01a96940c20878157aa85abb198f7aa2c211d828bc15e32d5257298bb0635b4b

Analysis

max time kernel
7s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
Size

1.5MB
MD5

2530def488a99d27c611bc134e1e3934
SHA1

edd162e96a572b46fbcf8ba22ee21fefcf5bbc13
SHA256

01a96940c20878157aa85abb198f7aa2c211d828bc15e32d5257298bb0635b4b
SHA512

75e67dfdc12e0019b684051ebfa9525135ca6fa9bce8d487ee62dcadb77d073b1da44e09dae301b40a1f839955b75f0ceb016d9e3f8629bb62e91e868c18d0cf
SSDEEP

24576:nhTjcRKZWKxN31yueVCfDdij38ZW2bE95hR4KHGe7cFnohytzMkJcD+PDe:nBcRMvFaPsZW+E9PHH7kohyzJtre

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
872	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
1180	XP-0EE37CC5.EXE
4548	XP-0EE37CC5.EXE
4972	XP-0EE37CC5.EXE

Loads dropped DLL 64 IoCs

pid	Process
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
1180	XP-0EE37CC5.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 12 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE
File opened for modification	\??\PhysicalDrive0	XP-0EE37CC5.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XP-0EE37CC5.EXE	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XP-0EE37CC5.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe

Suspicious behavior: AddClipboardFormatListener 7 IoCs

pid	Process
1884	explorer.exe
4252	explorer.exe
4036	explorer.exe
400	explorer.exe
4568	explorer.exe
2624	explorer.exe
2960	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
872	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
424	XP-0EE37CC5.EXE
4252	explorer.exe
4252	explorer.exe
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
2792	XP-0EE37CC5.EXE
1884	explorer.exe
1884	explorer.exe
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
2360	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4912	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
400	explorer.exe
400	explorer.exe
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4888	XP-0EE37CC5.EXE
4036	explorer.exe
4036	explorer.exe
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
3776	XP-0EE37CC5.EXE
4568	explorer.exe
4568	explorer.exe
3776	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE
3356	XP-0EE37CC5.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 216	116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	86
PID 116 wrote to memory of 216	116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	86
PID 116 wrote to memory of 216	116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	86
PID 116 wrote to memory of 872	116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	88
PID 116 wrote to memory of 872	116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	88
PID 116 wrote to memory of 872	116	2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe	88
PID 872 wrote to memory of 3424	872	XP-0EE37CC5.EXE	89
PID 872 wrote to memory of 3424	872	XP-0EE37CC5.EXE	89
PID 872 wrote to memory of 3424	872	XP-0EE37CC5.EXE	89
PID 872 wrote to memory of 424	872	XP-0EE37CC5.EXE	90
PID 872 wrote to memory of 424	872	XP-0EE37CC5.EXE	90
PID 872 wrote to memory of 424	872	XP-0EE37CC5.EXE	90
PID 424 wrote to memory of 4936	424	XP-0EE37CC5.EXE	92
PID 424 wrote to memory of 4936	424	XP-0EE37CC5.EXE	92
PID 424 wrote to memory of 4936	424	XP-0EE37CC5.EXE	92
PID 424 wrote to memory of 2792	424	XP-0EE37CC5.EXE	204
PID 424 wrote to memory of 2792	424	XP-0EE37CC5.EXE	204
PID 424 wrote to memory of 2792	424	XP-0EE37CC5.EXE	204
PID 2792 wrote to memory of 4308	2792	XP-0EE37CC5.EXE	95
PID 2792 wrote to memory of 4308	2792	XP-0EE37CC5.EXE	95
PID 2792 wrote to memory of 4308	2792	XP-0EE37CC5.EXE	95
PID 2792 wrote to memory of 2360	2792	XP-0EE37CC5.EXE	130
PID 2792 wrote to memory of 2360	2792	XP-0EE37CC5.EXE	130
PID 2792 wrote to memory of 2360	2792	XP-0EE37CC5.EXE	130
PID 2360 wrote to memory of 4004	2360	XP-0EE37CC5.EXE	98
PID 2360 wrote to memory of 4004	2360	XP-0EE37CC5.EXE	98
PID 2360 wrote to memory of 4004	2360	XP-0EE37CC5.EXE	98
PID 2360 wrote to memory of 4912	2360	XP-0EE37CC5.EXE	100
PID 2360 wrote to memory of 4912	2360	XP-0EE37CC5.EXE	100
PID 2360 wrote to memory of 4912	2360	XP-0EE37CC5.EXE	100
PID 4912 wrote to memory of 1240	4912	XP-0EE37CC5.EXE	101
PID 4912 wrote to memory of 1240	4912	XP-0EE37CC5.EXE	101
PID 4912 wrote to memory of 1240	4912	XP-0EE37CC5.EXE	101
PID 4912 wrote to memory of 4888	4912	XP-0EE37CC5.EXE	133
PID 4912 wrote to memory of 4888	4912	XP-0EE37CC5.EXE	133
PID 4912 wrote to memory of 4888	4912	XP-0EE37CC5.EXE	133
PID 4888 wrote to memory of 4844	4888	XP-0EE37CC5.EXE	104
PID 4888 wrote to memory of 4844	4888	XP-0EE37CC5.EXE	104
PID 4888 wrote to memory of 4844	4888	XP-0EE37CC5.EXE	104
PID 4888 wrote to memory of 3776	4888	XP-0EE37CC5.EXE	105
PID 4888 wrote to memory of 3776	4888	XP-0EE37CC5.EXE	105
PID 4888 wrote to memory of 3776	4888	XP-0EE37CC5.EXE	105
PID 3776 wrote to memory of 4344	3776	XP-0EE37CC5.EXE	148
PID 3776 wrote to memory of 4344	3776	XP-0EE37CC5.EXE	148
PID 3776 wrote to memory of 4344	3776	XP-0EE37CC5.EXE	148
PID 3776 wrote to memory of 3356	3776	XP-0EE37CC5.EXE	419
PID 3776 wrote to memory of 3356	3776	XP-0EE37CC5.EXE	419
PID 3776 wrote to memory of 3356	3776	XP-0EE37CC5.EXE	419
PID 3356 wrote to memory of 4388	3356	XP-0EE37CC5.EXE	110
PID 3356 wrote to memory of 4388	3356	XP-0EE37CC5.EXE	110
PID 3356 wrote to memory of 4388	3356	XP-0EE37CC5.EXE	110
PID 3356 wrote to memory of 1180	3356	XP-0EE37CC5.EXE	111
PID 3356 wrote to memory of 1180	3356	XP-0EE37CC5.EXE	111
PID 3356 wrote to memory of 1180	3356	XP-0EE37CC5.EXE	111
PID 1180 wrote to memory of 2908	1180	XP-0EE37CC5.EXE	113
PID 1180 wrote to memory of 2908	1180	XP-0EE37CC5.EXE	113
PID 1180 wrote to memory of 2908	1180	XP-0EE37CC5.EXE	113
PID 1180 wrote to memory of 4548	1180	XP-0EE37CC5.EXE	114
PID 1180 wrote to memory of 4548	1180	XP-0EE37CC5.EXE	114
PID 1180 wrote to memory of 4548	1180	XP-0EE37CC5.EXE	114
PID 4548 wrote to memory of 4164	4548	XP-0EE37CC5.EXE	116
PID 4548 wrote to memory of 4164	4548	XP-0EE37CC5.EXE	116
PID 4548 wrote to memory of 4164	4548	XP-0EE37CC5.EXE	116
PID 4548 wrote to memory of 4972	4548	XP-0EE37CC5.EXE	117

C:\Users\Admin\AppData\Local\Temp\2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2530def488a99d27c611bc134e1e3934_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\2530def488a99d27c611bc134e1e3934_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  PID:216
- C:\Windows\SysWOW64\XP-0EE37CC5.EXE
  C:\Windows\system32\XP-0EE37CC5.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\XP-0EE37CC5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3424
- - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
    C:\Windows\system32\XP-0EE37CC5.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:424
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\XP-0EE37CC5
      4⤵
      System Location Discovery: System Language Discovery
      PID:4936
  - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
      C:\Windows\system32\XP-0EE37CC5.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4308
    - - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
      - C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1240
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4844
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1008
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        13⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        14⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        14⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        15⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        15⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        16⤵
        
        PID:60
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        16⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        17⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        17⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        18⤵
        
        PID:3900
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        18⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        19⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        19⤵
        
        PID:116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        20⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        20⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        21⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        21⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        22⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        22⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        23⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        23⤵
        
        PID:996
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        24⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        24⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        25⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        25⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        26⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        26⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        27⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        27⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        28⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        28⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        29⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        29⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        30⤵
        
        PID:5384
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        30⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        31⤵
        
        PID:5552
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        31⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        32⤵
        
        PID:5764
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        32⤵
        
        PID:5840
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        33⤵
        
        PID:5948
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        33⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        34⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        34⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        35⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        35⤵
        
        PID:5476
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        36⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        36⤵
        
        PID:5160
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        37⤵
        
        PID:5896
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        37⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        38⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        38⤵
        
        PID:5380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        39⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        39⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        40⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        40⤵
        
        PID:5544
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        41⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        41⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        42⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        42⤵
        
        PID:6156
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        43⤵
        
        PID:6276
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        43⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        44⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        44⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        45⤵
        
        PID:6648
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        45⤵
        
        PID:6700
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        46⤵
        
        PID:6812
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        46⤵
        
        PID:6900
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        47⤵
        
        PID:7020
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        47⤵
        
        PID:7072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        48⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        48⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        49⤵
        
        PID:6344
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        49⤵
        
        PID:6560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        50⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        50⤵
        
        PID:6192
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        51⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        51⤵
        
        PID:7028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        52⤵
        
        PID:5832
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        52⤵
        
        PID:6792
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        53⤵
        
        PID:5960
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        53⤵
        
        PID:6692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        54⤵
        
        PID:6480
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        54⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        55⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        55⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        56⤵
        
        PID:6532
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        56⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        57⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        57⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        58⤵
        
        PID:6940
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        58⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        59⤵
        
        PID:6500
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        59⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        60⤵
        
        PID:7308
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        60⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        61⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        61⤵
        
        PID:7520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        62⤵
        
        PID:7632
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        62⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        63⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        63⤵
        
        PID:7808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        64⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        64⤵
        
        PID:7960
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        65⤵
        
        PID:8052
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        65⤵
        
        PID:8092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        66⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        66⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        67⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        67⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        68⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        68⤵
        
        PID:7516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        69⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        69⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        70⤵
        
        PID:7732
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        70⤵
        
        PID:7948
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        71⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        71⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        72⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        72⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        73⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        73⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        74⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        74⤵
        
        PID:6288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        75⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        75⤵
        
        PID:7904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        76⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        76⤵
        
        PID:7628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        77⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        77⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        78⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        78⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        79⤵
        
        PID:6436
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        79⤵
        
        PID:6388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        80⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        80⤵
        
        PID:8248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        81⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        81⤵
        
        PID:8400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        82⤵
        
        PID:8528
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        82⤵
        
        PID:8564
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        83⤵
        
        PID:8680
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        83⤵
        
        PID:8724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        84⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        84⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        85⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        85⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        86⤵
        
        PID:9128
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        86⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        87⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        87⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        88⤵
        
        PID:7708
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        88⤵
        
        PID:8388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        89⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        89⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        90⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        90⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        91⤵
        
        PID:8728
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        91⤵
        
        PID:8276
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        92⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        92⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        93⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        93⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        94⤵
        
        PID:8964
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        94⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        95⤵
        
        PID:9004
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        95⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        96⤵
        
        PID:964
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        96⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        97⤵
        
        PID:9136
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        97⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        98⤵
        
        PID:9116
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        98⤵
        
        PID:8704
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        99⤵
        
        PID:8268
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        99⤵
        
        PID:7664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        100⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        100⤵
        
        PID:7788
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        101⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        101⤵
        
        PID:6720
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        102⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        102⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        103⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        103⤵
        
        PID:9288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        104⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        104⤵
        
        PID:9440
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        105⤵
        
        PID:9564
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        105⤵
        
        PID:9604
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        106⤵
        
        PID:9716
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        106⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        107⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        107⤵
        
        PID:9912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        108⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        108⤵
        
        PID:10172
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        109⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        109⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        110⤵
        
        PID:9468
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        110⤵
        
        PID:9484
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        111⤵
        
        PID:9592
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        111⤵
        
        PID:5776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        112⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        112⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        113⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        113⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        114⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        114⤵
        
        PID:6876
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        115⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        115⤵
        
        PID:7292
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        116⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        116⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        117⤵
        
        PID:9880
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        117⤵
        
        PID:4152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        118⤵
        
        PID:7836
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        118⤵
        
        PID:9704
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        119⤵
        
        PID:5700
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        119⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        120⤵
        
        PID:10496
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        120⤵
        
        PID:10664
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        121⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        121⤵
        
        PID:10892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        122⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        122⤵
        
        PID:11088
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        123⤵
        
        PID:11204
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        123⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        124⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        124⤵
        
        PID:5516
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        125⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        125⤵
        
        PID:10624
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        126⤵
        
        PID:10292
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        126⤵
        
        PID:10852
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        127⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        127⤵
        
        PID:11044
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        128⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        128⤵
        
        PID:10596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        129⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        129⤵
        
        PID:11236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        130⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        130⤵
        
        PID:8748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        131⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        131⤵
        
        PID:9472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        132⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        132⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        133⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        133⤵
        
        PID:808
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        134⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        134⤵
        
        PID:11092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        135⤵
        
        PID:6232
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        135⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        136⤵
        
        PID:10692
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        136⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\XP-0EE37CC5
        137⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\XP-0EE37CC5.EXE
        
        C:\Windows\system32\XP-0EE37CC5.EXE
        137⤵
        
        PID:6928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2960

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2240

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4344

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:528

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5284

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5436

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv j0Wqv0AkoUmN9+nMsbRgDQ.0.1
1⤵
PID:2792

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4328

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6708

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6260

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2380

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7364

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7528

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7680

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7252

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7316

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6140

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8140

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5956

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7300

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7928

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8256

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8872

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4308

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6872

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8552

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9060

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7276

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5092

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2488

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9328

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6612

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10096

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9640

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10672

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11096

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10524

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10880

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2320

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7672

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10520

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6380

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6120

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
fcfe0b30217481810787745a756f75ae

SHA1
d9b7dd9a97451801e547b4d134812d81cc826947

SHA256
bb2681081f265befb35295a12c87ef5d6bebe61f0e84307dc5a707f534c200e9

SHA512
f9eb4e7c142b620a21a62dc09aba9b961c73ecddb281028dbf67ce85dd9a8244a51052f10f79d454a0ff457e8cbf1cab145529bc892b45cb144ef8657ac02e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
264KB

MD5
1a01df75a83fcb696008fda1f2d57f2e

SHA1
9d8ab468c3cb825efba45c5d54ade0f8227f9aef

SHA256
df4cabce3ce6b1a3acaff18bdf2c1ab6f3eb796fafd16353198c30ffc8dca770

SHA512
38e4dffcd733578f9071b2c96859b24a6ce3f7d85c70e25307d1be61ce0024191ea3dbf68afc552545d1bb23ff75f9ada9a372d7ec8a37701ce3c137c58535c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6faaaf12915fcaed1b8afca34fb5d765

SHA1
4ac8ba09fb3dd57ec2341b9aaeeb68257b1b3399

SHA256
393a8a89d6fad74d5b3b76580492459b4120910450204a79fdd72086263510f7

SHA512
fb046c00709163ae29a1b942d88776b69c161fcbc350c1bf9e13b18548fc04cea6c202fefa18420c71ce9d935621531ce38f8f9e379f5c366e1c496ef79250e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
884d1480eb7c8eb0c10a9ef2c7ab2cf3

SHA1
15d7d4c23fcb2d05160a41334c08d6af52708cfc

SHA256
5b7ec7f0e92d60e87082ec934af2270e24286da9211f35dbb0ac32870c21a2dd

SHA512
bb87b3ab1920ef2cb03563ab077d16c0abc4cd2437018bab092cd21224da7d35cd8d5f1e1e7f41d3bc05e43c4517c02cbf41a49d5a4d9c0a91133e2f684df9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
c42abf56ffadaac8facd49deab5d7efd

SHA1
cf7f0a84b8cf5bd9a5435b9e43344cb39b2ee2e6

SHA256
36b1e6792d5e02ba1d00bf23147a1628d56d35ca8228089acb34f8b4bc90b6ab

SHA512
b153a5ee00c2767b4f7ce7e9ff080f6f5e89937d3ee1ab3749d3774b7efbf3c20ae737b3f7bb714a3b0a5b62a7215697aa75aad25d14155257ea1e349bd656e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
cd3f9189bb853a8b61aa298943ac3d33

SHA1
9f8e35261f671c7769be911aa5b8be0e058acc77

SHA256
d6b59046670765457e1ad777b03f63fd44f41f9fd13fb88ba9ac5a1226f0fdf1

SHA512
4536125baf9f8c7f3fe3e4288faffec9c76864c10f7f7792a92c3a3d10b02c3d8ca9439270d9443206fed46eed835d3666497768322524835af566731f1f1b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
d0a0ee4778abc9ee1dc3ae99e92ad046

SHA1
434617f608018f52baf268715c411db88012ba5a

SHA256
3ed77b4f719b08b13145e8bef5fe0b87180c10f78a6f7d7d983e833b6263fca9

SHA512
3c5e243a68633303cb25b8a451c52ab37151a5111277d0b4a7d7904114fe479181c9681fe501a89b50c5046ae7ec6429dc91cb456e9fa8da2ba9a4a24e2a8771

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
72KB

MD5
ece50769d756f9276afa9c33a20c0fbf

SHA1
bd5e1818c8653653fd356b045e588fe81b74154c

SHA256
44b0c257f367f163811503ce371973d664600ff05bbdae520af8c5969c06ea69

SHA512
511744aa248a83204579e494abe338e6c312c5b86a0081853dd6191af52f5f216985f928fd223e22399f119424857ec74d606ddd8c37e8ea78c2efc8abf9b553

Download Submit
C:\Windows\SysWOW64\XP-0EE37CC5.EXE

Filesize
1.5MB

MD5
2530def488a99d27c611bc134e1e3934

SHA1
edd162e96a572b46fbcf8ba22ee21fefcf5bbc13

SHA256
01a96940c20878157aa85abb198f7aa2c211d828bc15e32d5257298bb0635b4b

SHA512
75e67dfdc12e0019b684051ebfa9525135ca6fa9bce8d487ee62dcadb77d073b1da44e09dae301b40a1f839955b75f0ceb016d9e3f8629bb62e91e868c18d0cf

Download Submit
memory/116-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/116-115-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/116-11-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/116-17-0x0000000002170000-0x00000000021BB000-memory.dmp

Filesize
300KB

Download
memory/116-27-0x0000000002820000-0x000000000283E000-memory.dmp

Filesize
120KB

Download
memory/116-30-0x0000000002840000-0x0000000002851000-memory.dmp

Filesize
68KB

Download
memory/116-114-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/424-78-0x0000000002380000-0x00000000023CB000-memory.dmp

Filesize
300KB

Download
memory/424-140-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/424-141-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/424-70-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/424-77-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/424-79-0x0000000002F40000-0x0000000002F5E000-memory.dmp

Filesize
120KB

Download
memory/424-80-0x0000000002F60000-0x0000000002F71000-memory.dmp

Filesize
68KB

Download
memory/872-69-0x0000000002610000-0x0000000002621000-memory.dmp

Filesize
68KB

Download
memory/872-126-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/872-46-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/872-68-0x00000000025F0000-0x000000000260E000-memory.dmp

Filesize
120KB

Download
memory/872-127-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/872-67-0x0000000002160000-0x00000000021AB000-memory.dmp

Filesize
300KB

Download
memory/872-66-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-209-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-208-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1180-183-0x00000000026F0000-0x000000000270E000-memory.dmp

Filesize
120KB

Download
memory/1180-180-0x0000000002230000-0x000000000227B000-memory.dmp

Filesize
300KB

Download
memory/1180-179-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1180-178-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1180-184-0x0000000002710000-0x0000000002721000-memory.dmp

Filesize
68KB

Download
memory/1900-235-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1900-234-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2360-124-0x00000000028F0000-0x000000000290E000-memory.dmp

Filesize
120KB

Download
memory/2360-118-0x00000000021C0000-0x000000000220B000-memory.dmp

Filesize
300KB

Download
memory/2360-113-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2360-167-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2360-125-0x0000000003060000-0x0000000003071000-memory.dmp

Filesize
68KB

Download
memory/2360-103-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2360-119-0x00000000021C0000-0x000000000220B000-memory.dmp

Filesize
300KB

Download
memory/2360-168-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2792-101-0x0000000003060000-0x0000000003071000-memory.dmp

Filesize
68KB

Download
memory/2792-100-0x0000000002F40000-0x0000000002F5E000-memory.dmp

Filesize
120KB

Download
memory/2792-91-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2792-152-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2792-151-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2792-92-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2792-95-0x0000000002310000-0x000000000235B000-memory.dmp

Filesize
300KB

Download
memory/3000-228-0x00000000026F0000-0x000000000270E000-memory.dmp

Filesize
120KB

Download
memory/3000-225-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3000-226-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3000-227-0x0000000002450000-0x000000000249B000-memory.dmp

Filesize
300KB

Download
memory/3000-229-0x0000000002710000-0x0000000002721000-memory.dmp

Filesize
68KB

Download
memory/3356-203-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3356-162-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3356-166-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3356-204-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3356-169-0x0000000002230000-0x000000000227B000-memory.dmp

Filesize
300KB

Download
memory/3356-170-0x00000000025F0000-0x000000000260E000-memory.dmp

Filesize
120KB

Download
memory/3356-171-0x0000000002610000-0x0000000002621000-memory.dmp

Filesize
68KB

Download
memory/3776-153-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3776-160-0x0000000002470000-0x0000000002481000-memory.dmp

Filesize
68KB

Download
memory/3776-159-0x0000000002450000-0x000000000246E000-memory.dmp

Filesize
120KB

Download
memory/3776-192-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3776-191-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3776-158-0x0000000002080000-0x00000000020CB000-memory.dmp

Filesize
300KB

Download
memory/3904-217-0x0000000002490000-0x00000000024AE000-memory.dmp

Filesize
120KB

Download
memory/3904-218-0x0000000002700000-0x0000000002711000-memory.dmp

Filesize
68KB

Download
memory/3904-216-0x0000000002130000-0x000000000217B000-memory.dmp

Filesize
300KB

Download
memory/3904-214-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3904-215-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4548-219-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4548-190-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4548-196-0x0000000002F90000-0x0000000002FA1000-memory.dmp

Filesize
68KB

Download
memory/4548-195-0x0000000002F70000-0x0000000002F8E000-memory.dmp

Filesize
120KB

Download
memory/4548-220-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4548-194-0x00000000023D0000-0x000000000241B000-memory.dmp

Filesize
300KB

Download
memory/4548-193-0x00000000023D0000-0x000000000241B000-memory.dmp

Filesize
300KB

Download
memory/4548-185-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4888-148-0x00000000020D0000-0x000000000211B000-memory.dmp

Filesize
300KB

Download
memory/4888-181-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4888-149-0x0000000002700000-0x000000000271E000-memory.dmp

Filesize
120KB

Download
memory/4888-150-0x0000000002720000-0x0000000002731000-memory.dmp

Filesize
68KB

Download
memory/4888-147-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4888-146-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4888-182-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4912-173-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4912-172-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4912-138-0x00000000025E0000-0x00000000025FE000-memory.dmp

Filesize
120KB

Download
memory/4912-139-0x0000000002600000-0x0000000002611000-memory.dmp

Filesize
68KB

Download
memory/4912-137-0x00000000021A0000-0x00000000021EB000-memory.dmp

Filesize
300KB

Download
memory/4912-136-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4972-207-0x0000000002730000-0x0000000002741000-memory.dmp

Filesize
68KB

Download
memory/4972-202-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4972-197-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4972-205-0x0000000002150000-0x000000000219B000-memory.dmp

Filesize
300KB

Download
memory/4972-206-0x0000000002710000-0x000000000272E000-memory.dmp

Filesize
120KB

Download
memory/4972-236-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4972-237-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads