Analysis
-
max time kernel
6s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
16/10/2024, 22:47
Static task
static1
Behavioral task
behavioral1
Sample
4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
-
Size
1.5MB
-
MD5
4f7036c4e9f9908a8236e7d6b375cd5b
-
SHA1
04763a9de555b49e6395402045bab7f65cf31e26
-
SHA256
ddb527fa24d05933be035b41451bff51537281ba5d014c1c1fbe98d82bd40da9
-
SHA512
7dfa4356abc0639daf96be7893d071e97e1220117e0a42eab3406f789aafa03af653dc0d758fd26c5cc0fe9b2b9df18784625ae1a4d1f79a802ca5747fc547d2
-
SSDEEP
24576:LRTtK4q3GZVHdl6BAiQ9DXaBNKBKlSY3BhC9zK1bcUiN36KLA4iKqdsveHM:LB9q3GZVH3YQ6jfvuK1YUicKk9+ves
Malware Config
Signatures
-
Executes dropped EXE 9 IoCs
pid   Process
3896  E37CC5.EXE
2660  E37CC5.EXE
3020  E37CC5.EXE
3804  E37CC5.EXE
3088  E37CC5.EXE
2976  E37CC5.EXE
2312  E37CC5.EXE
4196  E37CC5.EXE
660   E37CC5.EXE
-
Loads dropped DLL 64 IoCs
Writes to the Master Boot Record (MBR) 1 TTPs 10 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                   ioc                 Process
File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
File opened for modification  \??\PhysicalDrive0  4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
File opened for modification  \??\PhysicalDrive0  E37CC5.EXE
-
Drops file in System32 directory 5 IoCs
description                   ioc                                    Process
File opened for modification  C:\Windows\SysWOW64\ADE119\E37CC5.EXE  4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\ADE119             4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\9E3B3C             4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
File opened for modification  C:\Windows\SysWOW64\C021A2             4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
File created                  C:\Windows\SysWOW64\ADE119\E37CC5.EXE  4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe
-
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 4 IoCs
pid   Process
5100  explorer.exe
1836  explorer.exe
4664  explorer.exe
2148  explorer.exe
-
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 57 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\explorer.exe explorer C:\Users\Admin\AppData\Local\Temp\4f7036c4e9f9908a8236e7d6b375cd5b_JaffaCakes118 2⤵
- System Location Discovery: System Language Discovery
PID:3952
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC53⤵
- System Location Discovery: System Language Discovery
PID:752
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC54⤵
- System Location Discovery: System Language Discovery
PID:2516
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC55⤵
- System Location Discovery: System Language Discovery
PID:1588
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3804 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC56⤵
- System Location Discovery: System Language Discovery
PID:224
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC57⤵
- System Location Discovery: System Language Discovery
PID:4976
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC58⤵
- System Location Discovery: System Language Discovery
PID:1788
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC59⤵
- System Location Discovery: System Language Discovery
PID:1628
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE9⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4196 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC510⤵
- System Location Discovery: System Language Discovery
PID:4980
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE10⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC511⤵PID:1332
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE11⤵PID:1380
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC512⤵PID:2516
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE12⤵PID:4848
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC513⤵PID:4420
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE13⤵PID:2988
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC514⤵PID:4976
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE14⤵PID:4268
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC515⤵PID:4884
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE15⤵PID:2068
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC516⤵PID:1332
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE16⤵PID:3328
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC517⤵PID:3632
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE17⤵PID:2812
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC518⤵PID:5116
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE18⤵PID:4984
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC519⤵PID:3592
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE19⤵PID:4976
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC520⤵PID:5048
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE20⤵PID:3500
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC521⤵PID:1040
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE21⤵PID:4100
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC522⤵PID:5184
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE22⤵PID:5248
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC523⤵PID:5352
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE23⤵PID:5412
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC524⤵PID:5516
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE24⤵PID:5568
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC525⤵PID:5676
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE25⤵PID:5728
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC526⤵PID:5852
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE26⤵PID:5908
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC527⤵PID:6008
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE27⤵PID:6072
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC528⤵PID:5196
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE28⤵PID:5280
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC529⤵PID:1248
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE29⤵PID:5588
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC530⤵PID:5780
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE30⤵PID:5872
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC531⤵PID:5896
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE31⤵PID:5584
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC532⤵PID:6040
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE32⤵PID:4276
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC533⤵PID:5180
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE33⤵PID:5712
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC534⤵PID:5232
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE34⤵PID:5128
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC535⤵PID:5840
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE35⤵PID:5484
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC536⤵PID:6252
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE36⤵PID:6332
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC537⤵PID:6428
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE37⤵PID:6500
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC538⤵PID:6604
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE38⤵PID:6668
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC539⤵PID:6784
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE39⤵PID:6840
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC540⤵PID:6956
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE40⤵PID:7012
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC541⤵PID:7140
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE41⤵PID:5644
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC542⤵PID:6360
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE42⤵PID:6480
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC543⤵PID:6688
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE43⤵PID:6732
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC544⤵PID:6424
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE44⤵PID:6820
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC545⤵PID:1120
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE45⤵PID:2528
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC546⤵PID:7112
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE46⤵PID:1668
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC547⤵PID:6880
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE47⤵PID:7008
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC548⤵PID:6300
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE48⤵PID:6536
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC549⤵PID:6844
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE49⤵PID:6876
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC550⤵PID:2748
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE50⤵PID:7140
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC551⤵PID:6024
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE51⤵PID:6860
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC552⤵PID:6292
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE52⤵PID:6880
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC553⤵PID:6652
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE53⤵PID:4240
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC554⤵PID:7228
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE54⤵PID:7296
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC555⤵PID:7420
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE55⤵PID:7460
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC556⤵PID:7572
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE56⤵PID:7620
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC557⤵PID:7724
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE57⤵PID:7768
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC558⤵PID:7864
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE58⤵PID:7916
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC559⤵PID:8024
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE59⤵PID:8084
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC560⤵PID:8180
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE60⤵PID:6844
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC561⤵PID:7348
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE61⤵PID:6880
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC562⤵PID:7432
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE62⤵PID:7644
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC563⤵PID:7784
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE63⤵PID:7460
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC564⤵PID:7892
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE64⤵PID:7856
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC565⤵PID:7952
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE65⤵PID:8184
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC566⤵PID:6696
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE66⤵PID:7612
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC567⤵PID:5756
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE67⤵PID:1180
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC568⤵PID:7552
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE68⤵PID:5824
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC569⤵PID:5784
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE69⤵PID:8076
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC570⤵PID:1176
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE70⤵PID:7212
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC571⤵PID:1908
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE71⤵PID:7912
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC572⤵PID:6464
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE72⤵PID:4404
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC573⤵PID:6264
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE73⤵PID:7936
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC574⤵PID:1152
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE74⤵PID:2760
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC575⤵PID:6916
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE75⤵PID:8096
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC576⤵PID:8268
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE76⤵PID:8320
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC577⤵PID:8432
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE77⤵PID:8524
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC578⤵PID:8640
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE78⤵PID:8668
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC579⤵PID:8768
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE79⤵PID:8804
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC580⤵PID:8928
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE80⤵PID:8980
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC581⤵PID:9104
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE81⤵PID:9172
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC582⤵PID:6864
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE82⤵PID:1152
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC583⤵PID:6432
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE83⤵PID:8728
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC584⤵PID:8616
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE84⤵PID:8784
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC585⤵PID:8944
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE85⤵PID:8908
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC586⤵PID:6112
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE86⤵PID:6864
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC587⤵PID:9176
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE87⤵PID:456
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC588⤵PID:8616
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE88⤵PID:8608
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC589⤵PID:8672
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE89⤵PID:3932
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC590⤵PID:9212
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE90⤵PID:8936
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC591⤵PID:6112
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE91⤵PID:5680
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC592⤵PID:7336
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE92⤵PID:5116
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC593⤵PID:5352
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE93⤵PID:456
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC594⤵PID:9296
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE94⤵PID:9328
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC595⤵PID:9464
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE95⤵PID:9492
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC596⤵PID:9640
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE96⤵PID:9684
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC597⤵PID:9768
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE97⤵PID:9816
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC598⤵PID:9920
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE98⤵PID:9968
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC599⤵PID:10096
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE99⤵PID:10152
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5100⤵PID:9220
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE100⤵PID:5680
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5101⤵PID:5664
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE101⤵PID:2608
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5102⤵PID:9672
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE102⤵PID:9788
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5103⤵PID:9956
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE103⤵PID:10184
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5104⤵PID:9224
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE104⤵PID:10220
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5105⤵PID:9848
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE105⤵PID:8048
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5106⤵PID:9672
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE106⤵PID:9052
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5107⤵PID:5856
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE107⤵PID:7964
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5108⤵PID:6412
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE108⤵PID:9048
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5109⤵PID:9296
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE109⤵PID:8752
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5110⤵PID:7480
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE110⤵PID:9812
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5111⤵PID:5400
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE111⤵PID:428
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5112⤵PID:10312
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE112⤵PID:10352
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5113⤵PID:10500
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE113⤵PID:10552
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5114⤵PID:10708
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE114⤵PID:10736
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5115⤵PID:10844
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE115⤵PID:10896
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5116⤵PID:11004
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE116⤵PID:11032
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5117⤵PID:11120
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE117⤵PID:11164
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5118⤵PID:2732
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE118⤵PID:7032
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5119⤵PID:10364
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE119⤵PID:3620
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5120⤵PID:10684
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE120⤵PID:812
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5121⤵PID:10936
-
-
C:\Windows\SysWOW64\ADE119\E37CC5.EXEC:\Windows\system32\ADE119\E37CC5.EXE121⤵PID:3832
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\ADE119\E37CC5122⤵PID:11016