93ff0ea4842fd80abfb9059cbd2c148a062286f3da29d416cf153b49756757f8

Analysis

max time kernel
8s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
Size

1.4MB
MD5

b0bdf36903b4df97ff16a2e9392cd65f
SHA1

0a318924eb7a7f0263353e19e095cb302332614e
SHA256

93ff0ea4842fd80abfb9059cbd2c148a062286f3da29d416cf153b49756757f8
SHA512

7e24d06ae851f398c884be408db35024f89b0596b414bab4a6536f5516d7f01ac1c26d8517cdfab1fc228be99a013545bdddabdb6e3050f5b7c8f00c9790b4ad
SSDEEP

24576:2EQWl8ewe67CF4ED/dBDC7ftYZedd5eoqCss/lZE1NRELt:2SlkDe4ELmYZeVyC7ZE1rEx

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 12 IoCs

pid	Process
2044	E37CC5.EXE
2580	E37CC5.EXE
1176	E37CC5.EXE
4564	E37CC5.EXE
832	E37CC5.EXE
2916	E37CC5.EXE
4924	E37CC5.EXE
3684	E37CC5.EXE
1188	E37CC5.EXE
868	E37CC5.EXE
2956	E37CC5.EXE
5100	E37CC5.EXE

Loads dropped DLL 64 IoCs

pid	Process
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2044	E37CC5.EXE
2044	E37CC5.EXE
2044	E37CC5.EXE
2044	E37CC5.EXE
2044	E37CC5.EXE
2044	E37CC5.EXE
2044	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE
1188	E37CC5.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 12 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE
File opened for modification	\??\PhysicalDrive0	E37CC5.EXE

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ADE119	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\9E3B3C	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\C021A2	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ADE119\E37CC5.EXE	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ADE119\E37CC5.EXE	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	E37CC5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe

Suspicious behavior: AddClipboardFormatListener 5 IoCs

pid	Process
1948	explorer.exe
1972	explorer.exe
1628	explorer.exe
1732	explorer.exe
916	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
2044	E37CC5.EXE
2044	E37CC5.EXE
2044	E37CC5.EXE
2044	E37CC5.EXE
2044	E37CC5.EXE
2044	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
2580	E37CC5.EXE
1948	explorer.exe
1948	explorer.exe
2580	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1176	E37CC5.EXE
1972	explorer.exe
1972	explorer.exe
4564	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
4564	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
832	E37CC5.EXE
1628	explorer.exe
1628	explorer.exe
2916	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
2916	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
4924	E37CC5.EXE
1732	explorer.exe
1732	explorer.exe
916	explorer.exe
916	explorer.exe
3684	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE
3684	E37CC5.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 1320	3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	83
PID 3396 wrote to memory of 1320	3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	83
PID 3396 wrote to memory of 1320	3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	83
PID 3396 wrote to memory of 2044	3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	85
PID 3396 wrote to memory of 2044	3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	85
PID 3396 wrote to memory of 2044	3396	b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe	85
PID 2044 wrote to memory of 4692	2044	E37CC5.EXE	86
PID 2044 wrote to memory of 4692	2044	E37CC5.EXE	86
PID 2044 wrote to memory of 4692	2044	E37CC5.EXE	86
PID 2044 wrote to memory of 2580	2044	E37CC5.EXE	87
PID 2044 wrote to memory of 2580	2044	E37CC5.EXE	87
PID 2044 wrote to memory of 2580	2044	E37CC5.EXE	87
PID 2580 wrote to memory of 1132	2580	E37CC5.EXE	89
PID 2580 wrote to memory of 1132	2580	E37CC5.EXE	89
PID 2580 wrote to memory of 1132	2580	E37CC5.EXE	89
PID 2580 wrote to memory of 1176	2580	E37CC5.EXE	90
PID 2580 wrote to memory of 1176	2580	E37CC5.EXE	90
PID 2580 wrote to memory of 1176	2580	E37CC5.EXE	90
PID 1176 wrote to memory of 1568	1176	E37CC5.EXE	92
PID 1176 wrote to memory of 1568	1176	E37CC5.EXE	92
PID 1176 wrote to memory of 1568	1176	E37CC5.EXE	92
PID 1176 wrote to memory of 4564	1176	E37CC5.EXE	94
PID 1176 wrote to memory of 4564	1176	E37CC5.EXE	94
PID 1176 wrote to memory of 4564	1176	E37CC5.EXE	94
PID 4564 wrote to memory of 4656	4564	E37CC5.EXE	95
PID 4564 wrote to memory of 4656	4564	E37CC5.EXE	95
PID 4564 wrote to memory of 4656	4564	E37CC5.EXE	95
PID 4564 wrote to memory of 832	4564	E37CC5.EXE	96
PID 4564 wrote to memory of 832	4564	E37CC5.EXE	96
PID 4564 wrote to memory of 832	4564	E37CC5.EXE	96
PID 832 wrote to memory of 2808	832	E37CC5.EXE	98
PID 832 wrote to memory of 2808	832	E37CC5.EXE	98
PID 832 wrote to memory of 2808	832	E37CC5.EXE	98
PID 832 wrote to memory of 2916	832	E37CC5.EXE	99
PID 832 wrote to memory of 2916	832	E37CC5.EXE	99
PID 832 wrote to memory of 2916	832	E37CC5.EXE	99
PID 2916 wrote to memory of 2688	2916	E37CC5.EXE	101
PID 2916 wrote to memory of 2688	2916	E37CC5.EXE	101
PID 2916 wrote to memory of 2688	2916	E37CC5.EXE	101
PID 2916 wrote to memory of 4924	2916	E37CC5.EXE	102
PID 2916 wrote to memory of 4924	2916	E37CC5.EXE	102
PID 2916 wrote to memory of 4924	2916	E37CC5.EXE	102
PID 4924 wrote to memory of 1000	4924	E37CC5.EXE	104
PID 4924 wrote to memory of 1000	4924	E37CC5.EXE	104
PID 4924 wrote to memory of 1000	4924	E37CC5.EXE	104
PID 4924 wrote to memory of 3684	4924	E37CC5.EXE	134
PID 4924 wrote to memory of 3684	4924	E37CC5.EXE	134
PID 4924 wrote to memory of 3684	4924	E37CC5.EXE	134
PID 3684 wrote to memory of 3372	3684	E37CC5.EXE	107
PID 3684 wrote to memory of 3372	3684	E37CC5.EXE	107
PID 3684 wrote to memory of 3372	3684	E37CC5.EXE	107
PID 3684 wrote to memory of 1188	3684	E37CC5.EXE	108
PID 3684 wrote to memory of 1188	3684	E37CC5.EXE	108
PID 3684 wrote to memory of 1188	3684	E37CC5.EXE	108
PID 1188 wrote to memory of 2188	1188	E37CC5.EXE	110
PID 1188 wrote to memory of 2188	1188	E37CC5.EXE	110
PID 1188 wrote to memory of 2188	1188	E37CC5.EXE	110
PID 1188 wrote to memory of 868	1188	E37CC5.EXE	111
PID 1188 wrote to memory of 868	1188	E37CC5.EXE	111
PID 1188 wrote to memory of 868	1188	E37CC5.EXE	111
PID 868 wrote to memory of 3768	868	E37CC5.EXE	113
PID 868 wrote to memory of 3768	868	E37CC5.EXE	113
PID 868 wrote to memory of 3768	868	E37CC5.EXE	113
PID 868 wrote to memory of 2956	868	E37CC5.EXE	116

C:\Users\Admin\AppData\Local\Temp\b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\SysWOW64\explorer.exe
  explorer C:\Users\Admin\AppData\Local\Temp\b0bdf36903b4df97ff16a2e9392cd65f_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320
- C:\Windows\SysWOW64\ADE119\E37CC5.EXE
  C:\Windows\system32\ADE119\E37CC5.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\explorer.exe
    explorer C:\Windows\SysWOW64\ADE119\E37CC5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4692
- - C:\Windows\SysWOW64\ADE119\E37CC5.EXE
    C:\Windows\system32\ADE119\E37CC5.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\explorer.exe
      explorer C:\Windows\SysWOW64\ADE119\E37CC5
      4⤵
      System Location Discovery: System Language Discovery
      PID:1132
  - - C:\Windows\SysWOW64\ADE119\E37CC5.EXE
      C:\Windows\system32\ADE119\E37CC5.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1176
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1568
    - - C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4564
      - C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4656
      - C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1000
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        11⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        12⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1208
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        13⤵
        Executes dropped EXE
        
        PID:5100
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        14⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        14⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        15⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        15⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        16⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        16⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        17⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        17⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        18⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        18⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        19⤵
        
        PID:1984
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        19⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        20⤵
        
        PID:4936
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        20⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        21⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        21⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        22⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        22⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        23⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        23⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        24⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        24⤵
        
        PID:5388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        25⤵
        
        PID:5492
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        25⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        26⤵
        
        PID:5672
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        26⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        27⤵
        
        PID:5868
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        27⤵
        
        PID:5932
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        28⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        28⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        29⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        29⤵
        
        PID:5272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        30⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        30⤵
        
        PID:5616
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        31⤵
        
        PID:5792
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        31⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        32⤵
        
        PID:5996
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        32⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        33⤵
        
        PID:6056
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        33⤵
        
        PID:5444
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        34⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        34⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        35⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        35⤵
        
        PID:6040
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        36⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        36⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        37⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        37⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        38⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        38⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        39⤵
        
        PID:6168
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        39⤵
        
        PID:6220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        40⤵
        
        PID:6372
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        40⤵
        
        PID:6412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        41⤵
        
        PID:6548
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        41⤵
        
        PID:6608
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        42⤵
        
        PID:6728
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        42⤵
        
        PID:6804
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        43⤵
        
        PID:6908
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        43⤵
        
        PID:6984
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        44⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        44⤵
        
        PID:5964
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        45⤵
        
        PID:5984
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        45⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        46⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        46⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        47⤵
        
        PID:6956
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        47⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        48⤵
        
        PID:6936
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        48⤵
        
        PID:6248
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        49⤵
        
        PID:7116
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        49⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        50⤵
        
        PID:6204
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        50⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        51⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        51⤵
        
        PID:6472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        52⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        52⤵
        
        PID:5952
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        53⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        53⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        54⤵
        
        PID:5484
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        54⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        55⤵
        
        PID:5588
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        55⤵
        
        PID:6980
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        56⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        56⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        57⤵
        
        PID:6848
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        57⤵
        
        PID:7200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        58⤵
        
        PID:7316
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        58⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        59⤵
        
        PID:7452
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        59⤵
        
        PID:7484
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        60⤵
        
        PID:7584
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        60⤵
        
        PID:7648
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        61⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        61⤵
        
        PID:7796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        62⤵
        
        PID:7880
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        62⤵
        
        PID:7916
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        63⤵
        
        PID:8016
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        63⤵
        
        PID:8056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        64⤵
        
        PID:8152
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        64⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        65⤵
        
        PID:5512
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        65⤵
        
        PID:7188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        66⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        66⤵
        
        PID:7364
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        67⤵
        
        PID:7820
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        67⤵
        
        PID:7488
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        68⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        68⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        69⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        69⤵
        
        PID:6024
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        70⤵
        
        PID:7588
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        70⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        71⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        71⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        72⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        72⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        73⤵
        
        PID:7472
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        73⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        74⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        74⤵
        
        PID:5396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        75⤵
        
        PID:6452
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        75⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        76⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        76⤵
        
        PID:7184
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        77⤵
        
        PID:372
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        77⤵
        
        PID:888
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        78⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        78⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        79⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        79⤵
        
        PID:8352
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        80⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        80⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        81⤵
        
        PID:8656
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        81⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        82⤵
        
        PID:8828
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        82⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        83⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        83⤵
        
        PID:9028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        84⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        84⤵
        
        PID:9188
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        85⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        85⤵
        
        PID:8396
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        86⤵
        
        PID:8324
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        86⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        87⤵
        
        PID:8484
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        87⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        88⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        88⤵
        
        PID:8832
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        89⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        89⤵
        
        PID:6104
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        90⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        90⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        91⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        91⤵
        
        PID:5392
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        92⤵
        
        PID:8752
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        92⤵
        
        PID:7120
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        93⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        93⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        94⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        94⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        95⤵
        
        PID:8512
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        95⤵
        
        PID:9164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        96⤵
        
        PID:8712
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        96⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        97⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        97⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        98⤵
        
        PID:8672
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        98⤵
        
        PID:6164
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        99⤵
        
        PID:6196
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        99⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        100⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        100⤵
        
        PID:6596
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        101⤵
        
        PID:8492
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        101⤵
        
        PID:9244
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        102⤵
        
        PID:9360
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        102⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        103⤵
        
        PID:9500
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        103⤵
        
        PID:9560
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        104⤵
        
        PID:9684
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        104⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        105⤵
        
        PID:9824
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        105⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        106⤵
        
        PID:9984
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        106⤵
        
        PID:10028
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        107⤵
        
        PID:10164
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        107⤵
        
        PID:10200
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        108⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        108⤵
        
        PID:7092
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        109⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        109⤵
        
        PID:9584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        110⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        110⤵
        
        PID:9700
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        111⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        111⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        112⤵
        
        PID:6796
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        112⤵
        
        PID:9904
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        113⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        113⤵
        
        PID:9272
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        114⤵
        
        PID:9760
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        114⤵
        
        PID:9736
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        115⤵
        
        PID:10140
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        115⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        116⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        116⤵
        
        PID:9872
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        117⤵
        
        PID:8204
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        117⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        118⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        118⤵
        
        PID:8556
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        119⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        119⤵
        
        PID:10252
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        120⤵
        
        PID:10356
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        120⤵
        
        PID:10400
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        121⤵
        
        PID:10516
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        121⤵
        
        PID:10652
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        122⤵
        
        PID:10740
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        122⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        123⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        123⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        124⤵
        
        PID:11136
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        124⤵
        
        PID:11180
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        125⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        125⤵
        
        PID:6072
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        126⤵
        
        PID:9752
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        126⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        127⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        127⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        128⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        128⤵
        
        PID:10732
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        129⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        129⤵
        
        PID:10944
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        130⤵
        
        PID:8576
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        130⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        131⤵
        
        PID:9384
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        131⤵
        
        PID:10336
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        132⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        132⤵
        
        PID:11192
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        133⤵
        
        PID:8636
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        133⤵
        
        PID:10404
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer C:\Windows\SysWOW64\ADE119\E37CC5
        134⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\ADE119\E37CC5.EXE
        
        C:\Windows\system32\ADE119\E37CC5.EXE
        134⤵
        
        PID:8936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3004

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:1560

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:1632

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:5068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:512

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4412

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:328

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3680

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4508

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5400

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6088

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5284

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5880

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4588

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5332

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1580

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6228

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6420

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6992

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6160

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6220

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7024

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3772

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5984

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4224

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7656

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6848

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7312

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7352

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4460

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4468

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:760

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8360

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8888

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9040

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8548

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8764

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8852

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9096

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9116

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8340

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7972

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2456

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4948

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6104

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7692

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9264

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9440

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9740

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10036

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9164

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9592

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9980

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7964

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10216

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10644

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11172

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10244

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10288

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10940

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5724

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3808

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr

Filesize
212KB

MD5
493dde767dd07971ff879af1d39e2871

SHA1
c28de7d00331b43d23d44773e75a16036e1b7297

SHA256
c1c10d620005fdb874a029b7c1a73a2a399037298906d07e9ff505edb8dac0d9

SHA512
00e8d7fe6ec4c52101f7659dd46a7653cf7e4de17eda6079dcb9479caa6a4ef67ec9984200955de204a574fd43bbaac5254b6bc8860d62967a21149eb3ec6c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\com.run

Filesize
264KB

MD5
02dff30ebc19aed131679756eb50a2be

SHA1
b35edef9578b97f74c4bd81f14e2af4c0c84aea2

SHA256
ae14e796e66640ae5b960fa9dc2b1547c095718ba0391bd4d4fd633e64d53344

SHA512
50c50e1a7c0f1daf2b72cf88b966b8726d77d5a7db4bc8f4b6ab8ad9d6e083d99db0986ac743ca74cff613dc1bfeb39e00c8ddf2c82bf55d5f21dcd1e1344643

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne

Filesize
112KB

MD5
6bc845ca548877ffd05c335b89728425

SHA1
7b162942e1e22ebed7659358e52a6ab7ff0124fc

SHA256
665702efbea9c7718c123302b34f74b3ad479709379d83b46f477923d66b8de4

SHA512
2f9bcddd21f6b3a183f07fa754c31394d3a647e3c564d8db4b35c3044be3107fed375daca0965092a12a328cc9b2423cea63e341ecbe70c5504100958b75948d

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne

Filesize
316KB

MD5
ecfc87b5c94d89b1fa1e2d575056145c

SHA1
20779380d6a2ea8af81a15e647c046073f134bb5

SHA256
d2a3445e2a7f6451653a02540b09c32b17a949d15404cce5a88a76a645618c7e

SHA512
204e8e4406a478c79644e25161a783242f36c0a16e4042baa87ec5caea8af8a0e9e6d9ae1ab459bc652ffcf2b9984588c822032c75c96248d84d772c3956c4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne

Filesize
180KB

MD5
6aa9bb7655fc5e90550ee61355df8547

SHA1
e6515d4992dc99e765f139871ba7f4fb2c3a5f24

SHA256
99c7bbd2665760553c91225f41f9d0030aa8ec25d7f333535e30f413dae6ca8c

SHA512
33d6cca8413e0e24a49c6fe00ccb5a9552c4f66b2e93347ca738928dde4eec80557ae070190fb2aee3d41825744a2228a3bc9533849a783f864eb1926f19f0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr

Filesize
1.0MB

MD5
987052e6354d7d2931286c5e4bdd92f7

SHA1
f516e0d834a057834e9ae06083ab04c98031e19c

SHA256
f77f09fdc89f0012e078cf9a2dc48b467ffcafb636c14da28d21a220ada2063f

SHA512
f0bf7ab2d0e111e9241d5088442ee27435d4c7320c8c0678ff8bd2afdb8fea80b69b50ed09ce0272e72ed9fdc3396f60a78f88129e44fbd3a7d2ea786a30d080

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne

Filesize
40KB

MD5
59c8df28d012034a7492df1609ec2d1a

SHA1
81e0a43332b6ba7a3d8a9f00f429282ed2fe2395

SHA256
aab57aa2e13079f4b3991c99c01d153ef2c29e0dc8aeb3c3c90c9cdea4f21cea

SHA512
a722123c4295e5bea5f22c25e9df9ac88356420f7d2b554b910c3288ae5739eafc9b3953f321c6bb58b296b82281e7c85def2a8324f5e897688c3fc57785fcfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne

Filesize
72KB

MD5
0d1ae5e6215353e69f354b0853e43348

SHA1
851a191dd344503c2148dda3d6b624373b2210f8

SHA256
9255c9576f2e30c9a8676a44bc25973a9baec960a2710049458b14fad30b1ab4

SHA512
0b4925c8fbbc4a727a0c45b06d6359a3e4185409dd632920ade9065890592be315254e9bbac14046a12d6c760dfdb8593effe51a98f060adb1e00f380dd18693

Download Submit
C:\Windows\SysWOW64\ADE119\E37CC5.EXE

Filesize
1.4MB

MD5
b0bdf36903b4df97ff16a2e9392cd65f

SHA1
0a318924eb7a7f0263353e19e095cb302332614e

SHA256
93ff0ea4842fd80abfb9059cbd2c148a062286f3da29d416cf153b49756757f8

SHA512
7e24d06ae851f398c884be408db35024f89b0596b414bab4a6536f5516d7f01ac1c26d8517cdfab1fc228be99a013545bdddabdb6e3050f5b7c8f00c9790b4ad

Download Submit
memory/832-137-0x00000000027F0000-0x0000000002801000-memory.dmp

Filesize
68KB

Download
memory/832-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/832-169-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/832-138-0x0000000002810000-0x000000000282E000-memory.dmp

Filesize
120KB

Download
memory/832-134-0x0000000002560000-0x00000000025AB000-memory.dmp

Filesize
300KB

Download
memory/832-133-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/832-168-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/868-212-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/868-190-0x0000000002600000-0x000000000261E000-memory.dmp

Filesize
120KB

Download
memory/868-211-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/868-184-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/868-188-0x0000000002260000-0x00000000022AB000-memory.dmp

Filesize
300KB

Download
memory/868-185-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/868-189-0x00000000023E0000-0x00000000023F1000-memory.dmp

Filesize
68KB

Download
memory/1176-80-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1176-92-0x0000000002330000-0x000000000237B000-memory.dmp

Filesize
300KB

Download
memory/1176-97-0x00000000026F0000-0x0000000002701000-memory.dmp

Filesize
68KB

Download
memory/1176-149-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1176-98-0x0000000002710000-0x000000000272E000-memory.dmp

Filesize
120KB

Download
memory/1176-148-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1188-206-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1188-178-0x0000000002480000-0x0000000002491000-memory.dmp

Filesize
68KB

Download
memory/1188-175-0x0000000002090000-0x00000000020DB000-memory.dmp

Filesize
300KB

Download
memory/1188-174-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1188-179-0x00000000024A0000-0x00000000024BE000-memory.dmp

Filesize
120KB

Download
memory/1188-207-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/1396-227-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1396-229-0x0000000002F60000-0x0000000002F71000-memory.dmp

Filesize
68KB

Download
memory/1396-230-0x0000000003080000-0x000000000309E000-memory.dmp

Filesize
120KB

Download
memory/1396-228-0x0000000000700000-0x000000000074B000-memory.dmp

Filesize
300KB

Download
memory/2044-123-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2044-50-0x0000000002100000-0x000000000214B000-memory.dmp

Filesize
300KB

Download
memory/2044-58-0x0000000002850000-0x000000000286E000-memory.dmp

Filesize
120KB

Download
memory/2044-54-0x0000000002830000-0x0000000002841000-memory.dmp

Filesize
68KB

Download
memory/2044-122-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2580-78-0x0000000002710000-0x000000000272E000-memory.dmp

Filesize
120KB

Download
memory/2580-135-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2580-136-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2580-69-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2580-72-0x0000000002090000-0x00000000020DB000-memory.dmp

Filesize
300KB

Download
memory/2580-77-0x00000000023F0000-0x0000000002401000-memory.dmp

Filesize
68KB

Download
memory/2916-177-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2916-146-0x00000000026E0000-0x00000000026F1000-memory.dmp

Filesize
68KB

Download
memory/2916-145-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/2916-144-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2916-143-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2916-147-0x0000000002700000-0x000000000271E000-memory.dmp

Filesize
120KB

Download
memory/2916-176-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2956-213-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2956-214-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2956-200-0x0000000002920000-0x000000000293E000-memory.dmp

Filesize
120KB

Download
memory/2956-199-0x0000000002900000-0x0000000002911000-memory.dmp

Filesize
68KB

Download
memory/2956-196-0x0000000002470000-0x00000000024BB000-memory.dmp

Filesize
300KB

Download
memory/2956-195-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3396-18-0x00000000022F0000-0x000000000233B000-memory.dmp

Filesize
300KB

Download
memory/3396-24-0x0000000002B30000-0x0000000002B41000-memory.dmp

Filesize
68KB

Download
memory/3396-10-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3396-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3396-113-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3396-114-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3396-25-0x0000000002B30000-0x0000000002B41000-memory.dmp

Filesize
68KB

Download
memory/3396-31-0x0000000002B50000-0x0000000002B6E000-memory.dmp

Filesize
120KB

Download
memory/3684-167-0x0000000002F70000-0x0000000002F8E000-memory.dmp

Filesize
120KB

Download
memory/3684-166-0x0000000002900000-0x0000000002911000-memory.dmp

Filesize
68KB

Download
memory/3684-165-0x0000000002320000-0x000000000236B000-memory.dmp

Filesize
300KB

Download
memory/3684-198-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3684-197-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3684-162-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3812-237-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3812-240-0x0000000003090000-0x00000000030AE000-memory.dmp

Filesize
120KB

Download
memory/3812-238-0x0000000001FA0000-0x0000000001FEB000-memory.dmp

Filesize
300KB

Download
memory/3812-239-0x0000000002850000-0x0000000002861000-memory.dmp

Filesize
68KB

Download
memory/4564-110-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4564-164-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4564-105-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4564-115-0x0000000002150000-0x000000000219B000-memory.dmp

Filesize
300KB

Download
memory/4564-121-0x0000000002900000-0x000000000291E000-memory.dmp

Filesize
120KB

Download
memory/4564-120-0x00000000027D0000-0x00000000027E1000-memory.dmp

Filesize
68KB

Download
memory/4564-163-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4924-154-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4924-156-0x00000000029F0000-0x0000000002A01000-memory.dmp

Filesize
68KB

Download
memory/4924-187-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4924-186-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4924-155-0x0000000002010000-0x000000000205B000-memory.dmp

Filesize
300KB

Download
memory/4924-157-0x0000000002A10000-0x0000000002A2E000-memory.dmp

Filesize
120KB

Download
memory/5100-210-0x0000000002830000-0x000000000284E000-memory.dmp

Filesize
120KB

Download
memory/5100-205-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5100-232-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/5100-231-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5100-209-0x00000000025F0000-0x0000000002601000-memory.dmp

Filesize
68KB

Download
memory/5100-208-0x0000000002190000-0x00000000021DB000-memory.dmp

Filesize
300KB

Download
memory/5116-222-0x0000000002410000-0x000000000242E000-memory.dmp

Filesize
120KB

Download
memory/5116-221-0x00000000023F0000-0x0000000002401000-memory.dmp

Filesize
68KB

Download
memory/5116-220-0x00000000020A0000-0x00000000020EB000-memory.dmp

Filesize
300KB

Download
memory/5116-219-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/5116-241-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads