Analysis
max time kernel: 48s
max time network: 149s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 16/10/2024, 22:47
Static task: static1
Behavioral task: behavioral1
    Sample: 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
    Resource: win7-20240903-en
Behavioral task: behavioral2
    Sample: 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
    Resource: win10v2004-20241007-en
General
Target: 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
Size: 1.5MB
MD5: 4f7036c4e9f9908a8236e7d6b375cd5b
SHA1: 04763a9de555b49e6395402045bab7f65cf31e26
SHA256: ddb527fa24d05933be035b41451bff51537281ba5d014c1c1fbe98d82bd40da9
SHA512: 7dfa4356abc0639daf96be7893d071e97e1220117e0a42eab3406f789aafa03af653dc0d758fd26c5cc0fe9b2b9df18784625ae1a4d1f79a802ca5747fc547d2
SSDEEP: 24576:LRTtK4q3GZVHdl6BAiQ9DXaBNKBKlSY3BhC9zK1bcUiN36KLA4iKqdsveHM:LB9q3GZVH3YQ6jfvuK1YUicKk9+ves
Malware Config
Signatures
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Writes to the Master Boot Record (MBR) (1 TTP, 64 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Drops file in System32 directory (5 IoCs)
description                   ioc                                     Process
File opened for modification  C:\Windows\SysWOW64\ADE119\E37CC5.EXE   4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\ADE119              4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\9E3B3C              4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\C021A2              4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\ADE119\E37CC5.EXE   4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
Drops file in Windows directory (17 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
Modifies registry class (64 IoCs)
Suspicious use of SetWindowsHookEx 64 IoCs
| pid | Process |
| --- | --- |
| 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe |
| 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe |
| 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe |
| 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe |
| 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe |
| 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe |
| 1244 | E37CC5.EXE |
| 1244 | E37CC5.EXE |
| 1244 | E37CC5.EXE |
| 1244 | E37CC5.EXE |
| 1244 | E37CC5.EXE |
| 1244 | E37CC5.EXE |
| 2752 | E37CC5.EXE |
| 2752 | E37CC5.EXE |
| 2752 | E37CC5.EXE |
| 2752 | E37CC5.EXE |
| 2752 | E37CC5.EXE |
| 2752 | E37CC5.EXE |
| 2776 | E37CC5.EXE |
| 2776 | E37CC5.EXE |
| 2776 | E37CC5.EXE |
| 2776 | E37CC5.EXE |
| 2776 | E37CC5.EXE |
| 2776 | E37CC5.EXE |
| 1976 | E37CC5.EXE |
| 1976 | E37CC5.EXE |
| 1976 | E37CC5.EXE |
| 1976 | E37CC5.EXE |
| 1976 | E37CC5.EXE |
| 1976 | E37CC5.EXE |
| 1980 | E37CC5.EXE |
| 1980 | E37CC5.EXE |
| 1980 | E37CC5.EXE |
| 1980 | E37CC5.EXE |
| 1980 | E37CC5.EXE |
| 1980 | E37CC5.EXE |
| 288 | E37CC5.EXE |
| 288 | E37CC5.EXE |
| 288 | E37CC5.EXE |
| 288 | E37CC5.EXE |
| 288 | E37CC5.EXE |
| 288 | E37CC5.EXE |
| 624 | E37CC5.EXE |
| 624 | E37CC5.EXE |
| 624 | E37CC5.EXE |
| 624 | E37CC5.EXE |
| 624 | E37CC5.EXE |
| 624 | E37CC5.EXE |
| 2148 | E37CC5.EXE |
| 2148 | E37CC5.EXE |
| 2148 | E37CC5.EXE |
| 2148 | E37CC5.EXE |
| 2148 | E37CC5.EXE |
| 2148 | E37CC5.EXE |
| 1520 | E37CC5.EXE |
| 1520 | E37CC5.EXE |
| 1520 | E37CC5.EXE |
| 1520 | E37CC5.EXE |
| 1520 | E37CC5.EXE |
| 1520 | E37CC5.EXE |
| 2024 | E37CC5.EXE |
| 2024 | E37CC5.EXE |
| 2024 | E37CC5.EXE |
| 2024 | E37CC5.EXE |
-
Suspicious use of WriteProcessMemory 64 IoCs
| description | pid | Process | procid_target |
| --- | --- | --- | --- |
| PID 352 wrote to memory of 3044 | 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe | 30 |
| PID 352 wrote to memory of 3044 | 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe | 30 |
| PID 352 wrote to memory of 3044 | 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe | 30 |
| PID 352 wrote to memory of 3044 | 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe | 30 |
| PID 352 wrote to memory of 1244 | 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe | 32 |
| PID 352 wrote to memory of 1244 | 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe | 32 |
| PID 352 wrote to memory of 1244 | 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe | 32 |
| PID 352 wrote to memory of 1244 | 352 | 4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe | 32 |
| PID 1244 wrote to memory of 2648 | 1244 | E37CC5.EXE | 33 |
| PID 1244 wrote to memory of 2648 | 1244 | E37CC5.EXE | 33 |
| PID 1244 wrote to memory of 2648 | 1244 | E37CC5.EXE | 33 |
| PID 1244 wrote to memory of 2648 | 1244 | E37CC5.EXE | 33 |
| PID 1244 wrote to memory of 2752 | 1244 | E37CC5.EXE | 34 |
| PID 1244 wrote to memory of 2752 | 1244 | E37CC5.EXE | 34 |
| PID 1244 wrote to memory of 2752 | 1244 | E37CC5.EXE | 34 |
| PID 1244 wrote to memory of 2752 | 1244 | E37CC5.EXE | 34 |
| PID 2752 wrote to memory of 2584 | 2752 | E37CC5.EXE | 36 |
| PID 2752 wrote to memory of 2584 | 2752 | E37CC5.EXE | 36 |
| PID 2752 wrote to memory of 2584 | 2752 | E37CC5.EXE | 36 |
| PID 2752 wrote to memory of 2584 | 2752 | E37CC5.EXE | 36 |
| PID 2752 wrote to memory of 2776 | 2752 | E37CC5.EXE | 38 |
| PID 2752 wrote to memory of 2776 | 2752 | E37CC5.EXE | 38 |
| PID 2752 wrote to memory of 2776 | 2752 | E37CC5.EXE | 38 |
| PID 2752 wrote to memory of 2776 | 2752 | E37CC5.EXE | 38 |
| PID 2776 wrote to memory of 2716 | 2776 | E37CC5.EXE | 39 |
| PID 2776 wrote to memory of 2716 | 2776 | E37CC5.EXE | 39 |
| PID 2776 wrote to memory of 2716 | 2776 | E37CC5.EXE | 39 |
| PID 2776 wrote to memory of 2716 | 2776 | E37CC5.EXE | 39 |
| PID 2776 wrote to memory of 1976 | 2776 | E37CC5.EXE | 40 |
| PID 2776 wrote to memory of 1976 | 2776 | E37CC5.EXE | 40 |
| PID 2776 wrote to memory of 1976 | 2776 | E37CC5.EXE | 40 |
| PID 2776 wrote to memory of 1976 | 2776 | E37CC5.EXE | 40 |
| PID 1976 wrote to memory of 2952 | 1976 | E37CC5.EXE | 42 |
| PID 1976 wrote to memory of 2952 | 1976 | E37CC5.EXE | 42 |
| PID 1976 wrote to memory of 2952 | 1976 | E37CC5.EXE | 42 |
| PID 1976 wrote to memory of 2952 | 1976 | E37CC5.EXE | 42 |
| PID 1976 wrote to memory of 1980 | 1976 | E37CC5.EXE | 43 |
| PID 1976 wrote to memory of 1980 | 1976 | E37CC5.EXE | 43 |
| PID 1976 wrote to memory of 1980 | 1976 | E37CC5.EXE | 43 |
| PID 1976 wrote to memory of 1980 | 1976 | E37CC5.EXE | 43 |
| PID 1980 wrote to memory of 2120 | 1980 | E37CC5.EXE | 45 |
| PID 1980 wrote to memory of 2120 | 1980 | E37CC5.EXE | 45 |
| PID 1980 wrote to memory of 2120 | 1980 | E37CC5.EXE | 45 |
| PID 1980 wrote to memory of 2120 | 1980 | E37CC5.EXE | 45 |
| PID 1980 wrote to memory of 288 | 1980 | E37CC5.EXE | 47 |
| PID 1980 wrote to memory of 288 | 1980 | E37CC5.EXE | 47 |
| PID 1980 wrote to memory of 288 | 1980 | E37CC5.EXE | 47 |
| PID 1980 wrote to memory of 288 | 1980 | E37CC5.EXE | 47 |
| PID 288 wrote to memory of 1032 | 288 | E37CC5.EXE | 77 |
| PID 288 wrote to memory of 1032 | 288 | E37CC5.EXE | 77 |
| PID 288 wrote to memory of 1032 | 288 | E37CC5.EXE | 77 |
| PID 288 wrote to memory of 1032 | 288 | E37CC5.EXE | 77 |
| PID 288 wrote to memory of 624 | 288 | E37CC5.EXE | 50 |
| PID 288 wrote to memory of 624 | 288 | E37CC5.EXE | 50 |
| PID 288 wrote to memory of 624 | 288 | E37CC5.EXE | 50 |
| PID 288 wrote to memory of 624 | 288 | E37CC5.EXE | 50 |
| PID 624 wrote to memory of 2324 | 624 | E37CC5.EXE | 51 |
| PID 624 wrote to memory of 2324 | 624 | E37CC5.EXE | 51 |
| PID 624 wrote to memory of 2324 | 624 | E37CC5.EXE | 51 |
| PID 624 wrote to memory of 2324 | 624 | E37CC5.EXE | 51 |
| PID 624 wrote to memory of 2148 | 624 | E37CC5.EXE | 52 |
| PID 624 wrote to memory of 2148 | 624 | E37CC5.EXE | 52 |
| PID 624 wrote to memory of 2148 | 624 | E37CC5.EXE | 52 |
| PID 624 wrote to memory of 2148 | 624 | E37CC5.EXE | 52 |
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe (PID 352), command line: "C:\Users\Admin\AppData\Local\Temp\4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe"
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 2: C:\Windows\SysWOW64\explorer.exe (PID 3044), command line: explorer C:\Users\Admin\AppData\Local\Temp\4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118
- System Location Discovery: System Language Discovery

Level 2: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1244), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 3: C:\Windows\SysWOW64\explorer.exe (PID 2648), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 3: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2752), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 4: C:\Windows\SysWOW64\explorer.exe (PID 2584), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 4: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2776), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 5: C:\Windows\SysWOW64\explorer.exe (PID 2716), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 5: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1976), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 6: C:\Windows\SysWOW64\explorer.exe (PID 2952), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 6: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1980), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 7: C:\Windows\SysWOW64\explorer.exe (PID 2120), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 7: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 288), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 8: C:\Windows\SysWOW64\explorer.exe (PID 1032), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 8: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 624), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory

Level 9: C:\Windows\SysWOW64\explorer.exe (PID 2324), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 9: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2148), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 10: C:\Windows\SysWOW64\explorer.exe (PID 772), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 10: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1520), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 11: C:\Windows\SysWOW64\explorer.exe (PID 2156), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 11: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2024), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx

Level 12: C:\Windows\SysWOW64\explorer.exe (PID 2640), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 12: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2824), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 13: C:\Windows\SysWOW64\explorer.exe (PID 2552), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 13: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1324), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 14: C:\Windows\SysWOW64\explorer.exe (PID 2180), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 14: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1328), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 15: C:\Windows\SysWOW64\explorer.exe (PID 2876), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 15: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2944), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 16: C:\Windows\SysWOW64\explorer.exe (PID 1580), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 16: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1244), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 17: C:\Windows\SysWOW64\explorer.exe (PID 2476), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 17: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1032), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 18: C:\Windows\SysWOW64\explorer.exe (PID 2068), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 18: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 768), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 19: C:\Windows\SysWOW64\explorer.exe (PID 1868), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 19: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1884), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 20: C:\Windows\SysWOW64\explorer.exe (PID 2968), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 20: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2960), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 21: C:\Windows\SysWOW64\explorer.exe (PID 2928), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 21: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1732), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 22: C:\Windows\SysWOW64\explorer.exe (PID 2340), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 22: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1944), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 23: C:\Windows\SysWOW64\explorer.exe (PID 1328), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 23: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2640), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 24: C:\Windows\SysWOW64\explorer.exe (PID 2296), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 24: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1644), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 25: C:\Windows\SysWOW64\explorer.exe (PID 2664), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 25: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1868), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 26: C:\Windows\SysWOW64\explorer.exe (PID 1716), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 26: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1324), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 27: C:\Windows\SysWOW64\explorer.exe (PID 2664), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 27: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2432), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 28: C:\Windows\SysWOW64\explorer.exe (PID 2876), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 28: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1644), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 29: C:\Windows\SysWOW64\explorer.exe (PID 3132), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 29: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3192), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 30: C:\Windows\SysWOW64\explorer.exe (PID 3304), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 30: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3344), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 31: C:\Windows\SysWOW64\explorer.exe (PID 3436), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 31: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3476), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 32: C:\Windows\SysWOW64\explorer.exe (PID 3556), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 32: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3608), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 33: C:\Windows\SysWOW64\explorer.exe (PID 3688), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 33: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3736), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 34: C:\Windows\SysWOW64\explorer.exe (PID 3844), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 34: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3888), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 35: C:\Windows\SysWOW64\explorer.exe (PID 3980), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 35: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4028), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 36: C:\Windows\SysWOW64\explorer.exe (PID 3128), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 36: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1540), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 37: C:\Windows\SysWOW64\explorer.exe (PID 3352), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 37: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3308), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 38: C:\Windows\SysWOW64\explorer.exe (PID 3460), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 38: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 1644), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 39: C:\Windows\SysWOW64\explorer.exe (PID 3756), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 39: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3688), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 40: C:\Windows\SysWOW64\explorer.exe (PID 3480), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 40: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3088), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 41: C:\Windows\SysWOW64\explorer.exe (PID 3144), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 41: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3364), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 42: C:\Windows\SysWOW64\explorer.exe (PID 3888), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 42: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2432), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 43: C:\Windows\SysWOW64\explorer.exe (PID 3872), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 43: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4004), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 44: C:\Windows\SysWOW64\explorer.exe (PID 4052), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 44: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 2212), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 45: C:\Windows\SysWOW64\explorer.exe (PID 3868), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 45: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4036), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 46: C:\Windows\SysWOW64\explorer.exe (PID 3440), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 46: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3464), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 47: C:\Windows\SysWOW64\explorer.exe (PID 2960), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 47: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 3984), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 48: C:\Windows\SysWOW64\explorer.exe (PID 4132), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 48: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4168), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 49: C:\Windows\SysWOW64\explorer.exe (PID 4244), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 49: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4284), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 50: C:\Windows\SysWOW64\explorer.exe (PID 4372), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 50: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4416), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE

Level 51: C:\Windows\SysWOW64\explorer.exe (PID 4484), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 51: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4520), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 52: C:\Windows\SysWOW64\explorer.exe (PID 4592), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 52: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4632), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 53: C:\Windows\SysWOW64\explorer.exe (PID 4708), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 53: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4748), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 54: C:\Windows\SysWOW64\explorer.exe (PID 4836), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 54: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4880), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 55: C:\Windows\SysWOW64\explorer.exe (PID 4968), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 55: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5012), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 56: C:\Windows\SysWOW64\explorer.exe (PID 5088), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 56: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4004), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 57: C:\Windows\SysWOW64\explorer.exe (PID 4144), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 57: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4304), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 58: C:\Windows\SysWOW64\explorer.exe (PID 4388), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 58: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4544), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 59: C:\Windows\SysWOW64\explorer.exe (PID 4600), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 59: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4764), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 60: C:\Windows\SysWOW64\explorer.exe (PID 4932), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 60: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4636), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE

Level 61: C:\Windows\SysWOW64\explorer.exe (PID 3964), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 61: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4880), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 62: C:\Windows\SysWOW64\explorer.exe (PID 4172), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 62: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4392), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 63: C:\Windows\SysWOW64\explorer.exe (PID 4900), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 63: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4848), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 64: C:\Windows\SysWOW64\explorer.exe (PID 5012), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 64: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4532), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)

Level 65: C:\Windows\SysWOW64\explorer.exe (PID 4768), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5

Level 65: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4752), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery

Level 66: C:\Windows\SysWOW64\explorer.exe (PID 5148), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
- System Location Discovery: System Language Discovery

Level 66: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5180), command line: C:\Windows\system32\ADE119\E37CC5.EXE
- Writes to the Master Boot Record (MBR)

Level 67: C:\Windows\SysWOW64\explorer.exe (PID 5264), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 67: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5300), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 68: C:\Windows\SysWOW64\explorer.exe (PID 5368), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 68: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5400), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 69: C:\Windows\SysWOW64\explorer.exe (PID 5468), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 69: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5516), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 70: C:\Windows\SysWOW64\explorer.exe (PID 5596), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 70: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5628), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 71: C:\Windows\SysWOW64\explorer.exe (PID 5708), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 71: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5744), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 72: C:\Windows\SysWOW64\explorer.exe (PID 5812), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 72: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5844), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 73: C:\Windows\SysWOW64\explorer.exe (PID 5948), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 73: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5980), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 74: C:\Windows\SysWOW64\explorer.exe (PID 6060), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 74: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6100), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 75: C:\Windows\SysWOW64\explorer.exe (PID 4900), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 75: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5244), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 76: C:\Windows\SysWOW64\explorer.exe (PID 5288), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 76: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5332), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 77: C:\Windows\SysWOW64\explorer.exe (PID 5180), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 77: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5304), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 78: C:\Windows\SysWOW64\explorer.exe (PID 5784), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 78: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5704), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 79: C:\Windows\SysWOW64\explorer.exe (PID 5632), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 79: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5948), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 80: C:\Windows\SysWOW64\explorer.exe (PID 4532), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 80: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4652), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 81: C:\Windows\SysWOW64\explorer.exe (PID 5500), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 81: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5796), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 82: C:\Windows\SysWOW64\explorer.exe (PID 6104), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 82: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 5204), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 83: C:\Windows\SysWOW64\explorer.exe (PID 6104), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 83: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6168), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 84: C:\Windows\SysWOW64\explorer.exe (PID 6248), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 84: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6280), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 85: C:\Windows\SysWOW64\explorer.exe (PID 6368), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 85: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6408), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 86: C:\Windows\SysWOW64\explorer.exe (PID 6500), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 86: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6540), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 87: C:\Windows\SysWOW64\explorer.exe (PID 6624), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 87: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6664), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 88: C:\Windows\SysWOW64\explorer.exe (PID 6748), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 88: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6796), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 89: C:\Windows\SysWOW64\explorer.exe (PID 6872), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 89: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6920), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 90: C:\Windows\SysWOW64\explorer.exe (PID 7020), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 90: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 7060), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 91: C:\Windows\SysWOW64\explorer.exe (PID 7152), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 91: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 4652), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 92: C:\Windows\SysWOW64\explorer.exe (PID 1988), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 92: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6416), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 93: C:\Windows\SysWOW64\explorer.exe (PID 6480), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 93: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6556), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 94: C:\Windows\SysWOW64\explorer.exe (PID 6712), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 94: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6408), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 95: C:\Windows\SysWOW64\explorer.exe (PID 6904), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 95: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6896), command line: C:\Windows\system32\ADE119\E37CC5.EXE
Level 96: C:\Windows\SysWOW64\explorer.exe (PID 6796), command line: explorer C:\Windows\SysWOW64\ADE119\E37CC5
Level 96: C:\Windows\SysWOW64\ADE119\E37CC5.EXE (PID 6180), command line: C:\Windows\system32\ADE119\E37CC5.EXE
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC597⤵PID:6508
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE97⤵PID:6480
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC598⤵PID:6668
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE98⤵PID:2592
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC599⤵PID:6848
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE99⤵PID:6508
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5100⤵PID:6556
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE100⤵PID:6816
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5101⤵PID:7236
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE101⤵PID:7280
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5102⤵PID:7352
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE102⤵PID:7396
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5103⤵PID:7464
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE103⤵PID:7500
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5104⤵PID:7576
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE104⤵PID:7608
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5105⤵PID:7708
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE105⤵PID:7748
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5106⤵PID:7824
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE106⤵PID:7856
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5107⤵PID:7944
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE107⤵PID:7976
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5108⤵PID:8052
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE108⤵PID:8096
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5109⤵PID:8184
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE109⤵PID:6668
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5110⤵PID:7412
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE110⤵PID:7376
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5111⤵PID:7620
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE111⤵PID:7584
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5112⤵PID:7868
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE112⤵PID:7840
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5113⤵PID:8112
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE113⤵PID:8052
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5114⤵PID:7540
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE114⤵PID:7580
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5115⤵PID:7808
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE115⤵PID:7856
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5116⤵PID:7384
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE116⤵PID:8084
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5117⤵PID:8196
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE117⤵PID:8232
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5118⤵PID:8340
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE118⤵PID:8380
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5119⤵PID:8468
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE119⤵PID:8504
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5120⤵PID:8604
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE120⤵PID:8636
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5121⤵PID:8736
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE121⤵PID:8772
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5122⤵PID:8852