93ff0ea4842fd80abfb9059cbd2c148a062286f3da29d416cf153b49756757f8

Analysis

max time kernel
43s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
Size

1.4MB
MD5

b0bdf36903b4df97ff16a2e9392cd65f
SHA1

0a318924eb7a7f0263353e19e095cb302332614e
SHA256

93ff0ea4842fd80abfb9059cbd2c148a062286f3da29d416cf153b49756757f8
SHA512

7e24d06ae851f398c884be408db35024f89b0596b414bab4a6536f5516d7f01ac1c26d8517cdfab1fc228be99a013545bdddabdb6e3050f5b7c8f00c9790b4ad
SSDEEP

24576:2EQWl8ewe67CF4ED/dBDC7ftYZedd5eoqCss/lZE1NRELt:2SlkDe4ELmYZeVyC7ZE1rEx

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 59 IoCs

Processes:

E37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXE

pid	Process
2264	E37CC5.EXE
2644	E37CC5.EXE
2508	E37CC5.EXE
2964	E37CC5.EXE
2456	E37CC5.EXE
1076	E37CC5.EXE
1708	E37CC5.EXE
1124	E37CC5.EXE
2564	E37CC5.EXE
1340	E37CC5.EXE
2660	E37CC5.EXE
2004	E37CC5.EXE
1508	E37CC5.EXE
2888	E37CC5.EXE
2216	E37CC5.EXE
1052	E37CC5.EXE
2904	E37CC5.EXE
1076	E37CC5.EXE
1748	E37CC5.EXE
2324	E37CC5.EXE
2208	E37CC5.EXE
1804	E37CC5.EXE
2780	E37CC5.EXE
2760	E37CC5.EXE
1748	E37CC5.EXE
2600	E37CC5.EXE
1692	E37CC5.EXE
2768	E37CC5.EXE
3208	E37CC5.EXE
3360	E37CC5.EXE
3492	E37CC5.EXE
3628	E37CC5.EXE
3776	E37CC5.EXE
3888	E37CC5.EXE
4008	E37CC5.EXE
3144	E37CC5.EXE
1692	E37CC5.EXE
3608	E37CC5.EXE
3716	E37CC5.EXE
3952	E37CC5.EXE
3384	E37CC5.EXE
3844	E37CC5.EXE
3248	E37CC5.EXE
3936	E37CC5.EXE
3084	E37CC5.EXE
3844	E37CC5.EXE
4208	E37CC5.EXE
4344	E37CC5.EXE
4460	E37CC5.EXE
4596	E37CC5.EXE
4704	E37CC5.EXE
4816	E37CC5.EXE
4932	E37CC5.EXE
5052	E37CC5.EXE
3512	E37CC5.EXE
4360	E37CC5.EXE
3324	E37CC5.EXE
4684	E37CC5.EXE
4904	E37CC5.EXE

Loads dropped DLL 64 IoCs

Processes:

b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exeE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXE

pid	Process
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2264	E37CC5.EXE
2264	E37CC5.EXE
2264	E37CC5.EXE
2264	E37CC5.EXE
2264	E37CC5.EXE
2264	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
1340	E37CC5.EXE
1340	E37CC5.EXE
1340	E37CC5.EXE
1340	E37CC5.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 59 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

E37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEb0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exeE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXE

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE

Drops file in System32 directory 5 IoCs

Processes:

b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ADE119	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\C021A2	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ADE119\E37CC5.EXE	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ADE119\E37CC5.EXE	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe

Drops file in Windows directory 12 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeE37CC5.EXEE37CC5.EXEE37CC5.EXEexplorer.exeexplorer.exeexplorer.exeexplorer.exeb0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exeexplorer.exeexplorer.exeE37CC5.EXEE37CC5.EXEexplorer.exeE37CC5.EXEE37CC5.EXEE37CC5.EXEexplorer.exeE37CC5.EXEE37CC5.EXEexplorer.exeE37CC5.EXEexplorer.exeexplorer.exeexplorer.exeE37CC5.EXEexplorer.exeexplorer.exeexplorer.exeE37CC5.EXEexplorer.exeE37CC5.EXEexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeE37CC5.EXEE37CC5.EXEE37CC5.EXEexplorer.exeE37CC5.EXEexplorer.exeE37CC5.EXEE37CC5.EXEE37CC5.EXEexplorer.exeE37CC5.EXEexplorer.exeexplorer.exeexplorer.exeexplorer.exeE37CC5.EXEexplorer.exeexplorer.exeE37CC5.EXEE37CC5.EXEE37CC5.EXEexplorer.exeE37CC5.EXEE37CC5.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

Processes:

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exeE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXE

pid	Process
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2264	E37CC5.EXE
2264	E37CC5.EXE
2264	E37CC5.EXE
2264	E37CC5.EXE
2264	E37CC5.EXE
2264	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2644	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2508	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2964	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
2456	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1076	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1708	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
1124	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
2564	E37CC5.EXE
1340	E37CC5.EXE
1340	E37CC5.EXE
1340	E37CC5.EXE
1340	E37CC5.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exeE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXEE37CC5.EXE

description	pid	Process	procid_target
PID 2788 wrote to memory of 2864	2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2864	2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2864	2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2864	2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2264	2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	32
PID 2788 wrote to memory of 2264	2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	32
PID 2788 wrote to memory of 2264	2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	32
PID 2788 wrote to memory of 2264	2788	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	32
PID 2264 wrote to memory of 2680	2264	E37CC5.EXE	33
PID 2264 wrote to memory of 2680	2264	E37CC5.EXE	33
PID 2264 wrote to memory of 2680	2264	E37CC5.EXE	33
PID 2264 wrote to memory of 2680	2264	E37CC5.EXE	33
PID 2264 wrote to memory of 2644	2264	E37CC5.EXE	34
PID 2264 wrote to memory of 2644	2264	E37CC5.EXE	34
PID 2264 wrote to memory of 2644	2264	E37CC5.EXE	34
PID 2264 wrote to memory of 2644	2264	E37CC5.EXE	34
PID 2644 wrote to memory of 2888	2644	E37CC5.EXE	71
PID 2644 wrote to memory of 2888	2644	E37CC5.EXE	71
PID 2644 wrote to memory of 2888	2644	E37CC5.EXE	71
PID 2644 wrote to memory of 2888	2644	E37CC5.EXE	71
PID 2644 wrote to memory of 2508	2644	E37CC5.EXE	37
PID 2644 wrote to memory of 2508	2644	E37CC5.EXE	37
PID 2644 wrote to memory of 2508	2644	E37CC5.EXE	37
PID 2644 wrote to memory of 2508	2644	E37CC5.EXE	37
PID 2508 wrote to memory of 2368	2508	E37CC5.EXE	38
PID 2508 wrote to memory of 2368	2508	E37CC5.EXE	38
PID 2508 wrote to memory of 2368	2508	E37CC5.EXE	38
PID 2508 wrote to memory of 2368	2508	E37CC5.EXE	38
PID 2508 wrote to memory of 2964	2508	E37CC5.EXE	40
PID 2508 wrote to memory of 2964	2508	E37CC5.EXE	40
PID 2508 wrote to memory of 2964	2508	E37CC5.EXE	40
PID 2508 wrote to memory of 2964	2508	E37CC5.EXE	40
PID 2964 wrote to memory of 2052	2964	E37CC5.EXE	41
PID 2964 wrote to memory of 2052	2964	E37CC5.EXE	41
PID 2964 wrote to memory of 2052	2964	E37CC5.EXE	41
PID 2964 wrote to memory of 2052	2964	E37CC5.EXE	41
PID 2964 wrote to memory of 2456	2964	E37CC5.EXE	43
PID 2964 wrote to memory of 2456	2964	E37CC5.EXE	43
PID 2964 wrote to memory of 2456	2964	E37CC5.EXE	43
PID 2964 wrote to memory of 2456	2964	E37CC5.EXE	43
PID 2456 wrote to memory of 1604	2456	E37CC5.EXE	45
PID 2456 wrote to memory of 1604	2456	E37CC5.EXE	45
PID 2456 wrote to memory of 1604	2456	E37CC5.EXE	45
PID 2456 wrote to memory of 1604	2456	E37CC5.EXE	45
PID 2456 wrote to memory of 1076	2456	E37CC5.EXE	83
PID 2456 wrote to memory of 1076	2456	E37CC5.EXE	83
PID 2456 wrote to memory of 1076	2456	E37CC5.EXE	83
PID 2456 wrote to memory of 1076	2456	E37CC5.EXE	83
PID 1076 wrote to memory of 1696	1076	E37CC5.EXE	48
PID 1076 wrote to memory of 1696	1076	E37CC5.EXE	48
PID 1076 wrote to memory of 1696	1076	E37CC5.EXE	48
PID 1076 wrote to memory of 1696	1076	E37CC5.EXE	48
PID 1076 wrote to memory of 1708	1076	E37CC5.EXE	49
PID 1076 wrote to memory of 1708	1076	E37CC5.EXE	49
PID 1076 wrote to memory of 1708	1076	E37CC5.EXE	49
PID 1076 wrote to memory of 1708	1076	E37CC5.EXE	49
PID 1708 wrote to memory of 924	1708	E37CC5.EXE	91
PID 1708 wrote to memory of 924	1708	E37CC5.EXE	91
PID 1708 wrote to memory of 924	1708	E37CC5.EXE	91
PID 1708 wrote to memory of 924	1708	E37CC5.EXE	91
PID 1708 wrote to memory of 1124	1708	E37CC5.EXE	52
PID 1708 wrote to memory of 1124	1708	E37CC5.EXE	52
PID 1708 wrote to memory of 1124	1708	E37CC5.EXE	52
PID 1708 wrote to memory of 1124	1708	E37CC5.EXE	52

C:\Users\Admin\AppData\Local\Temp\b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2864
- C:\Windows\SysWOW64\ADE119\E37CC5.EXE
  C:\Windows\system32\ADE119\E37CC5.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\ADE119\E37CC5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\ADE119\E37CC5.EXE
    C:\Windows\system32\ADE119\E37CC5.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\ADE119\E37CC5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2888
  - - C:\Windows\SysWOW64\ADE119\E37CC5.EXE
      C:\Windows\system32\ADE119\E37CC5.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2508
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
    - - C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        6⤵
        
        PID:2052
      - C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        7⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:1124
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        10⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        11⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        Suspicious use of SetWindowsHookEx
        
        PID:1340
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        13⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        13⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2004
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1100
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        14⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        15⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2888
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        16⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:1544
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        17⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1052
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        18⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        18⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:376
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        19⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        20⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        20⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        21⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        21⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        22⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:2208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        23⤵
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        23⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        24⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        25⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        26⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        26⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1748
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        27⤵
        
        PID:880
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        27⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        28⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        28⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        29⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        29⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        30⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        30⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        31⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        32⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        33⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        33⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        34⤵
        System Location Discovery: System Language Discovery
        
        PID:3720
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        34⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        35⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3888
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        36⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4008
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        37⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        37⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3384
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        38⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:1692
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:3636
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        39⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3608
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        40⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        40⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3716
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        41⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3952
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        42⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3384
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        43⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        43⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        44⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        44⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        45⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        45⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3936
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        46⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        46⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        47⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        47⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        48⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        48⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        49⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        50⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        51⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        52⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4704
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        53⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        53⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4816
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        54⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        55⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:5052
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:4100
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        56⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:3512
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        57⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        57⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        
        PID:4360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        58⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        58⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:3324
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        59⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        59⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        61⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        61⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        62⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        62⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        63⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        63⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        64⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        64⤵
        
        PID:4440
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        65⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        65⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        66⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        66⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        67⤵
        
        PID:5200
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        67⤵
        
        PID:5232
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        68⤵
        
        PID:5312
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        68⤵
        
        PID:5344
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        69⤵
        
        PID:5412
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        69⤵
        
        PID:5456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        70⤵
        
        PID:5532
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        70⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        71⤵
        
        PID:5656
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        71⤵
        
        PID:5688
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        72⤵
        
        PID:5760
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        72⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        73⤵
        
        PID:5876
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        73⤵
        
        PID:5916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        74⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        74⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        75⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        75⤵
        
        PID:5144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        76⤵
        
        PID:5208
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        76⤵
        
        PID:5364
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        77⤵
        
        PID:5436
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        77⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        78⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        78⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        79⤵
        
        PID:6052
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        79⤵
        
        PID:6008
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        80⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        80⤵
        
        PID:5536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        81⤵
        
        PID:5936
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        81⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        82⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        82⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        83⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        83⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        84⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        84⤵
        
        PID:6224
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        85⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        85⤵
        
        PID:6360
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        86⤵
        
        PID:6440
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        86⤵
        
        PID:6488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        87⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        87⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        88⤵
        
        PID:6696
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        88⤵
        
        PID:6736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        89⤵
        
        PID:6840
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        89⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        90⤵
        
        PID:6960
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        90⤵
        
        PID:6992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        91⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        91⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        92⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        92⤵
        
        PID:6240
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        93⤵
        
        PID:6332
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        93⤵
        
        PID:6504
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        94⤵
        
        PID:6652
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        94⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        95⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        95⤵
        
        PID:6600
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        96⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        96⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        97⤵
        
        PID:6668
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        97⤵
        
        PID:7008
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        98⤵
        
        PID:5800
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        98⤵
        
        PID:6212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        99⤵
        
        PID:7084
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        99⤵
        
        PID:6380
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        100⤵
        
        PID:7212
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        100⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        101⤵
        
        PID:7348
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        101⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        102⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        102⤵
        
        PID:7524
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        103⤵
        
        PID:7600
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        103⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        104⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        104⤵
        
        PID:7764
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        105⤵
        
        PID:7876
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        105⤵
        
        PID:7912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        106⤵
        
        PID:7992
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        106⤵
        
        PID:8028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        107⤵
        
        PID:8116
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        107⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        108⤵
        
        PID:7268
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        108⤵
        
        PID:7320
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        109⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        109⤵
        
        PID:7252
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        110⤵
        
        PID:7776
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        110⤵
        
        PID:7716
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        111⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        111⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        112⤵
        
        PID:8108
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        112⤵
        
        PID:7332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        113⤵
        
        PID:7572
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        113⤵
        
        PID:7724
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        114⤵
        
        PID:7644
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        114⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        115⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        115⤵
        
        PID:7220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        116⤵
        
        PID:8256
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        116⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        117⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        117⤵
        
        PID:8408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        118⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        118⤵
        
        PID:8536
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        119⤵
        
        PID:8628
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        119⤵
        
        PID:8660
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        120⤵
        
        PID:8740
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        120⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        121⤵
        
        PID:8852
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        121⤵
        
        PID:8892
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        122⤵
        
        PID:8992
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        122⤵
        
        PID:9032
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        123⤵
        
        PID:9124
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        123⤵
        
        PID:9156
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        124⤵
        
        PID:7656
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        124⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        125⤵
        
        PID:8360
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        125⤵
        
        PID:8504
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        126⤵
        
        PID:8780
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        126⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        127⤵
        
        PID:8664
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        127⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        128⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        128⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        129⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        129⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        130⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        130⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        131⤵
        
        PID:9008
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        131⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        132⤵
        
        PID:8208
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        132⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        133⤵
        
        PID:9020
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        133⤵
        
        PID:8424
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        134⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        134⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        135⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        135⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        136⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        136⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        137⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        137⤵
        
        PID:6816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:1272

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2504

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2328

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2832

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2268

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1912

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:292

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1080

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:2636

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3768

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3880

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
PID:3140

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3596

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3076

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3988

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1804

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4452

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4712

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:4924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4760

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4820

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4892

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5336

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5556

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5680

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5792

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5908

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5136

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5784

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2412

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6872

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7108

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2952

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6580

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6840

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6992

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6608

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7380

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8020

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7228

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8528

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8764

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9024

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8676

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8776

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2820

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
493dde767dd07971ff879af1d39e2871

SHA1
c28de7d00331b43d23d44773e75a16036e1b7297

SHA256
c1c10d620005fdb874a029b7c1a73a2a399037298906d07e9ff505edb8dac0d9

SHA512
00e8d7fe6ec4c52101f7659dd46a7653cf7e4de17eda6079dcb9479caa6a4ef67ec9984200955de204a574fd43bbaac5254b6bc8860d62967a21149eb3ec6c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
ecfc87b5c94d89b1fa1e2d575056145c

SHA1
20779380d6a2ea8af81a15e647c046073f134bb5

SHA256
d2a3445e2a7f6451653a02540b09c32b17a949d15404cce5a88a76a645618c7e

SHA512
204e8e4406a478c79644e25161a783242f36c0a16e4042baa87ec5caea8af8a0e9e6d9ae1ab459bc652ffcf2b9984588c822032c75c96248d84d772c3956c4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
6aa9bb7655fc5e90550ee61355df8547

SHA1
e6515d4992dc99e765f139871ba7f4fb2c3a5f24

SHA256
99c7bbd2665760553c91225f41f9d0030aa8ec25d7f333535e30f413dae6ca8c

SHA512
33d6cca8413e0e24a49c6fe00ccb5a9552c4f66b2e93347ca738928dde4eec80557ae070190fb2aee3d41825744a2228a3bc9533849a783f864eb1926f19f0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
72KB

MD5
0d1ae5e6215353e69f354b0853e43348

SHA1
851a191dd344503c2148dda3d6b624373b2210f8

SHA256
9255c9576f2e30c9a8676a44bc25973a9baec960a2710049458b14fad30b1ab4

SHA512
0b4925c8fbbc4a727a0c45b06d6359a3e4185409dd632920ade9065890592be315254e9bbac14046a12d6c760dfdb8593effe51a98f060adb1e00f380dd18693

Download Submit
C:\Windows\SysWOW64\ADE119\E37CC5.EXE

Filesize
1.4MB

MD5
b0bdf36903b4df97ff16a2e9392cd65f

SHA1
0a318924eb7a7f0263353e19e095cb302332614e

SHA256
93ff0ea4842fd80abfb9059cbd2c148a062286f3da29d416cf153b49756757f8

SHA512
7e24d06ae851f398c884be408db35024f89b0596b414bab4a6536f5516d7f01ac1c26d8517cdfab1fc228be99a013545bdddabdb6e3050f5b7c8f00c9790b4ad

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
264KB

MD5
02dff30ebc19aed131679756eb50a2be

SHA1
b35edef9578b97f74c4bd81f14e2af4c0c84aea2

SHA256
ae14e796e66640ae5b960fa9dc2b1547c095718ba0391bd4d4fd633e64d53344

SHA512
50c50e1a7c0f1daf2b72cf88b966b8726d77d5a7db4bc8f4b6ab8ad9d6e083d99db0986ac743ca74cff613dc1bfeb39e00c8ddf2c82bf55d5f21dcd1e1344643

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6bc845ca548877ffd05c335b89728425

SHA1
7b162942e1e22ebed7659358e52a6ab7ff0124fc

SHA256
665702efbea9c7718c123302b34f74b3ad479709379d83b46f477923d66b8de4

SHA512
2f9bcddd21f6b3a183f07fa754c31394d3a647e3c564d8db4b35c3044be3107fed375daca0965092a12a328cc9b2423cea63e341ecbe70c5504100958b75948d

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
987052e6354d7d2931286c5e4bdd92f7

SHA1
f516e0d834a057834e9ae06083ab04c98031e19c

SHA256
f77f09fdc89f0012e078cf9a2dc48b467ffcafb636c14da28d21a220ada2063f

SHA512
f0bf7ab2d0e111e9241d5088442ee27435d4c7320c8c0678ff8bd2afdb8fea80b69b50ed09ce0272e72ed9fdc3396f60a78f88129e44fbd3a7d2ea786a30d080

Download Submit
\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
59c8df28d012034a7492df1609ec2d1a

SHA1
81e0a43332b6ba7a3d8a9f00f429282ed2fe2395

SHA256
aab57aa2e13079f4b3991c99c01d153ef2c29e0dc8aeb3c3c90c9cdea4f21cea

SHA512
a722123c4295e5bea5f22c25e9df9ac88356420f7d2b554b910c3288ae5739eafc9b3953f321c6bb58b296b82281e7c85def2a8324f5e897688c3fc57785fcfa

Download Submit
memory/1076-146-0x0000000001CF0000-0x0000000001D0E000-memory.dmp

Filesize
120KB

Download
memory/1076-147-0x0000000000430000-0x000000000047B000-memory.dmp

Filesize
300KB

Download
memory/1076-145-0x0000000001CD0000-0x0000000001CE1000-memory.dmp

Filesize
68KB

Download
memory/1076-211-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1076-149-0x0000000001DA0000-0x0000000001DCD000-memory.dmp

Filesize
180KB

Download
memory/1076-150-0x0000000001DA0000-0x0000000001DCD000-memory.dmp

Filesize
180KB

Download
memory/1076-144-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1076-212-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1124-171-0x0000000000280000-0x00000000002CB000-memory.dmp

Filesize
300KB

Download
memory/1124-177-0x00000000004C0000-0x00000000004DE000-memory.dmp

Filesize
120KB

Download
memory/1124-231-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1124-179-0x00000000004E0000-0x000000000050D000-memory.dmp

Filesize
180KB

Download
memory/1124-178-0x00000000004E0000-0x000000000050D000-memory.dmp

Filesize
180KB

Download
memory/1124-232-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1124-167-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1124-168-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1124-176-0x00000000004A0000-0x00000000004B1000-memory.dmp

Filesize
68KB

Download
memory/1340-200-0x0000000000430000-0x000000000045D000-memory.dmp

Filesize
180KB

Download
memory/1340-201-0x0000000000430000-0x000000000045D000-memory.dmp

Filesize
180KB

Download
memory/1340-198-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/1340-195-0x0000000001FD0000-0x000000000201B000-memory.dmp

Filesize
300KB

Download
memory/1340-199-0x00000000003C0000-0x00000000003D1000-memory.dmp

Filesize
68KB

Download
memory/1340-194-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1508-233-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1508-238-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/1508-237-0x00000000004B0000-0x00000000004DD000-memory.dmp

Filesize
180KB

Download
memory/1508-234-0x00000000003D0000-0x00000000003EE000-memory.dmp

Filesize
120KB

Download
memory/1708-216-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1708-155-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1708-215-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1708-158-0x0000000000480000-0x000000000049E000-memory.dmp

Filesize
120KB

Download
memory/1708-162-0x0000000000750000-0x000000000077D000-memory.dmp

Filesize
180KB

Download
memory/1708-156-0x0000000001F10000-0x0000000001F5B000-memory.dmp

Filesize
300KB

Download
memory/1708-157-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/2004-223-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/2004-224-0x00000000003A0000-0x00000000003BE000-memory.dmp

Filesize
120KB

Download
memory/2004-225-0x0000000000530000-0x000000000055D000-memory.dmp

Filesize
180KB

Download
memory/2004-226-0x0000000000530000-0x000000000055D000-memory.dmp

Filesize
180KB

Download
memory/2264-52-0x0000000001D10000-0x0000000001D2E000-memory.dmp

Filesize
120KB

Download
memory/2264-42-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2264-161-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2264-160-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2264-48-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/2264-55-0x0000000001DB0000-0x0000000001DDD000-memory.dmp

Filesize
180KB

Download
memory/2264-45-0x0000000001D60000-0x0000000001DAB000-memory.dmp

Filesize
300KB

Download
memory/2456-197-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2456-129-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2456-196-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2456-139-0x0000000000450000-0x000000000047D000-memory.dmp

Filesize
180KB

Download
memory/2456-135-0x0000000000430000-0x000000000044E000-memory.dmp

Filesize
120KB

Download
memory/2456-133-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/2456-131-0x00000000003A0000-0x00000000003EB000-memory.dmp

Filesize
300KB

Download
memory/2508-173-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2508-96-0x0000000000740000-0x000000000076D000-memory.dmp

Filesize
180KB

Download
memory/2508-89-0x0000000000270000-0x00000000002BB000-memory.dmp

Filesize
300KB

Download
memory/2508-172-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2508-87-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2508-93-0x0000000000380000-0x000000000039E000-memory.dmp

Filesize
120KB

Download
memory/2508-91-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/2564-235-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2564-236-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2564-188-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/2564-184-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2564-185-0x0000000000280000-0x00000000002CB000-memory.dmp

Filesize
300KB

Download
memory/2564-186-0x0000000000300000-0x0000000000311000-memory.dmp

Filesize
68KB

Download
memory/2564-187-0x00000000003B0000-0x00000000003CE000-memory.dmp

Filesize
120KB

Download
memory/2564-189-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/2644-169-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2644-170-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2644-67-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2644-72-0x0000000000430000-0x0000000000441000-memory.dmp

Filesize
68KB

Download
memory/2644-73-0x0000000000450000-0x000000000046E000-memory.dmp

Filesize
120KB

Download
memory/2644-69-0x00000000003B0000-0x00000000003FB000-memory.dmp

Filesize
300KB

Download
memory/2644-66-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2660-217-0x00000000004D0000-0x00000000004FD000-memory.dmp

Filesize
180KB

Download
memory/2660-218-0x00000000004D0000-0x00000000004FD000-memory.dmp

Filesize
180KB

Download
memory/2660-204-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2660-213-0x0000000000480000-0x0000000000491000-memory.dmp

Filesize
68KB

Download
memory/2660-214-0x00000000004B0000-0x00000000004CE000-memory.dmp

Filesize
120KB

Download
memory/2736-51-0x0000000003A90000-0x0000000003AA0000-memory.dmp

Filesize
64KB

Download
memory/2788-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2788-29-0x0000000001E60000-0x0000000001E8D000-memory.dmp

Filesize
180KB

Download
memory/2788-11-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2788-13-0x00000000002C0000-0x000000000030B000-memory.dmp

Filesize
300KB

Download
memory/2788-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2788-138-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2788-17-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download
memory/2788-20-0x0000000000340000-0x000000000035E000-memory.dmp

Filesize
120KB

Download
memory/2964-118-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/2964-107-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2964-116-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download
memory/2964-175-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2964-174-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2964-113-0x00000000003B0000-0x00000000003FB000-memory.dmp

Filesize
300KB

Download
memory/2964-114-0x0000000000530000-0x000000000054E000-memory.dmp

Filesize
120KB

Download
memory/2964-110-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2964-112-0x0000000000310000-0x0000000000321000-memory.dmp

Filesize
68KB

Download