28cc656312bcd6d8e07969007caeb7a550e8e40ae8c0dfe20609f5d04301cfb0

Analysis

max time kernel
139s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe
Size

68KB
MD5

d64dedce2f9ce71a0c5d5c234fb943d4
SHA1

624df9c273d26d348d18da16791530d1229e58a6
SHA256

28cc656312bcd6d8e07969007caeb7a550e8e40ae8c0dfe20609f5d04301cfb0
SHA512

24cfde2403c7119123d6f6aac32c0d898beb4f5eaa7164815335823eae738d2fb67a9e115e9da90ca2df8020331c8b584ab6227dcd8a1bde29f99ce40b38dd89
SSDEEP

384:ojQTC55+M7eSqtIWA4rL8pWqAR+suhNryatM3o3L/poWo:1TCH+M7extIWACLDqARGTmm

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MsnMessenger = "C:\\Windows\\System32\\Msn.bat"	reg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ShellWin.bat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ShellWin.bat	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5507FCA1-6EA6-11EF-B699-EE9D5ADBD8E3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000ce46ad054416d7cf61ef489868fcbfedf4c996fa13b9931f6269a430a0a9a594000000000e800000000200002000000086b9a502791c0d3c8e37832a38957a21c4d19b86792b0d43bbfb24ede45e988490000000ea8d2306238ff0ead61fe57e52502e560fdf82e37bb64c7ebe785e023ac71b0e77d9d7a9fa9f2643a18c9a40f4b82252e4c64e90bc277bc2cc2479cd5c77023434b94bffab31dee57a15859a0dd51fadacb8f47623ee01c62f5cfee48c58792c3452c9737ed3d4b1f75d260612f88c2e41c430c07e0f8f0afd7936e73607cba596bc9cfb800fd51a16dd01c8550cda5f4000000083cb2a551a3fdd8dd18eaf61f00a02f3b41e37d3163d564f96008a6aa906c9bf0cfd15973a42c4e7280788e2c62e3b252a2e05c0932fa99af6f319115bebe04b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432046528"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2160	reg.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe
564	iexplore.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2380	iexplore.exe
2516	iexplore.exe
1400	iexplore.exe
564	iexplore.exe
1232	iexplore.exe
3492	iexplore.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2380	iexplore.exe
2380	iexplore.exe
2516	iexplore.exe
2516	iexplore.exe
1400	iexplore.exe
1400	iexplore.exe
564	iexplore.exe
564	iexplore.exe
1232	iexplore.exe
1232	iexplore.exe
3492	iexplore.exe
3492	iexplore.exe
2404	IEXPLORE.EXE
2404	IEXPLORE.EXE
1888	IEXPLORE.EXE
1888	IEXPLORE.EXE
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
3444	IEXPLORE.EXE
3444	IEXPLORE.EXE
3324	IEXPLORE.EXE
3324	IEXPLORE.EXE
3660	IEXPLORE.EXE
3660	IEXPLORE.EXE
10528	IEXPLORE.EXE
10528	IEXPLORE.EXE
3324	IEXPLORE.EXE
3324	IEXPLORE.EXE
15756	IEXPLORE.EXE
15756	IEXPLORE.EXE
15768	IEXPLORE.EXE
15768	IEXPLORE.EXE
15756	IEXPLORE.EXE
15756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 2272	1712	d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2272	1712	d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2272	1712	d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe	30
PID 1712 wrote to memory of 2272	1712	d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2160	2272	cmd.exe	32
PID 2272 wrote to memory of 2160	2272	cmd.exe	32
PID 2272 wrote to memory of 2160	2272	cmd.exe	32
PID 2272 wrote to memory of 2160	2272	cmd.exe	32
PID 2272 wrote to memory of 2164	2272	cmd.exe	33
PID 2272 wrote to memory of 2164	2272	cmd.exe	33
PID 2272 wrote to memory of 2164	2272	cmd.exe	33
PID 2272 wrote to memory of 2164	2272	cmd.exe	33
PID 2272 wrote to memory of 2344	2272	cmd.exe	34
PID 2272 wrote to memory of 2344	2272	cmd.exe	34
PID 2272 wrote to memory of 2344	2272	cmd.exe	34
PID 2272 wrote to memory of 2344	2272	cmd.exe	34
PID 2272 wrote to memory of 2796	2272	cmd.exe	35
PID 2272 wrote to memory of 2796	2272	cmd.exe	35
PID 2272 wrote to memory of 2796	2272	cmd.exe	35
PID 2272 wrote to memory of 2796	2272	cmd.exe	35
PID 2272 wrote to memory of 2180	2272	cmd.exe	36
PID 2272 wrote to memory of 2180	2272	cmd.exe	36
PID 2272 wrote to memory of 2180	2272	cmd.exe	36
PID 2272 wrote to memory of 2180	2272	cmd.exe	36
PID 2272 wrote to memory of 1924	2272	cmd.exe	37
PID 2272 wrote to memory of 1924	2272	cmd.exe	37
PID 2272 wrote to memory of 1924	2272	cmd.exe	37
PID 2272 wrote to memory of 1924	2272	cmd.exe	37
PID 2272 wrote to memory of 2256	2272	cmd.exe	38
PID 2272 wrote to memory of 2256	2272	cmd.exe	38
PID 2272 wrote to memory of 2256	2272	cmd.exe	38
PID 2272 wrote to memory of 2256	2272	cmd.exe	38
PID 2272 wrote to memory of 340	2272	cmd.exe	39
PID 2272 wrote to memory of 340	2272	cmd.exe	39
PID 2272 wrote to memory of 340	2272	cmd.exe	39
PID 2272 wrote to memory of 340	2272	cmd.exe	39
PID 2272 wrote to memory of 2720	2272	cmd.exe	40
PID 2272 wrote to memory of 2720	2272	cmd.exe	40
PID 2272 wrote to memory of 2720	2272	cmd.exe	40
PID 2272 wrote to memory of 2720	2272	cmd.exe	40
PID 2272 wrote to memory of 2996	2272	cmd.exe	41
PID 2272 wrote to memory of 2996	2272	cmd.exe	41
PID 2272 wrote to memory of 2996	2272	cmd.exe	41
PID 2272 wrote to memory of 2996	2272	cmd.exe	41
PID 2272 wrote to memory of 2756	2272	cmd.exe	42
PID 2272 wrote to memory of 2756	2272	cmd.exe	42
PID 2272 wrote to memory of 2756	2272	cmd.exe	42
PID 2272 wrote to memory of 2756	2272	cmd.exe	42
PID 2272 wrote to memory of 2844	2272	cmd.exe	43
PID 2272 wrote to memory of 2844	2272	cmd.exe	43
PID 2272 wrote to memory of 2844	2272	cmd.exe	43
PID 2272 wrote to memory of 2844	2272	cmd.exe	43
PID 2272 wrote to memory of 2840	2272	cmd.exe	44
PID 2272 wrote to memory of 2840	2272	cmd.exe	44
PID 2272 wrote to memory of 2840	2272	cmd.exe	44
PID 2272 wrote to memory of 2840	2272	cmd.exe	44
PID 2272 wrote to memory of 2852	2272	cmd.exe	45
PID 2272 wrote to memory of 2852	2272	cmd.exe	45
PID 2272 wrote to memory of 2852	2272	cmd.exe	45
PID 2272 wrote to memory of 2852	2272	cmd.exe	45
PID 2272 wrote to memory of 2872	2272	cmd.exe	46
PID 2272 wrote to memory of 2872	2272	cmd.exe	46
PID 2272 wrote to memory of 2872	2272	cmd.exe	46
PID 2272 wrote to memory of 2872	2272	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d64dedce2f9ce71a0c5d5c234fb943d4_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\B2E1\batfile.bat" "
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "MsnMessenger" /t REG_SZ /d C:\Windows\System32\Msn.bat
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2160
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2180
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:340
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2840
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2868
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2644
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2816
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2632
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2724
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:296
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1572
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:292
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2944
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2940
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:848
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3068
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2544
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1420
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:740
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:884
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2276
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1932
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.soygay.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2380
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2404
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.petardas.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2516
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2516 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2128
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.amo-a-raki0n.tk/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1400
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1888
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1400 CREDAT:5780482 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:10528
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.cph-manda.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:564
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:564 CREDAT:275457 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3324
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:564 CREDAT:7549953 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:15756
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:564 CREDAT:7681025 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:15768
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.soy-lammer.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1232
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1232 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K start notepad.exe
    3⤵
    PID:2504
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      PID:3456
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2004
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1412
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1956
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1508
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:872
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3100
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3128
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3172
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3196
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:3212
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.me-meto-virus.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:3492
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3492 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:1076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5164
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5260
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5428
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:5228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7252
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7276
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7748
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7132
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:6332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:7892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8216
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8344
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8416
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8480
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8524
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8576
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8612
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8656
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8692
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8728
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8784
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:8844
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8864
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8772
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8780
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8820
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8828
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8836
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8604
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8684
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8764
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8968
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8960
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8952
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8980
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8992
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9000
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9040
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9048
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9056
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9064
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9072
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8928
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9124
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8468
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8452
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8428
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9224
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9236
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9248
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9268
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9276
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9284
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9292
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9300
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9308
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9316
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9324
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9332
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9340
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9348
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9356
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9364
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9372
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9380
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9388
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9396
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9404
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9412
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9420
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9428
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9436
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9444
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9452
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9460
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9468
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9476
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9484
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9492
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9500
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9508
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9516
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9524
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9536
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9544
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9552
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9560
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9568
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9576
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9584
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9592
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9600
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9608
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9616
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9624
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9632
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9640
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9652
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9660
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9668
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9676
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9684
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9692
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9700
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9708
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9716
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9724
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9732
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9740
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9748
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9756
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9764
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9772
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9780
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9788
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9796
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9804
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9812
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9820
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9828
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9836
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9844
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9864
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9888
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K start notepad.exe
    3⤵
    PID:10092
  - - C:\Windows\SysWOW64\notepad.exe
      notepad.exe
      4⤵
      PID:10596
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10096
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10128
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8020
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10152
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10172
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10160
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10168
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10176
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10216
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10228
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10236
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9928
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9936
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9948
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9880
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9956
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9940
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9532
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9976
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8000
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:8016
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:9952
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10088
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:7724
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10256
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10264
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10272
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10280
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe
    3⤵
    PID:10288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10956
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:10316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:9912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10540
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:11644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11796
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12188
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12196
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11284
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12416
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12440
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13024
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13076
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13096
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:11332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12596
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12636
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:12784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12480
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13328
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13400
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13500
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:13548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13708
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14248
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14296
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:12692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13364
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13488
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13584
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14140
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14616
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14920
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15112
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15184
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:15308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:15336
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:14280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14348
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:13560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:14472
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd
    3⤵
    PID:10836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0956c38c735b8be39f1c5c79b10f5965

SHA1
10c3c49f91653363eaaed1763d68ef83ade25aea

SHA256
a295bc92ae50d9d275de1812d64ea042140c26b680aec260f552a58b94e9ab00

SHA512
74ad3dca0b290b165b7dbbdd5e094cd0ef91f14eb964f295fff8ca928be9b947534f88bb43f2df726a62ea9dc5d2cd443f837e930a67b89ca199336bdba5d5e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90d534a153f09f6a4e7e2643a32b2973

SHA1
bf5c67ee3e77127839177fa916925d1a282d63e5

SHA256
8d2d3183fdb951f12271e0af0963a76762919f98ac9c3da3ef64f26f8184fdd5

SHA512
dcc8eec139d16137ad0108f59140d6e57da074bc746b1ec0fff1af91fad16ff129a35a18a4e1a976b3092451b96b81d5938794ab4f22ef431b3866e5b498e561

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39527f70bf9810588048a8bc9a381c7b

SHA1
c05b4a96bc47a9e2d97c34d196a65e1b8ff9f4aa

SHA256
c3f2491690b4512b69930f91cf4eccd6b2475e1d8f23010659a73b8e5c0584eb

SHA512
50fc2d712d08874ac676da15c737a15e4cc8190af2f35dcde1502056e83f52a27b49a028b88d790225cc6484871ee12d6b54ffac2cbcc207c1f3bc654e1cbf7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0417e7d4c2f46290bb6da829f242bd26

SHA1
4745961ab421fab0950e8588ca437a8c1304c18e

SHA256
6152046038306246b5677613279a23e00cd0bb29faa320a0b2cb5e15dbe79ea7

SHA512
aa725cc669918e601fb6941ee53803f5806cd0be75ed0b3abc3e1caad2583fac10cdde27aaf7757aa7eb728dec9cb5adb64e420271f20f09e873c55832c41484

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bb3531789eff18f863ca1ae47dcf679

SHA1
15c580500067e13dff9d7261a75155fc4ee317a1

SHA256
e45dc92f24cd24dbb27c3debb57eb418782cced3b2d011be7962de07ce9f134b

SHA512
1de5e0ddcb464182d0301aa594c7528f2f56a79c48070c5a5c84de6f32413184ca07562f8207ae28c9621ecd70ce999325a723ff6af5048a581f353fb2c10846

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c3d5e498d80a1e59cbd56a184e56c5f

SHA1
92cb01b4893acd0631c8fd3b460e670ab0d73276

SHA256
1b57ec43e360ec32cf093d6eae32fc5d91cb0cdf929edcdf718c857eabee2710

SHA512
45659cb175b7deb03522e98af8b383dc36d65a3dfc7d73f02da17c07f34759382bd7da13fd210678ed977ee72952e0715fad0b89f13bf69be88a66600ef6d855

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39295e29f1e0a21dd13033ffbfea8c11

SHA1
c7a3091ffe1d5a474f8a002c42830acc717cfe59

SHA256
486c1482d422a03acfe8d4a99ba6ca4ba7c580bb61d330d25a59428e4955d3be

SHA512
93326be11b806b628f1ea9f2a166731b93c9cd1646a971143f149e2d9551d1396c753dd602931e2457b0b7e75af63b1e60774f748e4c688ff152eef04f0125cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9db4e083b1ffbc8bffd35b1591914e98

SHA1
6a8e5a7593fedf6d42e698ae767a4c3efe8694f1

SHA256
f1c10351cf383db61314518e156805df13bfe710fe7adda389492e8d2c68fb4c

SHA512
bde00d8a71b2c02194f3e20a0d00ccfb733c0edd945fe84021b7aba2ca28b61c7f848ad0d83133e705ac8d84b31996b618fa303f4aee36060e5676ff7006bc30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe635975dbe2f0fb91e884c074f2632f

SHA1
885b0164b6b54d8b0b355c8aa0e497dc9a811b67

SHA256
e7a4625ec58a0e3f23034e6d74d2361e2fa192d041b8e1769ad0d6772810c935

SHA512
1ba39594e1150c8736986cf4aae47ab7203e6d06443fdbde14b86e469ed4a68324d2e1fbe8d0a116811ac6f799a410b386772383a699bf445e9048963bb0d483

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f58f41e9b11bfc9fc573faac62873c7

SHA1
3aa3f4e77f919552b5c363cd1edb0e9d113aacdc

SHA256
4bd54a7caa8e0fa0dfa99c2d7889710f24ba13d0ab1d40095baf303cb3625d23

SHA512
db9eca48166f6e9846f9ec24ccfffdea52340d1f659f6522f94be1fbb397f8e8157cbfacca6a72f169aafe77b15212ed86a79a4da127a74ced334d548d037b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02ebd3571d4768ce20a535d1f935de16

SHA1
031e2704f493a337a0e53b5bd9b1e571eb64f529

SHA256
65fb3bd20b60384cc5966bf1b9867deb1ed6dce560e4775f17c4071faf26fb6f

SHA512
8db7dcc04c7b7b2f92e74403821d2ecaf9a94c852c36dd8d006dab9d62f86a082d4a1c0336efa0c74555b23d3d203fd9c33761764c5e858a4e872e200c48a658

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96332062d49f20f0177c376832f40c86

SHA1
1b883dbdb019ae7bc754d0ba79e54be919289925

SHA256
5a9f597a515fcdc6a94ecb1efe642b3053a96cc4412780f6b19226ee79184df2

SHA512
d8c461f61bc30e003f1e1b9878b4bb833a8763e24d637adb3cc201542a4e905ffdc1b52dfa18ed2c130d4986743a50f0138bee3eed85cc81e42efe3d5687e188

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ae8853c5367d4e57810104636cf92dc

SHA1
e94a95821e826aeada232e9a3a827c84cf548c86

SHA256
88a687047cf007847b44993b644c2af25c718fdaa5554d24e648100d7286ca96

SHA512
338a269e31e12e9d180dcec97a776cf19373bd476e4737c626a44bfec5309ede6bc233b1a9e8a8d709e4665f7015c6b034747594771e3894ddc3b057b14a82ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73ee17a3bd047420368afaa2d7695c9d

SHA1
64d24d76b2fcdf24909685c0c89cfedcd2a9b27c

SHA256
ef84a8a6f4f06e2334b24c15fcc56d1e470c9832d09a111a68a604d076c0b37f

SHA512
f7a48fcf19c5c6e0deb1491f9b6c1ca01e6e452b0f399f2cb7e2bb14df8a4e0874b35ea7d81991af6d535d1895982175fb507fae4f045a28d1ea44b83387ba81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b8cab1d09dedf9818a002dad4aee63e

SHA1
9cd544af5dc78a7d5f0608fee59c7b17699ee7fb

SHA256
43ee3274076da265952b9cb4156afc3c5e3153c7a3605bd36023f6d7a2fe735d

SHA512
0e0bac90a834b43818505b41fdf3779a74be638af70dfe0fe425faacb53c5b17ee52c30ed542e5e8516fa58b025973ff4bd389bf727e9de1eb3cec0107c6c80f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c00461e3f348bcbbfe7e893c4072b644

SHA1
a1264ce9a9c03e74f217e8db30e9754c9a0ea99c

SHA256
371532547321c864d1dc9463b85abae8b16954ad39c76df56c291ed825c59494

SHA512
2f2bd63c3ba3358cd7d3217b4d324df82139ee8c0096ae2cc2ade5d5919301c102f85aba61b524bd73aa5bbefd9a18dbc89fdc5737aa2abe1f57fb7d61e9b5ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c605e4515981cce7f5db1e3941915954

SHA1
d07b5485c29b6ba8475651a748d277c3db225575

SHA256
fecd3cb8360a37ef4af67d605fb472f0ebdc02a6b72e31c9d825d16e78688065

SHA512
4bc52cfae9dc588a430f98e10f63d9067b3a46591fb5bcc14c176bec697dca33a55c447bccaf318a41f83b34f3a196e42e9b8ee3dd4d3846ad58af57789aa2b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03fa773e4dfa45fb13df0571ca3fcfd7

SHA1
2d25e833c06758df29afb2caf14c1d55bd870d8b

SHA256
1ebb0f93e210bb5ce789f21e1e8ed5e6a6a700454ab31879126862e35d2390e6

SHA512
1057cdc2d6abb47159eecca030180d91d53f5904f643339331a2b1d0888be9a0e6f1bac0083755aba3055d96d075238e23eff469e307841d63aac83518b6f9ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d557f45323cbd56a9939bed0336fe0f1

SHA1
b388542e64a8ca2035bb37cdd9d25af8fbbefd6e

SHA256
a862a442717f7af6edefa936f2e6c26493ca31293eaae18e995aaf7f499ed5c9

SHA512
7577bd5b0fea94786a6b60738df7c1e04d7e201ff2ac9bd0bedb02c7f3f77da33b03a2f51196cec16e0ff8050c99dea7b1c81720eb094f82e3573e9a8f4ab81d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c613804f6301dcb3f9813e5d5f4d997

SHA1
f5e0b00ff307e7b03b40ecf9fbaaff2d6bee3721

SHA256
03337d6aec5a5019533569f758b3f4dbcfc13eb71ef8bf831391e1080a977320

SHA512
35826e4ed57e578b453214aff8245081323c2611a25c7ef6358c3544d1db93ed05fe87a1da7d25d0d628e2e9cbfc3adbf368e4badc04fc369ad5013244f716d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c3265cb0270cea98f5a30dec507a045

SHA1
3b6f4394d0703f6d0900d8131e4a3d9e08ea03b0

SHA256
52e7bf7dfa6011e43a7f0c2c709a28a3a9ef258f4a86035672bd64023055f447

SHA512
7afa21c32cea4dc1712b64f61e1082c6f250e3c804290fa7cc1418dcb6fe19ada6976e9fd41fb9bf26e19a93cf5e0a075428fc9ea0de6597eec139101fc54773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cf631d17a944d80fdf6dbf73ca3688e

SHA1
74e40fa5faff7f9fcd86b30eb77c976de0349f7e

SHA256
c87c6625cb3d66fc95e9e485f378e9ca72949828aa88654e546ab453c4167406

SHA512
4217ca204a742e4243b3d9d0cd5b8ad38f261c39a4ed7ed4d59305d5d61bd440ee33a869e5829231daec5ca0e9b8e7141baa4affdbd98a52a0f31d77654cfc0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5adc89c4c5875e6c511061e6ed59913b

SHA1
991602b328e91f5634a62df1e3c1a6a7a39c0031

SHA256
fc690e65c155c9d22a4bb4f35a0d6018069c0cd1d9bf6bfdbbe85dfe0a41033d

SHA512
b80e4bc86948cb318a6a1dbebdb1176da3590fad75e6626cb7f26eea1b356e6218e1922a98973d2f5586fe93bc90d90e3fbaa0512116bf3877d3f5bb1bd788cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6abf1280a585da31a6f7d8105f21c4c

SHA1
cf47f3307c08db56ba0a40e604f55c659ef0cd25

SHA256
f91d17e3a56ac35ca6573f9928719b526f35a18c16815a46fcc670b309671ef7

SHA512
a13ed9f47bbdf75c66fb92bb39e2a68403d3afa9bd449c47ed0d1fba5359045b5fc749c52c069b1975444a54e7e4fd5d3618dc3c4e755b6b0ce7e20ec87a66d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfb8b95cff6244b7bd2ce0c740eb53e5

SHA1
b1350addaf8a83b4881b289e47198456f77c4046

SHA256
293222b81f093d6004378a28043ae93898618a8476d0571ed9a3103a89ea2998

SHA512
a22198b6205b297ae097b5ee81a30f265d55a87063c792910374696f4e5b0be370018780f011471230a8ebe6897a0a82080a689fe25b25d68662efa75a42c583

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0763f67221ddd5d3348436d72cfd59b

SHA1
8ec3a7b953a38eb888f807bab228c81271e4dca4

SHA256
c52e7bc2843326afd97128f4ae7a50535e0c8074b787244ec7462f57180d4fb5

SHA512
b02dd9f4eaa186fda6f89955855ac60b87213872355298c557195f7a8b2415a68c8ba98df28a57caa83b9e9fef8d8079ef88e7406c16c192a14fce6dd4d98219

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
979f23a60c72ebc1dfc5bff41c836cc2

SHA1
3afb802b02cb22f8261ced434570e503bce1c79b

SHA256
b2422a591f13b0e8e906fda803603b34b566fdbad9ec72d67af8dac3e723db78

SHA512
77d160244783868b5a5ad41926dea0b95e9597884aa2c3bf3f63b39d34c00e1c861bba4000ee585bd506e96711e75e87934226758ef13c850cb9f3ea4349a391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{563FD0C1-6EA6-11EF-B699-EE9D5ADBD8E3}.dat

Filesize
3KB

MD5
8f42b3a9b768ce47d1b896bdf7653934

SHA1
0a402882b551ddfcd456b854747c48b4c01aab4b

SHA256
9d959951a549e0c122f5b781926a2b5bfee18a3d08c3efc6c32e3cfd597ddbcb

SHA512
f2d937451319fb5412b86c7a489f406f515907211402956d3d5b1e57d9dd189e8136141ae69723874876b49c90b6003c5b4fcdc80a4d9f6e1811d44873bdf65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{563FD0C1-6EA6-11EF-B699-EE9D5ADBD8E3}.dat

Filesize
5KB

MD5
f7f49534bcad3e5a3f26bd373abcced3

SHA1
83041ff395567715f6beecfc1f034a914b3ca1e6

SHA256
0c1d57f933d63e13722ec27adb80fefa84707e4d02bd97112ec781de509ad31c

SHA512
a9be3b9b910a638df011e2cadf5a6f9d10050e3d8055b063367748b7b94a3214640eda5b18b502699194884c3eceac6d4c9f3a422e6f0205d69cce70292d02f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{563FD0C1-6EA6-11EF-B699-EE9D5ADBD8E3}.dat

Filesize
5KB

MD5
ba6425b2cc64e6fa7899238555f92e42

SHA1
ffa5deb9e05b2365353a7f10649895d3742404b5

SHA256
a1a597c81b3b6ed249567d18c1aabdebca5f359f4e680c155b2910600880b7af

SHA512
83c734dc3a710cf93d781b0abf070ffd354f4c4376aa4c6aaaa236ef488de785a2df565af2c7bccca91e3d578cd6b5690328daa2565a232432a1150e357d6feb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{56C05B01-6EA6-11EF-B699-EE9D5ADBD8E3}.dat

Filesize
3KB

MD5
607989428c3a93f5f7db2021db63fa28

SHA1
989df2a9263a2859cffe680b6c11de294c72150c

SHA256
4f80d233a0001861270b0a3a03129e39fe9dad301d093d729f2ea7f2b08b26d5

SHA512
6ae8c5bc0382a243b5b68be267bff3ef9e42b3cd8fd65ec6c539c2a5e6917d76675d17e0d5c161da1a876ac66392b1fe4e6b9e802d1e70b32f400593554eea36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{56C05B01-6EA6-11EF-B699-EE9D5ADBD8E3}.dat

Filesize
5KB

MD5
948ba5f8f1bab086983663501c3577b8

SHA1
b58db3396fd507d5622a1a40de9deb649afae9f7

SHA256
6ce0cd35a427c299f750b895fd10be43dcde7f6205c75408402ed98c12047750

SHA512
44b9d03c2b1826c66f475ef15c03b3156c956b04caad4691dfcd5cecddab60c20bed5356ce31c170ff604bccb9a65ccf7f78a19a837bca5c19a3c1f907f5830d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{58634D01-6EA6-11EF-B699-EE9D5ADBD8E3}.dat

Filesize
3KB

MD5
9585aefd082a41da5d456f291f37a26a

SHA1
607d5e6054326aa7101da7101977b7a521cea6f2

SHA256
b36423114a3e83a2cb4e5a2623d3fd1162ab75782c09940e128a013540db1ba3

SHA512
917d571831b5e9e9a7afbdba30bab2c115fbf8b0b78be4707313ab31d94ceafd3149eea9900d8e8dfb5821562414cba01f31595b24eacd052f6d97efeda317af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\bl977i7\imagestore.dat

Filesize
2KB

MD5
bbfcce6c8dcb55a23f695e3c04513a56

SHA1
00ad3b0f5a24092308e0725df05b2b43ad4cf4ac

SHA256
332a1555a35853f4bbc96bfe435bf82291d3ac1c0c260290665be46205468544

SHA512
795eef458031c52b2e1598ee997826ae295af1c8552e1ff1b9129607b006e340932daca555c5580c059d04f343a02b09b711c16f3974080b9673a6d3dce41854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\KMF0ROHG.htm

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PLSLTMYI\lander[1].htm

Filesize
64B

MD5
eb034c3c78cf2191513bbf397e17ef05

SHA1
38a1b3ac29c5230d2d892927b9416ca4f77a54ff

SHA256
cba99fc737bdd792a7ed912f37a3faece27be02bb245239e6a239bbbba5bc43e

SHA512
445e8d795ca2f7718a14fa9e154fbc756b067a925b039ad1c0a1a1e2ca920501dd4640d933736587e1afd2cc01000614f64b053ab70c37eb6d36a2cfeacd8302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\NewErrorPageTemplate[2]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\favicon[2].ico

Filesize
2KB

MD5
9a6420f6e04c717f55b64b1557bc98ba

SHA1
7f60deb9ef6e713e739428313fcff0eb9ed06eee

SHA256
23a9124f8fb8dc7411a74451eee25c12b9dd206a66d0598e55a7f35c76d38549

SHA512
c76c32e147a50f89c0bfe7c3c3dc6ece208f08f73a4656030a13f5d8dc03b0dbe854ed2871d84964af9288cc409449a70a90a747a12750acb910c6ac7d544a07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\B2E1\batfile.bat

Filesize
48KB

MD5
eaf5ac7432975a30acc52869af03b8fc

SHA1
e72abde35fb94247ef276c0a8e064527465c57d5

SHA256
3e96edde8cacf1ebd98e965b1c64aae24662801491fd45b6370bb272ff84a1dd

SHA512
909683c38860bb2391b1b0e52326b8c96739b2432130a30748b6e4de79c64c6c939681c605b05d6132b18538fbf2b15b58361f14f3549a23f0b73ce4a13938d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1C09.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1D82.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1712-8-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download