01a96940c20878157aa85abb198f7aa2c211d828bc15e32d5257298bb0635b4b

Analysis

max time kernel
32s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
Size

1.5MB
MD5

2530def488a99d27c611bc134e1e3934
SHA1

edd162e96a572b46fbcf8ba22ee21fefcf5bbc13
SHA256

01a96940c20878157aa85abb198f7aa2c211d828bc15e32d5257298bb0635b4b
SHA512

75e67dfdc12e0019b684051ebfa9525135ca6fa9bce8d487ee62dcadb77d073b1da44e09dae301b40a1f839955b75f0ceb016d9e3f8629bb62e91e868c18d0cf
SSDEEP

24576:nhTjcRKZWKxN31yueVCfDdij38ZW2bE95hR4KHGe7cFnohytzMkJcD+PDe:nBcRMvFaPsZW+E9PHH7kohyzJtre

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 27 IoCs

pid	Process
2772	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2368	XP-0EE37CC5.EXE
2396	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
1940	XP-0EE37CC5.EXE
832	XP-0EE37CC5.EXE
1812	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2392	XP-0EE37CC5.EXE
1020	XP-0EE37CC5.EXE
1776	XP-0EE37CC5.EXE
1016	XP-0EE37CC5.EXE
2592	XP-0EE37CC5.EXE
1076	XP-0EE37CC5.EXE
2392	XP-0EE37CC5.EXE
832	XP-0EE37CC5.EXE
1016	XP-0EE37CC5.EXE
1224	XP-0EE37CC5.EXE
2124	XP-0EE37CC5.EXE

Loads dropped DLL 64 IoCs

pid	Process
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2368	XP-0EE37CC5.EXE
2368	XP-0EE37CC5.EXE
2368	XP-0EE37CC5.EXE
2368	XP-0EE37CC5.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 27 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 200000001a00eebbfe2300001000d09ad3fd8f23af46adb46c85480369c700000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2772	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2856	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
2492	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
1484	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
2984	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1304	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
1992	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2000	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2664	XP-0EE37CC5.EXE
2368	XP-0EE37CC5.EXE
2368	XP-0EE37CC5.EXE
2368	XP-0EE37CC5.EXE
2368	XP-0EE37CC5.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2360	2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2360	2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2360	2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2360	2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	30
PID 2396 wrote to memory of 2772	2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	32
PID 2396 wrote to memory of 2772	2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	32
PID 2396 wrote to memory of 2772	2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	32
PID 2396 wrote to memory of 2772	2396	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	32
PID 2772 wrote to memory of 2852	2772	XP-0EE37CC5.EXE	33
PID 2772 wrote to memory of 2852	2772	XP-0EE37CC5.EXE	33
PID 2772 wrote to memory of 2852	2772	XP-0EE37CC5.EXE	33
PID 2772 wrote to memory of 2852	2772	XP-0EE37CC5.EXE	33
PID 2772 wrote to memory of 2856	2772	XP-0EE37CC5.EXE	34
PID 2772 wrote to memory of 2856	2772	XP-0EE37CC5.EXE	34
PID 2772 wrote to memory of 2856	2772	XP-0EE37CC5.EXE	34
PID 2772 wrote to memory of 2856	2772	XP-0EE37CC5.EXE	34
PID 2856 wrote to memory of 1680	2856	XP-0EE37CC5.EXE	36
PID 2856 wrote to memory of 1680	2856	XP-0EE37CC5.EXE	36
PID 2856 wrote to memory of 1680	2856	XP-0EE37CC5.EXE	36
PID 2856 wrote to memory of 1680	2856	XP-0EE37CC5.EXE	36
PID 2856 wrote to memory of 2492	2856	XP-0EE37CC5.EXE	37
PID 2856 wrote to memory of 2492	2856	XP-0EE37CC5.EXE	37
PID 2856 wrote to memory of 2492	2856	XP-0EE37CC5.EXE	37
PID 2856 wrote to memory of 2492	2856	XP-0EE37CC5.EXE	37
PID 2492 wrote to memory of 1676	2492	XP-0EE37CC5.EXE	38
PID 2492 wrote to memory of 1676	2492	XP-0EE37CC5.EXE	38
PID 2492 wrote to memory of 1676	2492	XP-0EE37CC5.EXE	38
PID 2492 wrote to memory of 1676	2492	XP-0EE37CC5.EXE	38
PID 2492 wrote to memory of 1484	2492	XP-0EE37CC5.EXE	40
PID 2492 wrote to memory of 1484	2492	XP-0EE37CC5.EXE	40
PID 2492 wrote to memory of 1484	2492	XP-0EE37CC5.EXE	40
PID 2492 wrote to memory of 1484	2492	XP-0EE37CC5.EXE	40
PID 1484 wrote to memory of 940	1484	XP-0EE37CC5.EXE	42
PID 1484 wrote to memory of 940	1484	XP-0EE37CC5.EXE	42
PID 1484 wrote to memory of 940	1484	XP-0EE37CC5.EXE	42
PID 1484 wrote to memory of 940	1484	XP-0EE37CC5.EXE	42
PID 1484 wrote to memory of 2984	1484	XP-0EE37CC5.EXE	77
PID 1484 wrote to memory of 2984	1484	XP-0EE37CC5.EXE	77
PID 1484 wrote to memory of 2984	1484	XP-0EE37CC5.EXE	77
PID 1484 wrote to memory of 2984	1484	XP-0EE37CC5.EXE	77
PID 2984 wrote to memory of 2924	2984	XP-0EE37CC5.EXE	45
PID 2984 wrote to memory of 2924	2984	XP-0EE37CC5.EXE	45
PID 2984 wrote to memory of 2924	2984	XP-0EE37CC5.EXE	45
PID 2984 wrote to memory of 2924	2984	XP-0EE37CC5.EXE	45
PID 2984 wrote to memory of 1304	2984	XP-0EE37CC5.EXE	46
PID 2984 wrote to memory of 1304	2984	XP-0EE37CC5.EXE	46
PID 2984 wrote to memory of 1304	2984	XP-0EE37CC5.EXE	46
PID 2984 wrote to memory of 1304	2984	XP-0EE37CC5.EXE	46
PID 1304 wrote to memory of 1744	1304	XP-0EE37CC5.EXE	48
PID 1304 wrote to memory of 1744	1304	XP-0EE37CC5.EXE	48
PID 1304 wrote to memory of 1744	1304	XP-0EE37CC5.EXE	48
PID 1304 wrote to memory of 1744	1304	XP-0EE37CC5.EXE	48
PID 1304 wrote to memory of 1992	1304	XP-0EE37CC5.EXE	50
PID 1304 wrote to memory of 1992	1304	XP-0EE37CC5.EXE	50
PID 1304 wrote to memory of 1992	1304	XP-0EE37CC5.EXE	50
PID 1304 wrote to memory of 1992	1304	XP-0EE37CC5.EXE	50
PID 1992 wrote to memory of 588	1992	XP-0EE37CC5.EXE	52
PID 1992 wrote to memory of 588	1992	XP-0EE37CC5.EXE	52
PID 1992 wrote to memory of 588	1992	XP-0EE37CC5.EXE	52
PID 1992 wrote to memory of 588	1992	XP-0EE37CC5.EXE	52
PID 1992 wrote to memory of 2000	1992	XP-0EE37CC5.EXE	53
PID 1992 wrote to memory of 2000	1992	XP-0EE37CC5.EXE	53
PID 1992 wrote to memory of 2000	1992	XP-0EE37CC5.EXE	53
PID 1992 wrote to memory of 2000	1992	XP-0EE37CC5.EXE	53

C:\Users\Admin\AppData\Local\Temp\2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\2530def488a99d27c611bc134e1e3934_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2360
- C:\Windows\SysWOW64\XP-0EE37CC5.EXE
  C:\Windows\system32\XP-0EE37CC5.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\XP-0EE37CC5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
    C:\Windows\system32\XP-0EE37CC5.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\XP-0EE37CC5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1680
  - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
      C:\Windows\system32\XP-0EE37CC5.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2492
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
    - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1484
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:940
      - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:588
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2368
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1916
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        20⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2980
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1964
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        26⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        28⤵
        Executes dropped EXE
        
        PID:2124
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        29⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        29⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        30⤵
        
        PID:3100
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        30⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        31⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        31⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        32⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        32⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        33⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        33⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        34⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        34⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        35⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        35⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        36⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        36⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        37⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        37⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        38⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        38⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        39⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        39⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        40⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        40⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        41⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        41⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        42⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        42⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        43⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        43⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        44⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        44⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        45⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        45⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        46⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        46⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        47⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        47⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        48⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        48⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        49⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        49⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        50⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        50⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        51⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        51⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        52⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        52⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        53⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        53⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        54⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        54⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        55⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        55⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        56⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        56⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        57⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        57⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        58⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        58⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        59⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        59⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        60⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        60⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        61⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        61⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        62⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        62⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        63⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        63⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        64⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        64⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        65⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        65⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        66⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        66⤵
        
        PID:5496
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        67⤵
        
        PID:5568
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        67⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        68⤵
        
        PID:5704
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        68⤵
        
        PID:5748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        69⤵
        
        PID:5844
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        69⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        70⤵
        
        PID:5968
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        70⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        71⤵
        
        PID:6100
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        71⤵
        
        PID:5124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2384

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1548

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2128

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1192

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2612

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2436

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:112

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3132

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3576

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3668

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3344

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2832

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4648

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5372

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5488

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
fcfe0b30217481810787745a756f75ae

SHA1
d9b7dd9a97451801e547b4d134812d81cc826947

SHA256
bb2681081f265befb35295a12c87ef5d6bebe61f0e84307dc5a707f534c200e9

SHA512
f9eb4e7c142b620a21a62dc09aba9b961c73ecddb281028dbf67ce85dd9a8244a51052f10f79d454a0ff457e8cbf1cab145529bc892b45cb144ef8657ac02e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
884d1480eb7c8eb0c10a9ef2c7ab2cf3

SHA1
15d7d4c23fcb2d05160a41334c08d6af52708cfc

SHA256
5b7ec7f0e92d60e87082ec934af2270e24286da9211f35dbb0ac32870c21a2dd

SHA512
bb87b3ab1920ef2cb03563ab077d16c0abc4cd2437018bab092cd21224da7d35cd8d5f1e1e7f41d3bc05e43c4517c02cbf41a49d5a4d9c0a91133e2f684df9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
c42abf56ffadaac8facd49deab5d7efd

SHA1
cf7f0a84b8cf5bd9a5435b9e43344cb39b2ee2e6

SHA256
36b1e6792d5e02ba1d00bf23147a1628d56d35ca8228089acb34f8b4bc90b6ab

SHA512
b153a5ee00c2767b4f7ce7e9ff080f6f5e89937d3ee1ab3749d3774b7efbf3c20ae737b3f7bb714a3b0a5b62a7215697aa75aad25d14155257ea1e349bd656e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
72KB

MD5
ece50769d756f9276afa9c33a20c0fbf

SHA1
bd5e1818c8653653fd356b045e588fe81b74154c

SHA256
44b0c257f367f163811503ce371973d664600ff05bbdae520af8c5969c06ea69

SHA512
511744aa248a83204579e494abe338e6c312c5b86a0081853dd6191af52f5f216985f928fd223e22399f119424857ec74d606ddd8c37e8ea78c2efc8abf9b553

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
264KB

MD5
1a01df75a83fcb696008fda1f2d57f2e

SHA1
9d8ab468c3cb825efba45c5d54ade0f8227f9aef

SHA256
df4cabce3ce6b1a3acaff18bdf2c1ab6f3eb796fafd16353198c30ffc8dca770

SHA512
38e4dffcd733578f9071b2c96859b24a6ce3f7d85c70e25307d1be61ce0024191ea3dbf68afc552545d1bb23ff75f9ada9a372d7ec8a37701ce3c137c58535c0

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6faaaf12915fcaed1b8afca34fb5d765

SHA1
4ac8ba09fb3dd57ec2341b9aaeeb68257b1b3399

SHA256
393a8a89d6fad74d5b3b76580492459b4120910450204a79fdd72086263510f7

SHA512
fb046c00709163ae29a1b942d88776b69c161fcbc350c1bf9e13b18548fc04cea6c202fefa18420c71ce9d935621531ce38f8f9e379f5c366e1c496ef79250e0

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
cd3f9189bb853a8b61aa298943ac3d33

SHA1
9f8e35261f671c7769be911aa5b8be0e058acc77

SHA256
d6b59046670765457e1ad777b03f63fd44f41f9fd13fb88ba9ac5a1226f0fdf1

SHA512
4536125baf9f8c7f3fe3e4288faffec9c76864c10f7f7792a92c3a3d10b02c3d8ca9439270d9443206fed46eed835d3666497768322524835af566731f1f1b1d

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
d0a0ee4778abc9ee1dc3ae99e92ad046

SHA1
434617f608018f52baf268715c411db88012ba5a

SHA256
3ed77b4f719b08b13145e8bef5fe0b87180c10f78a6f7d7d983e833b6263fca9

SHA512
3c5e243a68633303cb25b8a451c52ab37151a5111277d0b4a7d7904114fe479181c9681fe501a89b50c5046ae7ec6429dc91cb456e9fa8da2ba9a4a24e2a8771

Download Submit
\Windows\SysWOW64\XP-0EE37CC5.EXE

Filesize
1.5MB

MD5
2530def488a99d27c611bc134e1e3934

SHA1
edd162e96a572b46fbcf8ba22ee21fefcf5bbc13

SHA256
01a96940c20878157aa85abb198f7aa2c211d828bc15e32d5257298bb0635b4b

SHA512
75e67dfdc12e0019b684051ebfa9525135ca6fa9bce8d487ee62dcadb77d073b1da44e09dae301b40a1f839955b75f0ceb016d9e3f8629bb62e91e868c18d0cf

Download Submit
memory/832-244-0x0000000001D60000-0x0000000001D7E000-memory.dmp

Filesize
120KB

Download
memory/832-241-0x0000000001D10000-0x0000000001D5B000-memory.dmp

Filesize
300KB

Download
memory/832-240-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1304-194-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1304-162-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/1304-156-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1304-163-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/1304-193-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1304-157-0x00000000003A0000-0x00000000003EB000-memory.dmp

Filesize
300KB

Download
memory/1304-158-0x0000000000490000-0x00000000004A1000-memory.dmp

Filesize
68KB

Download
memory/1304-159-0x0000000000450000-0x000000000046E000-memory.dmp

Filesize
120KB

Download
memory/1304-155-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1484-126-0x0000000000490000-0x00000000004BD000-memory.dmp

Filesize
180KB

Download
memory/1484-116-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1484-173-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1484-172-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1484-125-0x0000000000490000-0x00000000004BD000-memory.dmp

Filesize
180KB

Download
memory/1484-121-0x0000000000450000-0x000000000046E000-memory.dmp

Filesize
120KB

Download
memory/1484-122-0x0000000000470000-0x0000000000481000-memory.dmp

Filesize
68KB

Download
memory/1484-118-0x00000000003A0000-0x00000000003EB000-memory.dmp

Filesize
300KB

Download
memory/1940-231-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/1940-232-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/1992-170-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/1992-169-0x00000000002E0000-0x00000000002FE000-memory.dmp

Filesize
120KB

Download
memory/1992-174-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/1992-201-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1992-168-0x00000000003A0000-0x00000000003EB000-memory.dmp

Filesize
300KB

Download
memory/1992-202-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2000-204-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2000-179-0x0000000000220000-0x000000000026B000-memory.dmp

Filesize
300KB

Download
memory/2000-181-0x00000000005E0000-0x00000000005F1000-memory.dmp

Filesize
68KB

Download
memory/2000-180-0x00000000005C0000-0x00000000005DE000-memory.dmp

Filesize
120KB

Download
memory/2000-203-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2368-233-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2368-206-0x0000000000700000-0x0000000000711000-memory.dmp

Filesize
68KB

Download
memory/2368-234-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2368-205-0x00000000004E0000-0x00000000004FE000-memory.dmp

Filesize
120KB

Download
memory/2384-69-0x0000000003790000-0x00000000037A0000-memory.dmp

Filesize
64KB

Download
memory/2396-212-0x0000000001DC0000-0x0000000001DDE000-memory.dmp

Filesize
120KB

Download
memory/2396-31-0x0000000001FC0000-0x0000000001FED000-memory.dmp

Filesize
180KB

Download
memory/2396-76-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2396-216-0x0000000001E00000-0x0000000001E2D000-memory.dmp

Filesize
180KB

Download
memory/2396-77-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2396-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2396-213-0x0000000001DE0000-0x0000000001DF1000-memory.dmp

Filesize
68KB

Download
memory/2396-29-0x0000000001FC0000-0x0000000001FED000-memory.dmp

Filesize
180KB

Download
memory/2396-207-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2396-17-0x0000000000710000-0x000000000072E000-memory.dmp

Filesize
120KB

Download
memory/2396-20-0x0000000000750000-0x0000000000761000-memory.dmp

Filesize
68KB

Download
memory/2396-14-0x0000000000220000-0x000000000026B000-memory.dmp

Filesize
300KB

Download
memory/2396-243-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2396-242-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2396-11-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2492-99-0x0000000001E00000-0x0000000001E11000-memory.dmp

Filesize
68KB

Download
memory/2492-104-0x0000000001E20000-0x0000000001E4D000-memory.dmp

Filesize
180KB

Download
memory/2492-83-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2492-98-0x00000000004A0000-0x00000000004BE000-memory.dmp

Filesize
120KB

Download
memory/2492-161-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2492-95-0x0000000000430000-0x000000000047B000-memory.dmp

Filesize
300KB

Download
memory/2492-160-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2492-94-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2664-190-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2664-191-0x00000000005A0000-0x00000000005BE000-memory.dmp

Filesize
120KB

Download
memory/2664-215-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2664-196-0x0000000001DF0000-0x0000000001E1D000-memory.dmp

Filesize
180KB

Download
memory/2664-195-0x0000000001DF0000-0x0000000001E1D000-memory.dmp

Filesize
180KB

Download
memory/2664-214-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2664-192-0x0000000001DD0000-0x0000000001DE1000-memory.dmp

Filesize
68KB

Download
memory/2772-225-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/2772-51-0x0000000001D70000-0x0000000001D8E000-memory.dmp

Filesize
120KB

Download
memory/2772-101-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2772-56-0x0000000001DB0000-0x0000000001DDD000-memory.dmp

Filesize
180KB

Download
memory/2772-102-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2772-57-0x0000000001DB0000-0x0000000001DDD000-memory.dmp

Filesize
180KB

Download
memory/2772-43-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2772-222-0x0000000000370000-0x000000000038E000-memory.dmp

Filesize
120KB

Download
memory/2772-223-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2772-46-0x00000000005C0000-0x000000000060B000-memory.dmp

Filesize
300KB

Download
memory/2772-52-0x0000000001D90000-0x0000000001DA1000-memory.dmp

Filesize
68KB

Download
memory/2856-127-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2856-68-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2856-75-0x00000000008A0000-0x00000000008BE000-memory.dmp

Filesize
120KB

Download
memory/2856-128-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2856-73-0x0000000000320000-0x000000000036B000-memory.dmp

Filesize
300KB

Download
memory/2856-82-0x0000000001EE0000-0x0000000001F0D000-memory.dmp

Filesize
180KB

Download
memory/2856-81-0x0000000001EE0000-0x0000000001F0D000-memory.dmp

Filesize
180KB

Download
memory/2856-74-0x0000000001DA0000-0x0000000001DB1000-memory.dmp

Filesize
68KB

Download
memory/2856-58-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2984-182-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2984-130-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2984-183-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2984-145-0x0000000000530000-0x000000000054E000-memory.dmp

Filesize
120KB

Download
memory/2984-153-0x0000000001FE0000-0x000000000200D000-memory.dmp

Filesize
180KB

Download
memory/2984-146-0x0000000000550000-0x0000000000561000-memory.dmp

Filesize
68KB

Download
memory/2984-142-0x0000000000220000-0x000000000026B000-memory.dmp

Filesize
300KB

Download
memory/2984-154-0x0000000001FE0000-0x000000000200D000-memory.dmp

Filesize
180KB

Download
memory/2984-140-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads