e8541ed4e1b8964fc1e8c31e528778e6bab6d338d7355cfac8888dbc080d8f46

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2024, 04:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
Size

1.2MB
MD5

0df5e54be8f532a54c73b01f9c25c1d6
SHA1

d92987052019161bc610184bf5a92084808ed58a
SHA256

e8541ed4e1b8964fc1e8c31e528778e6bab6d338d7355cfac8888dbc080d8f46
SHA512

687dff3e2ca201284d584f93f2ae87bda25b9f71bb35f702eb8cfbeb5a27c1abbef3dfa1a40d47cb578569e1db4173bb31fa4e2e6490a730474d4039f43bae1f
SSDEEP

24576:+vghg41N5L+s79FIY4ponf0e56xh3liEKKO7AynQedLSEgG:+vg/gq9FOC0esxh1i/ldQ2GEx

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
2740	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
3876	XP-0EE37CC5.EXE
4444	XP-0EE37CC5.EXE
4556	XP-0EE37CC5.EXE
1864	XP-0EE37CC5.EXE

Loads dropped DLL 64 IoCs

pid	Process
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
3876	XP-0EE37CC5.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 12 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs

pid	Process
500	explorer.exe
400	explorer.exe
4480	explorer.exe
4864	explorer.exe
3108	explorer.exe
2512	explorer.exe
2980	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
2740	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
3696	XP-0EE37CC5.EXE
500	explorer.exe
500	explorer.exe
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
2892	XP-0EE37CC5.EXE
400	explorer.exe
400	explorer.exe
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
2908	XP-0EE37CC5.EXE
4480	explorer.exe
4480	explorer.exe
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1792	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
1544	XP-0EE37CC5.EXE
4864	explorer.exe
4864	explorer.exe
1544	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3328	XP-0EE37CC5.EXE
3108	explorer.exe
3108	explorer.exe
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE
412	XP-0EE37CC5.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 2548	3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe	89
PID 3944 wrote to memory of 2548	3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe	89
PID 3944 wrote to memory of 2548	3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe	89
PID 3944 wrote to memory of 2740	3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe	91
PID 3944 wrote to memory of 2740	3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe	91
PID 3944 wrote to memory of 2740	3944	0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe	91
PID 2740 wrote to memory of 2404	2740	XP-0EE37CC5.EXE	92
PID 2740 wrote to memory of 2404	2740	XP-0EE37CC5.EXE	92
PID 2740 wrote to memory of 2404	2740	XP-0EE37CC5.EXE	92
PID 2740 wrote to memory of 3696	2740	XP-0EE37CC5.EXE	93
PID 2740 wrote to memory of 3696	2740	XP-0EE37CC5.EXE	93
PID 2740 wrote to memory of 3696	2740	XP-0EE37CC5.EXE	93
PID 3696 wrote to memory of 3216	3696	XP-0EE37CC5.EXE	130
PID 3696 wrote to memory of 3216	3696	XP-0EE37CC5.EXE	130
PID 3696 wrote to memory of 3216	3696	XP-0EE37CC5.EXE	130
PID 3696 wrote to memory of 2892	3696	XP-0EE37CC5.EXE	96
PID 3696 wrote to memory of 2892	3696	XP-0EE37CC5.EXE	96
PID 3696 wrote to memory of 2892	3696	XP-0EE37CC5.EXE	96
PID 2892 wrote to memory of 2164	2892	XP-0EE37CC5.EXE	98
PID 2892 wrote to memory of 2164	2892	XP-0EE37CC5.EXE	98
PID 2892 wrote to memory of 2164	2892	XP-0EE37CC5.EXE	98
PID 2892 wrote to memory of 2908	2892	XP-0EE37CC5.EXE	99
PID 2892 wrote to memory of 2908	2892	XP-0EE37CC5.EXE	99
PID 2892 wrote to memory of 2908	2892	XP-0EE37CC5.EXE	99
PID 2908 wrote to memory of 1104	2908	XP-0EE37CC5.EXE	101
PID 2908 wrote to memory of 1104	2908	XP-0EE37CC5.EXE	101
PID 2908 wrote to memory of 1104	2908	XP-0EE37CC5.EXE	101
PID 2908 wrote to memory of 1792	2908	XP-0EE37CC5.EXE	102
PID 2908 wrote to memory of 1792	2908	XP-0EE37CC5.EXE	102
PID 2908 wrote to memory of 1792	2908	XP-0EE37CC5.EXE	102
PID 1792 wrote to memory of 1064	1792	XP-0EE37CC5.EXE	104
PID 1792 wrote to memory of 1064	1792	XP-0EE37CC5.EXE	104
PID 1792 wrote to memory of 1064	1792	XP-0EE37CC5.EXE	104
PID 1792 wrote to memory of 1544	1792	XP-0EE37CC5.EXE	105
PID 1792 wrote to memory of 1544	1792	XP-0EE37CC5.EXE	105
PID 1792 wrote to memory of 1544	1792	XP-0EE37CC5.EXE	105
PID 1544 wrote to memory of 4688	1544	XP-0EE37CC5.EXE	299
PID 1544 wrote to memory of 4688	1544	XP-0EE37CC5.EXE	299
PID 1544 wrote to memory of 4688	1544	XP-0EE37CC5.EXE	299
PID 1544 wrote to memory of 3328	1544	XP-0EE37CC5.EXE	108
PID 1544 wrote to memory of 3328	1544	XP-0EE37CC5.EXE	108
PID 1544 wrote to memory of 3328	1544	XP-0EE37CC5.EXE	108
PID 3328 wrote to memory of 4204	3328	XP-0EE37CC5.EXE	110
PID 3328 wrote to memory of 4204	3328	XP-0EE37CC5.EXE	110
PID 3328 wrote to memory of 4204	3328	XP-0EE37CC5.EXE	110
PID 3328 wrote to memory of 412	3328	XP-0EE37CC5.EXE	111
PID 3328 wrote to memory of 412	3328	XP-0EE37CC5.EXE	111
PID 3328 wrote to memory of 412	3328	XP-0EE37CC5.EXE	111
PID 412 wrote to memory of 708	412	XP-0EE37CC5.EXE	129
PID 412 wrote to memory of 708	412	XP-0EE37CC5.EXE	129
PID 412 wrote to memory of 708	412	XP-0EE37CC5.EXE	129
PID 412 wrote to memory of 3876	412	XP-0EE37CC5.EXE	114
PID 412 wrote to memory of 3876	412	XP-0EE37CC5.EXE	114
PID 412 wrote to memory of 3876	412	XP-0EE37CC5.EXE	114
PID 3876 wrote to memory of 3120	3876	XP-0EE37CC5.EXE	117
PID 3876 wrote to memory of 3120	3876	XP-0EE37CC5.EXE	117
PID 3876 wrote to memory of 3120	3876	XP-0EE37CC5.EXE	117
PID 3876 wrote to memory of 4444	3876	XP-0EE37CC5.EXE	148
PID 3876 wrote to memory of 4444	3876	XP-0EE37CC5.EXE	148
PID 3876 wrote to memory of 4444	3876	XP-0EE37CC5.EXE	148
PID 4444 wrote to memory of 2644	4444	XP-0EE37CC5.EXE	336
PID 4444 wrote to memory of 2644	4444	XP-0EE37CC5.EXE	336
PID 4444 wrote to memory of 2644	4444	XP-0EE37CC5.EXE	336
PID 4444 wrote to memory of 4556	4444	XP-0EE37CC5.EXE	138

C:\Users\Admin\AppData\Local\Temp\0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\0df5e54be8f532a54c73b01f9c25c1d6_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- C:\Windows\SysWOW64\XP-0EE37CC5.EXE
  C:\Windows\system32\XP-0EE37CC5.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\XP-0EE37CC5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404
- - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
    C:\Windows\system32\XP-0EE37CC5.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\XP-0EE37CC5
      4⤵
      System Location Discovery: System Language Discovery
      PID:3216
  - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
      C:\Windows\system32\XP-0EE37CC5.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2164
    - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2908
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1104
      - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1792
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:708
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1864
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        14⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        14⤵
        
        PID:324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        15⤵
        
        PID:708
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        15⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        16⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        16⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        17⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        17⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        18⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        18⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        19⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        19⤵
        
        PID:324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        20⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        20⤵
        
        PID:1260
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        21⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        21⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        22⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        22⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        23⤵
        
        PID:1108
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        23⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        24⤵
        
        PID:5224
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        24⤵
        
        PID:5288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        25⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        25⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        26⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        26⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        27⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        27⤵
        
        PID:5912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        28⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        28⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        29⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        29⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        30⤵
        
        PID:5752
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        30⤵
        
        PID:5308
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        31⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        31⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        32⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        32⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        33⤵
        
        PID:5696
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        33⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        34⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        34⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        35⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        35⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        36⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        36⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        37⤵
        
        PID:6764
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        37⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        38⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        38⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        39⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        39⤵
        
        PID:7140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        40⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        40⤵
        
        PID:6448
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        41⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        41⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        42⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        42⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        43⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        43⤵
        
        PID:844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        44⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        44⤵
        
        PID:6852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        45⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        45⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        46⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        46⤵
        
        PID:6860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        47⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        47⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        48⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        48⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        49⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        49⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        50⤵
        
        PID:5128
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        50⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        51⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        51⤵
        
        PID:548
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        52⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        52⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        53⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        53⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        54⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        54⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        55⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        55⤵
        
        PID:7844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        56⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        56⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        57⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        57⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        58⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        58⤵
        
        PID:7400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        59⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        59⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        60⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        60⤵
        
        PID:7636
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        61⤵
        
        PID:5708
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        61⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        62⤵
        
        PID:5660
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        62⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        63⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        63⤵
        
        PID:6112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        64⤵
        
        PID:8076
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        64⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        65⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        65⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        66⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        66⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        67⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        67⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        68⤵
        
        PID:7280
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        68⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        69⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        69⤵
        
        PID:6920
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        70⤵
        
        PID:8264
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        70⤵
        
        PID:8308
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        71⤵
        
        PID:8444
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        71⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        72⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        72⤵
        
        PID:8676
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        73⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        73⤵
        
        PID:8868
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        74⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        74⤵
        
        PID:9096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        75⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        75⤵
        
        PID:8212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        76⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        76⤵
        
        PID:6708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        77⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        77⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        78⤵
        
        PID:8612
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        78⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        79⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        79⤵
        
        PID:8384
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        80⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        80⤵
        
        PID:8284
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        81⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        81⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        82⤵
        
        PID:8468
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        82⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        83⤵
        
        PID:5328
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        83⤵
        
        PID:9148
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        84⤵
        
        PID:5640
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        84⤵
        
        PID:8744
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        85⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        85⤵
        
        PID:7976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        86⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        86⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        87⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        87⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        88⤵
        
        PID:428
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        88⤵
        
        PID:5860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        89⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        89⤵
        
        PID:5520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        90⤵
        
        PID:9268
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        90⤵
        
        PID:9308
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        91⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        91⤵
        
        PID:9480
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        92⤵
        
        PID:9616
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        92⤵
        
        PID:9692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        93⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        93⤵
        
        PID:9852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        94⤵
        
        PID:10000
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        94⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        95⤵
        
        PID:10152
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        95⤵
        
        PID:10216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        96⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        96⤵
        
        PID:9368
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        97⤵
        
        PID:9476
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        97⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        98⤵
        
        PID:9336
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        98⤵
        
        PID:9640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        99⤵
        
        PID:9816
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        99⤵
        
        PID:10112
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        100⤵
        
        PID:9956
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        100⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        101⤵
        
        PID:10192
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        101⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        102⤵
        
        PID:10232
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        102⤵
        
        PID:6756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        103⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        103⤵
        
        PID:9848
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        104⤵
        
        PID:10032
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        104⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        105⤵
        
        PID:6536
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        105⤵
        
        PID:644
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        106⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        106⤵
        
        PID:9804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        107⤵
        
        PID:9220
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        107⤵
        
        PID:7752
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        108⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        108⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        109⤵
        
        PID:8080
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        109⤵
        
        PID:6352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        110⤵
        
        PID:8856
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        110⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        111⤵
        
        PID:9772
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        111⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        112⤵
        
        PID:8172
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        112⤵
        
        PID:6096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        113⤵
        
        PID:10392
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        113⤵
        
        PID:10440
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        114⤵
        
        PID:10660
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        114⤵
        
        PID:10712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        115⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        115⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        116⤵
        
        PID:11016
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        116⤵
        
        PID:11056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        117⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        117⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        118⤵
        
        PID:10352
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        118⤵
        
        PID:10544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        119⤵
        
        PID:10676
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        119⤵
        
        PID:10912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        120⤵
        
        PID:11080
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        120⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        121⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        121⤵
        
        PID:10348
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        122⤵
        
        PID:11060
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        122⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        123⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        123⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        124⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        124⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        125⤵
        
        PID:10884
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        125⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        126⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        126⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        127⤵
        
        PID:8460
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        127⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        128⤵
        
        PID:10556
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        128⤵
        
        PID:10252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4552

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4628,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3824 /prefetch:8
1⤵
PID:2684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:5052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2120

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2704

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:892

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1648

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4992

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6092

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6680

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4388

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7412

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1940

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8880

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8260

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8848

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4832

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6892

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10472

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10892

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6096

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10744

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1660

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10548

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
a67daddcb30335163cf7d99f282f5ae0

SHA1
c033169006bef68bebfa77405c4a35688ab41a99

SHA256
8027e7512cf17388b14c3e2bbf9c3700f875c26d942a4dd27d1dcf8203a192f8

SHA512
16cb5cffdf935d10bb06b86b874a63e9594e4854359885890fe4641f0e4329fd047daa5f0ddd5a02d241974834b67666b2ad65ef791e110d29637434057808c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
260KB

MD5
ce2f773275d3fe8b78f4cf067d5e6a0f

SHA1
b7135e34d46eb4303147492d5cee5e1ef7b392ab

SHA256
eb8099c0ad2d82d9d80530443e2909f3b34be0844d445e844f1c994476c86d2d

SHA512
d733dc01c047be56680629a385abdd2aa1598a2b5459269028446da9097b6f6c1e7ade5b74e3ac3809dd8a3f8d1cbbe7fd669f2762be61f9c38fd4a2cca9e063

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6d4b2e73f6f8ecff02f19f7e8ef9a8c7

SHA1
09c32ca167136a17fd69df8c525ea5ffeca6c534

SHA256
fe5783e64aa70fac10c2e42d460732d9770534357329d8bc78576557c165f040

SHA512
2fd7a95cb632e9c4ac6b34e5b6b875aae94e73cd4b1f213e78f46dadab4846227a030776461bca08f9d75a1d61a0d45427f7b0c8b71406b7debc14db04b2ce04

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
25b794b18bd8d03dc9530111cbce4173

SHA1
a6774d62bd1e9497fdfe6c61c495011fc6c274c6

SHA256
81757b48f2caecd6fd4f6699906e9320704c10b5c5dadc6c796b9809f0359ee4

SHA512
5892dc3c681571b2130695c4e8f598e732462746b9f5b8e7689108e393fb6d4edc32c97ef1f39f0c0abc901a590677f92c1abd1b809e5a875d025f4131d831ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
56e9e121d68b5631a360d56b2ef4777f

SHA1
e9d11a2baf46769c90ee1671cd17072efd8cfb52

SHA256
c247997b04fc5535bb07ab43c3628326c6365aa6a0bd82a6f380b8ab66a09d2f

SHA512
1ef52e0283d286a308fa1c927ff12aa43975a49d94d9386ee4a02b7e4f47de2e239a340a4427534c73c0039ea2c249e91b68f2dce1dfebf13c9879c4ea60b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
1081d7eb7a17faedfa588b93fc85365e

SHA1
884e264fa37bfb9e71d24f3f5c7554fdf94a8b9f

SHA256
0351d055cf1e194302ab125cc93208a8c733efb45dc301ca6e7e2a4051f411e0

SHA512
1ff9e7c495b9e005c8d3b56219794c31d804fe1944429e3d4fe013fd8fcb3f51c02b588748c7d9d869fdb115851932e8db4e6792aecd9c83f28237702582ba81

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
d54753e7fc3ea03aec0181447969c0e8

SHA1
824e7007b6569ae36f174c146ae1b7242f98f734

SHA256
192608ff371400c1529aa05f1adba0fe4fdd769fcbf35ee5f8b4f78a838a7ec9

SHA512
c25ed4cb38d5d5e95a267979f0f3f9398c04a1bf5822dceb03d6f6d9b4832dfb227f1e6868327e52a0303f45c36b9ba806e75b16bd7419a7c5203c2ecbae838f

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
68KB

MD5
1518651c682109e9b9c304c9c109d777

SHA1
6c440810bf11907fc16dbca17a9494377c0bdcf1

SHA256
0496ea1f78bf11204491388bc9c1dfbb49bebdaeffe32717bffdf688b148bfaa

SHA512
e6e03475b37f8463ac47dd559b31b81e254b07280e083200e21cc66f022c8730d45924776684d96e6bc1ce2d5cf9350a13ca37cda966de1c430eeec602e00535

Download Submit
C:\Windows\SysWOW64\XP-0EE37CC5.EXE

Filesize
1.2MB

MD5
0df5e54be8f532a54c73b01f9c25c1d6

SHA1
d92987052019161bc610184bf5a92084808ed58a

SHA256
e8541ed4e1b8964fc1e8c31e528778e6bab6d338d7355cfac8888dbc080d8f46

SHA512
687dff3e2ca201284d584f93f2ae87bda25b9f71bb35f702eb8cfbeb5a27c1abbef3dfa1a40d47cb578569e1db4173bb31fa4e2e6490a730474d4039f43bae1f

Download Submit
memory/324-212-0x0000000002720000-0x000000000273E000-memory.dmp

Filesize
120KB

Download
memory/324-209-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/324-288-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/324-213-0x0000000002740000-0x0000000002751000-memory.dmp

Filesize
68KB

Download
memory/324-210-0x0000000002140000-0x000000000218A000-memory.dmp

Filesize
296KB

Download
memory/324-259-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/324-234-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/412-190-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/412-162-0x00000000026E0000-0x00000000026FE000-memory.dmp

Filesize
120KB

Download
memory/412-163-0x0000000002700000-0x0000000002711000-memory.dmp

Filesize
68KB

Download
memory/412-160-0x0000000002220000-0x000000000226A000-memory.dmp

Filesize
296KB

Download
memory/412-159-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/548-601-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/548-576-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/844-526-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/844-497-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1260-294-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1260-269-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1544-175-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1544-141-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1544-142-0x0000000002010000-0x000000000205A000-memory.dmp

Filesize
296KB

Download
memory/1544-145-0x0000000002920000-0x0000000002931000-memory.dmp

Filesize
68KB

Download
memory/1544-144-0x00000000027D0000-0x00000000027EE000-memory.dmp

Filesize
120KB

Download
memory/1792-170-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1792-133-0x0000000002230000-0x000000000227A000-memory.dmp

Filesize
296KB

Download
memory/1792-135-0x0000000002480000-0x000000000249E000-memory.dmp

Filesize
120KB

Download
memory/1792-131-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1864-203-0x0000000002610000-0x0000000002621000-memory.dmp

Filesize
68KB

Download
memory/1864-202-0x00000000025F0000-0x000000000260E000-memory.dmp

Filesize
120KB

Download
memory/1864-201-0x0000000002280000-0x00000000022CA000-memory.dmp

Filesize
296KB

Download
memory/1864-231-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2740-54-0x0000000002640000-0x000000000265E000-memory.dmp

Filesize
120KB

Download
memory/2740-49-0x00000000022D0000-0x000000000231A000-memory.dmp

Filesize
296KB

Download
memory/2740-116-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2740-58-0x0000000002660000-0x0000000002671000-memory.dmp

Filesize
68KB

Download
memory/2892-100-0x00000000026E0000-0x00000000026F1000-memory.dmp

Filesize
68KB

Download
memory/2892-94-0x00000000006F0000-0x000000000073A000-memory.dmp

Filesize
296KB

Download
memory/2892-146-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2892-81-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2892-97-0x00000000026C0000-0x00000000026DE000-memory.dmp

Filesize
120KB

Download
memory/2908-164-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2908-113-0x0000000002240000-0x000000000228A000-memory.dmp

Filesize
296KB

Download
memory/2908-122-0x00000000026F0000-0x0000000002701000-memory.dmp

Filesize
68KB

Download
memory/2908-119-0x00000000026D0000-0x00000000026EE000-memory.dmp

Filesize
120KB

Download
memory/3208-322-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3208-299-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3212-239-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3212-264-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3216-244-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3216-214-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3216-223-0x00000000027F0000-0x0000000002801000-memory.dmp

Filesize
68KB

Download
memory/3216-221-0x0000000002090000-0x00000000020DA000-memory.dmp

Filesize
296KB

Download
memory/3328-183-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3328-151-0x0000000002320000-0x000000000236A000-memory.dmp

Filesize
296KB

Download
memory/3328-153-0x0000000002470000-0x000000000248E000-memory.dmp

Filesize
120KB

Download
memory/3328-154-0x00000000025E0000-0x00000000025F1000-memory.dmp

Filesize
68KB

Download
memory/3416-229-0x0000000002160000-0x00000000021AA000-memory.dmp

Filesize
296KB

Download
memory/3416-232-0x00000000023A0000-0x00000000023BE000-memory.dmp

Filesize
120KB

Download
memory/3416-254-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3416-233-0x0000000002410000-0x0000000002421000-memory.dmp

Filesize
68KB

Download
memory/3416-228-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3696-69-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3696-132-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3696-72-0x00000000022B0000-0x00000000022FA000-memory.dmp

Filesize
296KB

Download
memory/3876-195-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3876-169-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3876-174-0x0000000002800000-0x0000000002811000-memory.dmp

Filesize
68KB

Download
memory/3876-171-0x0000000002410000-0x000000000245A000-memory.dmp

Filesize
296KB

Download
memory/3944-28-0x00000000026C0000-0x00000000026D1000-memory.dmp

Filesize
68KB

Download
memory/3944-15-0x0000000002460000-0x00000000024AA000-memory.dmp

Filesize
296KB

Download
memory/3944-115-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/3944-22-0x0000000002570000-0x000000000258E000-memory.dmp

Filesize
120KB

Download
memory/3944-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4088-312-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4088-289-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4400-279-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4400-249-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4444-184-0x0000000002390000-0x00000000023AE000-memory.dmp

Filesize
120KB

Download
memory/4444-278-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4444-176-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4444-302-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4444-204-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4444-185-0x00000000025F0000-0x0000000002601000-memory.dmp

Filesize
68KB

Download
memory/4556-191-0x0000000002330000-0x000000000237A000-memory.dmp

Filesize
296KB

Download
memory/4556-193-0x0000000002420000-0x000000000243E000-memory.dmp

Filesize
120KB

Download
memory/4556-194-0x0000000003070000-0x0000000003081000-memory.dmp

Filesize
68KB

Download
memory/4556-219-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4808-388-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4808-359-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5124-348-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5124-371-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5272-575-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5272-547-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5288-334-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5288-309-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5308-393-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5308-368-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5340-411-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5340-387-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5472-349-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5472-315-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5476-398-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5476-421-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5696-358-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5696-325-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/5912-341-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6136-378-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6136-401-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6204-404-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6204-428-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6392-447-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6392-414-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6448-492-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6448-465-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6536-566-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6536-589-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6552-556-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6552-581-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6644-452-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6644-429-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6648-542-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6648-513-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6668-477-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6668-502-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6780-512-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6780-487-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6812-438-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6812-462-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6852-530-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6852-507-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6860-529-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6936-537-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6936-561-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/6972-472-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/7140-457-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/7140-486-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/7336-582-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/7500-596-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads