70d0731783025bc10709457c350f85118748952bd1332403bbfeeb4a1f2f029f

Analysis

max time kernel
59s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
Size

1.2MB
MD5

8313034f113d4ccdcfa5e0e2b4beac38
SHA1

3a9618b50152569237906ef88f99cd50e38d8ec2
SHA256

70d0731783025bc10709457c350f85118748952bd1332403bbfeeb4a1f2f029f
SHA512

a80be90dfa5d4717ad23515d6e766477cb6b0a467d0cfc1236fd3342d612b8d1663ed9af03540df152fd2f93a005e0092f51cfb37d5bc6b5076ce6fe1b3048c0
SSDEEP

24576:2Tp9gaTW9b2aHLlc5nVK3kSLcOY1MdF5MfSe54pXl88M69DTLx:2Tp9/Tqbtrl4nVK3kS+14F5i54pyN6DB

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2692	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2696	XP-FEBFA1C7.EXE
2940	XP-FEBFA1C7.EXE
3036	XP-FEBFA1C7.EXE
3028	XP-FEBFA1C7.EXE
2852	XP-FEBFA1C7.EXE
528	XP-FEBFA1C7.EXE
2764	XP-FEBFA1C7.EXE
2252	XP-FEBFA1C7.EXE
2676	XP-FEBFA1C7.EXE
900	XP-FEBFA1C7.EXE
1756	XP-FEBFA1C7.EXE
2368	XP-FEBFA1C7.EXE
1388	XP-FEBFA1C7.EXE
2212	XP-FEBFA1C7.EXE
2532	XP-FEBFA1C7.EXE
2812	XP-FEBFA1C7.EXE
1140	XP-FEBFA1C7.EXE
2644	XP-FEBFA1C7.EXE
1388	XP-FEBFA1C7.EXE
3196	XP-FEBFA1C7.EXE
3344	XP-FEBFA1C7.EXE
3488	XP-FEBFA1C7.EXE
3632	XP-FEBFA1C7.EXE
3772	XP-FEBFA1C7.EXE
3920	XP-FEBFA1C7.EXE
4052	XP-FEBFA1C7.EXE
3180	XP-FEBFA1C7.EXE
3312	XP-FEBFA1C7.EXE
3656	XP-FEBFA1C7.EXE
3872	XP-FEBFA1C7.EXE
4020	XP-FEBFA1C7.EXE
1564	XP-FEBFA1C7.EXE
3832	XP-FEBFA1C7.EXE
3164	XP-FEBFA1C7.EXE
3944	XP-FEBFA1C7.EXE
3640	XP-FEBFA1C7.EXE
3872	XP-FEBFA1C7.EXE
4100	XP-FEBFA1C7.EXE
4240	XP-FEBFA1C7.EXE
4376	XP-FEBFA1C7.EXE
4528	XP-FEBFA1C7.EXE
4684	XP-FEBFA1C7.EXE
4812	XP-FEBFA1C7.EXE
4956	XP-FEBFA1C7.EXE
5108	XP-FEBFA1C7.EXE
4212	XP-FEBFA1C7.EXE
4512	XP-FEBFA1C7.EXE
4660	XP-FEBFA1C7.EXE
4532	XP-FEBFA1C7.EXE
4200	XP-FEBFA1C7.EXE
4344	XP-FEBFA1C7.EXE
4912	XP-FEBFA1C7.EXE
4616	XP-FEBFA1C7.EXE
928	XP-FEBFA1C7.EXE
5028	XP-FEBFA1C7.EXE

Loads dropped DLL 64 IoCs

pid	Process
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2696	XP-FEBFA1C7.EXE
2696	XP-FEBFA1C7.EXE
2696	XP-FEBFA1C7.EXE
2696	XP-FEBFA1C7.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 64 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XP-FEBFA1C7.EXE	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XP-FEBFA1C7.EXE	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-FEBFA1C7.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
2692	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
1948	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
2708	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
1508	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
3048	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
1804	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2300	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2144	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2076	XP-FEBFA1C7.EXE
2696	XP-FEBFA1C7.EXE
2696	XP-FEBFA1C7.EXE
2696	XP-FEBFA1C7.EXE
2696	XP-FEBFA1C7.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 2688	2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2688	2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2688	2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2688	2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe	30
PID 2624 wrote to memory of 2692	2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2692	2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2692	2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe	32
PID 2624 wrote to memory of 2692	2624	8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe	32
PID 2692 wrote to memory of 2596	2692	XP-FEBFA1C7.EXE	33
PID 2692 wrote to memory of 2596	2692	XP-FEBFA1C7.EXE	33
PID 2692 wrote to memory of 2596	2692	XP-FEBFA1C7.EXE	33
PID 2692 wrote to memory of 2596	2692	XP-FEBFA1C7.EXE	33
PID 2692 wrote to memory of 1948	2692	XP-FEBFA1C7.EXE	34
PID 2692 wrote to memory of 1948	2692	XP-FEBFA1C7.EXE	34
PID 2692 wrote to memory of 1948	2692	XP-FEBFA1C7.EXE	34
PID 2692 wrote to memory of 1948	2692	XP-FEBFA1C7.EXE	34
PID 1948 wrote to memory of 1576	1948	XP-FEBFA1C7.EXE	36
PID 1948 wrote to memory of 1576	1948	XP-FEBFA1C7.EXE	36
PID 1948 wrote to memory of 1576	1948	XP-FEBFA1C7.EXE	36
PID 1948 wrote to memory of 1576	1948	XP-FEBFA1C7.EXE	36
PID 1948 wrote to memory of 2708	1948	XP-FEBFA1C7.EXE	37
PID 1948 wrote to memory of 2708	1948	XP-FEBFA1C7.EXE	37
PID 1948 wrote to memory of 2708	1948	XP-FEBFA1C7.EXE	37
PID 1948 wrote to memory of 2708	1948	XP-FEBFA1C7.EXE	37
PID 2708 wrote to memory of 292	2708	XP-FEBFA1C7.EXE	39
PID 2708 wrote to memory of 292	2708	XP-FEBFA1C7.EXE	39
PID 2708 wrote to memory of 292	2708	XP-FEBFA1C7.EXE	39
PID 2708 wrote to memory of 292	2708	XP-FEBFA1C7.EXE	39
PID 2708 wrote to memory of 1508	2708	XP-FEBFA1C7.EXE	40
PID 2708 wrote to memory of 1508	2708	XP-FEBFA1C7.EXE	40
PID 2708 wrote to memory of 1508	2708	XP-FEBFA1C7.EXE	40
PID 2708 wrote to memory of 1508	2708	XP-FEBFA1C7.EXE	40
PID 1508 wrote to memory of 2928	1508	XP-FEBFA1C7.EXE	42
PID 1508 wrote to memory of 2928	1508	XP-FEBFA1C7.EXE	42
PID 1508 wrote to memory of 2928	1508	XP-FEBFA1C7.EXE	42
PID 1508 wrote to memory of 2928	1508	XP-FEBFA1C7.EXE	42
PID 1508 wrote to memory of 3048	1508	XP-FEBFA1C7.EXE	96
PID 1508 wrote to memory of 3048	1508	XP-FEBFA1C7.EXE	96
PID 1508 wrote to memory of 3048	1508	XP-FEBFA1C7.EXE	96
PID 1508 wrote to memory of 3048	1508	XP-FEBFA1C7.EXE	96
PID 3048 wrote to memory of 1028	3048	XP-FEBFA1C7.EXE	72
PID 3048 wrote to memory of 1028	3048	XP-FEBFA1C7.EXE	72
PID 3048 wrote to memory of 1028	3048	XP-FEBFA1C7.EXE	72
PID 3048 wrote to memory of 1028	3048	XP-FEBFA1C7.EXE	72
PID 3048 wrote to memory of 1804	3048	XP-FEBFA1C7.EXE	46
PID 3048 wrote to memory of 1804	3048	XP-FEBFA1C7.EXE	46
PID 3048 wrote to memory of 1804	3048	XP-FEBFA1C7.EXE	46
PID 3048 wrote to memory of 1804	3048	XP-FEBFA1C7.EXE	46
PID 1804 wrote to memory of 1640	1804	XP-FEBFA1C7.EXE	48
PID 1804 wrote to memory of 1640	1804	XP-FEBFA1C7.EXE	48
PID 1804 wrote to memory of 1640	1804	XP-FEBFA1C7.EXE	48
PID 1804 wrote to memory of 1640	1804	XP-FEBFA1C7.EXE	48
PID 1804 wrote to memory of 2300	1804	XP-FEBFA1C7.EXE	49
PID 1804 wrote to memory of 2300	1804	XP-FEBFA1C7.EXE	49
PID 1804 wrote to memory of 2300	1804	XP-FEBFA1C7.EXE	49
PID 1804 wrote to memory of 2300	1804	XP-FEBFA1C7.EXE	49
PID 2300 wrote to memory of 740	2300	XP-FEBFA1C7.EXE	51
PID 2300 wrote to memory of 740	2300	XP-FEBFA1C7.EXE	51
PID 2300 wrote to memory of 740	2300	XP-FEBFA1C7.EXE	51
PID 2300 wrote to memory of 740	2300	XP-FEBFA1C7.EXE	51
PID 2300 wrote to memory of 2144	2300	XP-FEBFA1C7.EXE	52
PID 2300 wrote to memory of 2144	2300	XP-FEBFA1C7.EXE	52
PID 2300 wrote to memory of 2144	2300	XP-FEBFA1C7.EXE	52
PID 2300 wrote to memory of 2144	2300	XP-FEBFA1C7.EXE	52

C:\Users\Admin\AppData\Local\Temp\8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\8313034f113d4ccdcfa5e0e2b4beac38_JaffaCakes118
  2⤵
  PID:2688
- C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
  C:\Windows\system32\XP-FEBFA1C7.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\XP-FEBFA1C7
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
    C:\Windows\system32\XP-FEBFA1C7.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\XP-FEBFA1C7
      4⤵
      PID:1576
  - - C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
      C:\Windows\system32\XP-FEBFA1C7.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        5⤵
        
        PID:292
    - - C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        6⤵
        
        PID:2928
      - C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        7⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        8⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        9⤵
        
        PID:740
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:2144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        10⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        11⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        13⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        14⤵
        
        PID:608
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        15⤵
        
        PID:908
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        15⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        16⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        16⤵
        Executes dropped EXE
        
        PID:528
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        17⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2764
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1136
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        20⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        22⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2368
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2532
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        26⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2812
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        28⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        28⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2644
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        29⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        29⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        30⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        30⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3456
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        32⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        33⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        33⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3632
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        34⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3772
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3876
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        35⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        36⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        36⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        37⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        37⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        39⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        39⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        40⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        40⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        41⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        41⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3352
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        42⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        43⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        43⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        44⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        44⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        45⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        45⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        46⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        47⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        47⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        48⤵
        System Location Discovery: System Language Discovery
        
        PID:3832
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        48⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        49⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        49⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        50⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        50⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4376
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        51⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        52⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        52⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        53⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        53⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:4920
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        54⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        55⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        55⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        57⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        58⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        58⤵
        Executes dropped EXE
        
        PID:4660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        59⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        59⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4532
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        60⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        60⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        61⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        61⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        62⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        63⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        64⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        64⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:928
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:5088
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        65⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        66⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        66⤵
        Writes to the Master Boot Record (MBR)
        
        PID:5096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        67⤵
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:5164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        68⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        68⤵
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:5308
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        69⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:5468
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        70⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        70⤵
        Writes to the Master Boot Record (MBR)
        
        PID:5604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5704
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        71⤵
        
        PID:5736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5852
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        72⤵
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:5892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:6000
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        73⤵
        Writes to the Master Boot Record (MBR)
        
        PID:6040
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        74⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        74⤵
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:5296
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        75⤵
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:5268
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:5560
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        76⤵
        Writes to the Master Boot Record (MBR)
        
        PID:5660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        77⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        77⤵
        Writes to the Master Boot Record (MBR)
        
        PID:5908
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:6060
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        78⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        79⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        79⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        80⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        80⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        81⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        81⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        82⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        82⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        83⤵
        
        PID:5592
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        83⤵
        
        PID:5724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        84⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        84⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        85⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        85⤵
        
        PID:6404
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        86⤵
        
        PID:6512
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        86⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        87⤵
        
        PID:6656
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        87⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        88⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        88⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        89⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        89⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        90⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        90⤵
        
        PID:5852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        91⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        91⤵
        
        PID:6060
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        92⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        92⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        93⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        93⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        94⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        94⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        95⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        95⤵
        
        PID:7160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        96⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        96⤵
        
        PID:6572
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        97⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        97⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        98⤵
        
        PID:7124
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        98⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        99⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        99⤵
        
        PID:6732
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        100⤵
        
        PID:6556
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        100⤵
        
        PID:6724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        101⤵
        
        PID:7152
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        101⤵
        
        PID:7176
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        102⤵
        
        PID:7296
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        102⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        103⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        103⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        104⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        104⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        105⤵
        
        PID:7748
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        105⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        106⤵
        
        PID:7896
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        106⤵
        
        PID:7932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        107⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        107⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        108⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        108⤵
        
        PID:7264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        109⤵
        
        PID:7504
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        109⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        110⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        110⤵
        
        PID:7800
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        111⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        111⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        112⤵
        
        PID:7192
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        112⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        113⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        113⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        114⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        114⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        115⤵
        
        PID:7312
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        115⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        116⤵
        
        PID:7412
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        116⤵
        
        PID:8072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        117⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        117⤵
        
        PID:7624
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        118⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        118⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        119⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        119⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        120⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        120⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        121⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        121⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        122⤵
        
        PID:8948
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        122⤵
        
        PID:8984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        123⤵
        
        PID:9100
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        123⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        124⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        124⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        125⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        125⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        126⤵
        
        PID:8792
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        126⤵
        
        PID:8508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        127⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        127⤵
        
        PID:9088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        128⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        128⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        129⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        129⤵
        
        PID:9000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        130⤵
        
        PID:8200
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        130⤵
        
        PID:628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        131⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        131⤵
        
        PID:8368
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        132⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        132⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        133⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        133⤵
        
        PID:8464
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        134⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        134⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        135⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        135⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        136⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        136⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        137⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        137⤵
        
        PID:2516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        138⤵
        
        PID:8900
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        138⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        139⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        139⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-FEBFA1C7
        140⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
        
        C:\Windows\system32\XP-FEBFA1C7.EXE
        140⤵
        
        PID:6220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2344

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2160

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2384

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1548

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2872

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3188

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3764

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3848

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3788

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3896

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4760

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5116

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4532

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:5156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:6032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5276

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5848

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6396

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6692

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1160

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7160

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8084

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8092

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8292

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1612

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2784

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fne

Filesize
164KB

MD5
a85d63acefa7a6fa639787e364c16892

SHA1
86ec32360c7ec9941b9411009de6aad0c83de46f

SHA256
d0b26b744a94a6dc22eba1b79089c4e1f45db18a68a9b02f58f017b94873dcb8

SHA512
fd12fbeab738358b47836badaf635511ea819fb5a35de4065b68d9b6f7e0f5eb443a7363164f32e8308701e78f2279c9c481038d09a2aa92a4ec184a91a2b9e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
25b794b18bd8d03dc9530111cbce4173

SHA1
a6774d62bd1e9497fdfe6c61c495011fc6c274c6

SHA256
81757b48f2caecd6fd4f6699906e9320704c10b5c5dadc6c796b9809f0359ee4

SHA512
5892dc3c681571b2130695c4e8f598e732462746b9f5b8e7689108e393fb6d4edc32c97ef1f39f0c0abc901a590677f92c1abd1b809e5a875d025f4131d831ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
56e9e121d68b5631a360d56b2ef4777f

SHA1
e9d11a2baf46769c90ee1671cd17072efd8cfb52

SHA256
c247997b04fc5535bb07ab43c3628326c6365aa6a0bd82a6f380b8ab66a09d2f

SHA512
1ef52e0283d286a308fa1c927ff12aa43975a49d94d9386ee4a02b7e4f47de2e239a340a4427534c73c0039ea2c249e91b68f2dce1dfebf13c9879c4ea60b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
72KB

MD5
c4337f54ceb6765fda33f96b8408c013

SHA1
242e447d71a346366526a721532b0d47d5d62239

SHA256
a3525832c5922696002c33ca8658a53a3bbcdd46a1e172ee1f5e815f037b7c08

SHA512
2bc2d4648b971f94e789815ce946578d412b585158056f10d2be147e194dfa8f4bd211eecb86b76aa78233da72b2544398945ca2850268109c6f3ef7e44a8c9c

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
260KB

MD5
ce2f773275d3fe8b78f4cf067d5e6a0f

SHA1
b7135e34d46eb4303147492d5cee5e1ef7b392ab

SHA256
eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d

SHA512
d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
1081d7eb7a17faedfa588b93fc85365e

SHA1
884e264fa37bfb9e71d24f3f5c7554fdf94a8b9f

SHA256
0351d055cf1e194302ab125cc93208a8c733efb45dc301ca6e7e2a4051f411e0

SHA512
1ff9e7c495b9e005c8d3b56219794c31d804fe1944429e3d4fe013fd8fcb3f51c02b588748c7d9d869fdb115851932e8db4e6792aecd9c83f28237702582ba81

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
d54753e7fc3ea03aec0181447969c0e8

SHA1
824e7007b6569ae36f174c146ae1b7242f98f734

SHA256
192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9

SHA512
c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

Download Submit
\Windows\SysWOW64\XP-FEBFA1C7.EXE

Filesize
1.2MB

MD5
8313034f113d4ccdcfa5e0e2b4beac38

SHA1
3a9618b50152569237906ef88f99cd50e38d8ec2

SHA256
70d0731783025bc10709457c350f85118748952bd1332403bbfeeb4a1f2f029f

SHA512
a80be90dfa5d4717ad23515d6e766477cb6b0a467d0cfc1236fd3342d612b8d1663ed9af03540df152fd2f93a005e0092f51cfb37d5bc6b5076ce6fe1b3048c0

Download Submit
memory/528-266-0x0000000001C90000-0x0000000001CBA000-memory.dmp

Filesize
168KB

Download
memory/528-256-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/528-312-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/528-265-0x0000000001C90000-0x0000000001CBA000-memory.dmp

Filesize
168KB

Download
memory/900-313-0x0000000001E60000-0x0000000001E8A000-memory.dmp

Filesize
168KB

Download
memory/900-314-0x0000000001E60000-0x0000000001E8A000-memory.dmp

Filesize
168KB

Download
memory/900-307-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/900-356-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1140-435-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1140-398-0x0000000001C80000-0x0000000001CAA000-memory.dmp

Filesize
168KB

Download
memory/1140-397-0x0000000001C80000-0x0000000001CAA000-memory.dmp

Filesize
168KB

Download
memory/1388-392-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1388-351-0x0000000001DF0000-0x0000000001E1A000-memory.dmp

Filesize
168KB

Download
memory/1388-427-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/1388-428-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/1388-350-0x0000000001DF0000-0x0000000001E1A000-memory.dmp

Filesize
168KB

Download
memory/1508-101-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1508-224-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1508-117-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1508-115-0x0000000000340000-0x000000000035E000-memory.dmp

Filesize
120KB

Download
memory/1508-112-0x0000000001DC0000-0x0000000001E0A000-memory.dmp

Filesize
296KB

Download
memory/1756-315-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1756-324-0x0000000001CE0000-0x0000000001D0A000-memory.dmp

Filesize
168KB

Download
memory/1756-325-0x0000000001CE0000-0x0000000001D0A000-memory.dmp

Filesize
168KB

Download
memory/1756-369-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1804-148-0x0000000000520000-0x0000000000531000-memory.dmp

Filesize
68KB

Download
memory/1804-147-0x00000000004B0000-0x00000000004CE000-memory.dmp

Filesize
120KB

Download
memory/1804-145-0x0000000001D90000-0x0000000001DDA000-memory.dmp

Filesize
296KB

Download
memory/1804-150-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1804-153-0x0000000001F00000-0x0000000001F2A000-memory.dmp

Filesize
168KB

Download
memory/1804-154-0x0000000001F00000-0x0000000001F2A000-memory.dmp

Filesize
168KB

Download
memory/1948-70-0x00000000003B0000-0x00000000003FA000-memory.dmp

Filesize
296KB

Download
memory/1948-75-0x0000000000550000-0x0000000000561000-memory.dmp

Filesize
68KB

Download
memory/1948-79-0x0000000000570000-0x000000000059A000-memory.dmp

Filesize
168KB

Download
memory/1948-171-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1948-59-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1948-73-0x0000000000530000-0x000000000054E000-memory.dmp

Filesize
120KB

Download
memory/2076-183-0x00000000006C0000-0x00000000006DE000-memory.dmp

Filesize
120KB

Download
memory/2076-194-0x0000000000810000-0x000000000083A000-memory.dmp

Filesize
168KB

Download
memory/2076-184-0x00000000006E0000-0x00000000006F1000-memory.dmp

Filesize
68KB

Download
memory/2076-193-0x0000000000810000-0x000000000083A000-memory.dmp

Filesize
168KB

Download
memory/2076-181-0x00000000005C0000-0x000000000060A000-memory.dmp

Filesize
296KB

Download
memory/2076-186-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2144-173-0x0000000000380000-0x00000000003CA000-memory.dmp

Filesize
296KB

Download
memory/2144-170-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2144-257-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2144-180-0x0000000000470000-0x000000000049A000-memory.dmp

Filesize
168KB

Download
memory/2144-185-0x0000000000470000-0x000000000049A000-memory.dmp

Filesize
168KB

Download
memory/2212-362-0x0000000001E70000-0x0000000001E9A000-memory.dmp

Filesize
168KB

Download
memory/2212-361-0x0000000001E70000-0x0000000001E9A000-memory.dmp

Filesize
168KB

Download
memory/2212-404-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2252-289-0x0000000001E80000-0x0000000001EAA000-memory.dmp

Filesize
168KB

Download
memory/2252-334-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2252-288-0x0000000001E80000-0x0000000001EAA000-memory.dmp

Filesize
168KB

Download
memory/2300-249-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2300-168-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/2300-160-0x0000000000330000-0x000000000037A000-memory.dmp

Filesize
296KB

Download
memory/2300-162-0x0000000000440000-0x000000000045E000-memory.dmp

Filesize
120KB

Download
memory/2300-169-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/2300-163-0x0000000000460000-0x0000000000471000-memory.dmp

Filesize
68KB

Download
memory/2368-339-0x0000000001DC0000-0x0000000001DEA000-memory.dmp

Filesize
168KB

Download
memory/2368-338-0x0000000001DC0000-0x0000000001DEA000-memory.dmp

Filesize
168KB

Download
memory/2368-380-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2368-326-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2532-363-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2532-416-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2532-374-0x0000000001ED0000-0x0000000001EFA000-memory.dmp

Filesize
168KB

Download
memory/2624-16-0x00000000002B0000-0x00000000002CE000-memory.dmp

Filesize
120KB

Download
memory/2624-25-0x0000000001CC0000-0x0000000001CEA000-memory.dmp

Filesize
168KB

Download
memory/2624-42-0x0000000001CC0000-0x0000000001CEA000-memory.dmp

Filesize
168KB

Download
memory/2624-19-0x0000000001CA0000-0x0000000001CB1000-memory.dmp

Filesize
68KB

Download
memory/2624-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2624-12-0x0000000001C50000-0x0000000001C9A000-memory.dmp

Filesize
296KB

Download
memory/2624-144-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2644-399-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2644-410-0x0000000000450000-0x000000000047A000-memory.dmp

Filesize
168KB

Download
memory/2644-411-0x0000000000450000-0x000000000047A000-memory.dmp

Filesize
168KB

Download
memory/2676-301-0x00000000004B0000-0x00000000004DA000-memory.dmp

Filesize
168KB

Download
memory/2676-346-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2676-300-0x00000000004B0000-0x00000000004DA000-memory.dmp

Filesize
168KB

Download
memory/2692-58-0x0000000001C90000-0x0000000001CBA000-memory.dmp

Filesize
168KB

Download
memory/2692-43-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-152-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-46-0x0000000001DE0000-0x0000000001E2A000-memory.dmp

Filesize
296KB

Download
memory/2692-53-0x0000000001C60000-0x0000000001C71000-memory.dmp

Filesize
68KB

Download
memory/2692-50-0x0000000001BF0000-0x0000000001C0E000-memory.dmp

Filesize
120KB

Download
memory/2692-55-0x0000000001C90000-0x0000000001CBA000-memory.dmp

Filesize
168KB

Download
memory/2696-205-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download
memory/2696-204-0x00000000005C0000-0x00000000005EA000-memory.dmp

Filesize
168KB

Download
memory/2696-196-0x0000000000370000-0x00000000003BA000-memory.dmp

Filesize
296KB

Download
memory/2696-198-0x00000000003C0000-0x00000000003DE000-memory.dmp

Filesize
120KB

Download
memory/2696-261-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2696-199-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2696-195-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2708-94-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/2708-96-0x0000000000450000-0x0000000000461000-memory.dmp

Filesize
68KB

Download
memory/2708-91-0x0000000000220000-0x000000000026A000-memory.dmp

Filesize
296KB

Download
memory/2708-187-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2764-327-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2764-278-0x0000000002660000-0x000000000268A000-memory.dmp

Filesize
168KB

Download
memory/2764-277-0x0000000002660000-0x000000000268A000-memory.dmp

Filesize
168KB

Download
memory/2812-386-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/2812-387-0x0000000000500000-0x000000000052A000-memory.dmp

Filesize
168KB

Download
memory/2812-422-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2852-296-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2852-250-0x0000000001E10000-0x0000000001E3A000-memory.dmp

Filesize
168KB

Download
memory/2852-255-0x0000000001E10000-0x0000000001E3A000-memory.dmp

Filesize
168KB

Download
memory/2940-210-0x0000000001E70000-0x0000000001E81000-memory.dmp

Filesize
68KB

Download
memory/2940-264-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2940-206-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2940-209-0x0000000000540000-0x000000000055E000-memory.dmp

Filesize
120KB

Download
memory/2940-207-0x0000000001EB0000-0x0000000001EFA000-memory.dmp

Filesize
296KB

Download
memory/2940-216-0x0000000002030000-0x000000000205A000-memory.dmp

Filesize
168KB

Download
memory/2940-217-0x0000000002030000-0x000000000205A000-memory.dmp

Filesize
168KB

Download
memory/3028-283-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3028-240-0x00000000005B0000-0x00000000005DA000-memory.dmp

Filesize
168KB

Download
memory/3028-239-0x00000000005B0000-0x00000000005DA000-memory.dmp

Filesize
168KB

Download
memory/3028-231-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3032-76-0x0000000003D10000-0x0000000003D20000-memory.dmp

Filesize
64KB

Download
memory/3036-218-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3036-220-0x0000000000430000-0x000000000047A000-memory.dmp

Filesize
296KB

Download
memory/3036-222-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/3036-223-0x0000000000480000-0x0000000000491000-memory.dmp

Filesize
68KB

Download
memory/3036-230-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/3036-229-0x00000000004E0000-0x000000000050A000-memory.dmp

Filesize
168KB

Download
memory/3036-271-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-149-0x00000000003C0000-0x00000000003EA000-memory.dmp

Filesize
168KB

Download
memory/3048-137-0x0000000000380000-0x000000000039E000-memory.dmp

Filesize
120KB

Download
memory/3048-139-0x00000000003A0000-0x00000000003B1000-memory.dmp

Filesize
68KB

Download
memory/3048-132-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3048-235-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3196-429-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3196-436-0x00000000004F0000-0x000000000051A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads