000003EE000-memory.dmp

Filesize
120KB

Download
memory/2552-118-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2624-236-0x0000000003A90000-0x0000000003A91000-memory.dmp

Filesize
4KB

Download
memory/2628-268-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/2628-225-0x0000000003A80000-0x0000000003A81000-memory.dmp

Filesize
4KB

Download
memory/2636-213-0x00000000006D0000-0x0000000000708000-memory.dmp

Filesize
224KB

Download
memory/2636-211-0x00000000004C0000-0x00000000004DE000-memory.dmp

Filesize
120KB

Download
memory/2636-212-0x0000000000670000-0x0000000000681000-memory.dmp

Filesize
68KB

Download
memory/2636-205-0x0000000000440000-0x000000000048A000-memory.dmp

Filesize
296KB

Download
memory/2636-210-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-100-0x00000000005D0000-0x00000000005E1000-memory.dmp

Filesize
68KB

Download
memory/2884-102-0x0000000001E00000-0x0000000001E38000-memory.dmp

Filesize
224KB

Download
memory/2884-97-0x00000000005B0000-0x00000000005CE000-memory.dmp

Filesize
120KB

Download
memory/2884-148-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-91-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-93-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/2904-76-0x0000000001F30000-0x0000000001F41000-memory.dmp

Filesize
68KB

Download
memory/2904-73-0x0000000001CD0000-0x0000000001CEE000-memory.dmp

Filesize
120KB

Download
memory/2904-74-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2904-80-0x0000000001F50000-0x0000000001F88000-memory.dmp

Filesize
224KB

Download
memory/3004-246-0x0000000000540000-0x0000000000578000-memory.dmp

Filesize
224KB

Download
memory/3004-245-0x0000000000540000-0x0000000000578000-memory.dmp

Filesize
224KB

Download
memory/3004-239-0x00000000002B0000-0x00000000002CE000-memory.dmp

Filesize
120KB

Download
memory/3004-240-0x00000000002E0000-0x00000000002F1000-memory.dmp

Filesize
68KB

Download
memory/3004-232-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3004-278-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3020-55-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download
memory/3020-51-0x0000000003D10000-0x0000000003D20000-memory.dmp

Filesize
64KB

Download
memory/3020-140-0x0000000003D00000-0x0000000003D01000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads