123f132125a7ad09ec4425cda1abdd53f13a81edcf898ae20aae6cc437c81610

Analysis

max time kernel
10s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
Size

1.4MB
MD5

fc21bca4422d199799a4dacded4ae2e6
SHA1

433a7fd02275508538d6a77d6a377691943fe98b
SHA256

123f132125a7ad09ec4425cda1abdd53f13a81edcf898ae20aae6cc437c81610
SHA512

282a5d2183f00a7904ef240187426d6812a52fdbc5c7eb74dc3ae6bf9e05c489978471ae57ab067263b795128612c1ffe836dfdd2e293307647d8eb2b5932edb
SSDEEP

24576:bitK0LJ2Jiw+EAGXeniVKsg9khYCSeJdxR3RqwnjRNPCDXusLBiYXQgQ:bitKwJ2JiwBAGXhVbOQjJd7hxLC7tViX

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 17 IoCs

Processes:

XP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXE

pid	process
3564	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2120	XP-FEBFA1C7.EXE
1620	XP-FEBFA1C7.EXE
4064	XP-FEBFA1C7.EXE
4768	XP-FEBFA1C7.EXE
3140	XP-FEBFA1C7.EXE
1696	XP-FEBFA1C7.EXE
3332	XP-FEBFA1C7.EXE
3788	XP-FEBFA1C7.EXE
2420	XP-FEBFA1C7.EXE

Loads dropped DLL 64 IoCs

Processes:

fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXE

pid	process
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2120	XP-FEBFA1C7.EXE

Writes to the Master Boot Record (MBR) 1 TTPs 17 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

XP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEfc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXE

description	ioc	process
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE
File opened for modification	\??\PhysicalDrive0	XP-FEBFA1C7.EXE

Drops file in System32 directory 2 IoCs

Processes:

fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\XP-FEBFA1C7.EXE	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\XP-FEBFA1C7.EXE	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe

Suspicious behavior: AddClipboardFormatListener 13 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

pid	process
2936	explorer.exe
3344	explorer.exe
4208	explorer.exe
4836	explorer.exe
1232	explorer.exe
3000	explorer.exe
1716	explorer.exe
4152	explorer.exe
884	explorer.exe
1572	explorer.exe
4000	explorer.exe
812	explorer.exe
2052	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEexplorer.exeXP-FEBFA1C7.EXEexplorer.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEexplorer.exeexplorer.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEexplorer.exeXP-FEBFA1C7.EXEexplorer.exe

pid	process
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
3564	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
540	XP-FEBFA1C7.EXE
3344	explorer.exe
3344	explorer.exe
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
3724	XP-FEBFA1C7.EXE
2936	explorer.exe
2936	explorer.exe
3724	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
3608	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
5104	XP-FEBFA1C7.EXE
4208	explorer.exe
4208	explorer.exe
4836	explorer.exe
4836	explorer.exe
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4740	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
4992	XP-FEBFA1C7.EXE
1232	explorer.exe
1232	explorer.exe
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
2928	XP-FEBFA1C7.EXE
3000	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exeXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXEXP-FEBFA1C7.EXE

description	pid	process	target process
PID 2944 wrote to memory of 3248	2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe	explorer.exe
PID 2944 wrote to memory of 3248	2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe	explorer.exe
PID 2944 wrote to memory of 3248	2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe	explorer.exe
PID 2944 wrote to memory of 3564	2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe	XP-FEBFA1C7.EXE
PID 2944 wrote to memory of 3564	2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe	XP-FEBFA1C7.EXE
PID 2944 wrote to memory of 3564	2944	fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe	XP-FEBFA1C7.EXE
PID 3564 wrote to memory of 4968	3564	XP-FEBFA1C7.EXE	explorer.exe
PID 3564 wrote to memory of 4968	3564	XP-FEBFA1C7.EXE	explorer.exe
PID 3564 wrote to memory of 4968	3564	XP-FEBFA1C7.EXE	explorer.exe
PID 3564 wrote to memory of 540	3564	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3564 wrote to memory of 540	3564	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3564 wrote to memory of 540	3564	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 540 wrote to memory of 3224	540	XP-FEBFA1C7.EXE	explorer.exe
PID 540 wrote to memory of 3224	540	XP-FEBFA1C7.EXE	explorer.exe
PID 540 wrote to memory of 3224	540	XP-FEBFA1C7.EXE	explorer.exe
PID 540 wrote to memory of 3724	540	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 540 wrote to memory of 3724	540	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 540 wrote to memory of 3724	540	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3724 wrote to memory of 4736	3724	XP-FEBFA1C7.EXE	explorer.exe
PID 3724 wrote to memory of 4736	3724	XP-FEBFA1C7.EXE	explorer.exe
PID 3724 wrote to memory of 4736	3724	XP-FEBFA1C7.EXE	explorer.exe
PID 3724 wrote to memory of 3608	3724	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3724 wrote to memory of 3608	3724	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3724 wrote to memory of 3608	3724	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3608 wrote to memory of 4492	3608	XP-FEBFA1C7.EXE	explorer.exe
PID 3608 wrote to memory of 4492	3608	XP-FEBFA1C7.EXE	explorer.exe
PID 3608 wrote to memory of 4492	3608	XP-FEBFA1C7.EXE	explorer.exe
PID 3608 wrote to memory of 5104	3608	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3608 wrote to memory of 5104	3608	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 3608 wrote to memory of 5104	3608	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 5104 wrote to memory of 1888	5104	XP-FEBFA1C7.EXE	explorer.exe
PID 5104 wrote to memory of 1888	5104	XP-FEBFA1C7.EXE	explorer.exe
PID 5104 wrote to memory of 1888	5104	XP-FEBFA1C7.EXE	explorer.exe
PID 5104 wrote to memory of 4740	5104	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 5104 wrote to memory of 4740	5104	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 5104 wrote to memory of 4740	5104	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 4740 wrote to memory of 4724	4740	XP-FEBFA1C7.EXE	explorer.exe
PID 4740 wrote to memory of 4724	4740	XP-FEBFA1C7.EXE	explorer.exe
PID 4740 wrote to memory of 4724	4740	XP-FEBFA1C7.EXE	explorer.exe
PID 4740 wrote to memory of 4992	4740	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 4740 wrote to memory of 4992	4740	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 4740 wrote to memory of 4992	4740	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 4992 wrote to memory of 2184	4992	XP-FEBFA1C7.EXE	explorer.exe
PID 4992 wrote to memory of 2184	4992	XP-FEBFA1C7.EXE	explorer.exe
PID 4992 wrote to memory of 2184	4992	XP-FEBFA1C7.EXE	explorer.exe
PID 4992 wrote to memory of 2928	4992	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 4992 wrote to memory of 2928	4992	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 4992 wrote to memory of 2928	4992	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 2928 wrote to memory of 3192	2928	XP-FEBFA1C7.EXE	explorer.exe
PID 2928 wrote to memory of 3192	2928	XP-FEBFA1C7.EXE	explorer.exe
PID 2928 wrote to memory of 3192	2928	XP-FEBFA1C7.EXE	explorer.exe
PID 2928 wrote to memory of 2120	2928	XP-FEBFA1C7.EXE	explorer.exe
PID 2928 wrote to memory of 2120	2928	XP-FEBFA1C7.EXE	explorer.exe
PID 2928 wrote to memory of 2120	2928	XP-FEBFA1C7.EXE	explorer.exe
PID 2120 wrote to memory of 3540	2120	XP-FEBFA1C7.EXE	explorer.exe
PID 2120 wrote to memory of 3540	2120	XP-FEBFA1C7.EXE	explorer.exe
PID 2120 wrote to memory of 3540	2120	XP-FEBFA1C7.EXE	explorer.exe
PID 2120 wrote to memory of 1620	2120	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 2120 wrote to memory of 1620	2120	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 2120 wrote to memory of 1620	2120	XP-FEBFA1C7.EXE	XP-FEBFA1C7.EXE
PID 1620 wrote to memory of 3736	1620	XP-FEBFA1C7.EXE	explorer.exe
PID 1620 wrote to memory of 3736	1620	XP-FEBFA1C7.EXE	explorer.exe
PID 1620 wrote to memory of 3736	1620	XP-FEBFA1C7.EXE	explorer.exe
PID 1620 wrote to memory of 4064	1620	XP-FEBFA1C7.EXE	explorer.exe

C:\Users\Admin\AppData\Local\Temp\fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2944

C:\Windows\SysWOW64\explorer.exe
explorer C:\Users\Admin\AppData\Local\Temp\fc21bca4422d199799a4dacded4ae2e6_JaffaCakes118
2⤵
PID:3248

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
3⤵
PID:4968

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
4⤵
PID:3224

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3724

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
5⤵
PID:4736

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
6⤵
PID:4492

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
7⤵
PID:1888

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
8⤵
PID:4724

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
9⤵
PID:2184

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
10⤵
PID:3192

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
11⤵
PID:3540

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
11⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
12⤵
PID:3736

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
12⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4064

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
13⤵
PID:1080

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
13⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4768

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
14⤵
PID:3352

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
14⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3140

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
15⤵
PID:1496

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
15⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:1696

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
16⤵
PID:2704

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
16⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3332

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
17⤵
PID:1148

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
17⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3788

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
18⤵
PID:3564

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
18⤵
- Executes dropped EXE
PID:2420

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
19⤵
PID:1976

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
19⤵
PID:4980

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
20⤵
PID:4064

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
20⤵
PID:5184

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
21⤵
PID:5304

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
21⤵
PID:5372

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
22⤵
PID:5476

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
22⤵
PID:5520

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
23⤵
PID:5664

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
23⤵
PID:5720

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
24⤵
PID:5828

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
24⤵
PID:5896

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
25⤵
PID:5992

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
25⤵
PID:6056

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
26⤵
PID:3084

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
26⤵
PID:2604

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
27⤵
PID:5420

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
27⤵
PID:4748

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
28⤵
PID:5688

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
28⤵
PID:5852

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
29⤵
PID:6072

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
29⤵
PID:4112

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
30⤵
PID:4976

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
30⤵
PID:5724

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
31⤵
PID:5936

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
31⤵
PID:6108

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
32⤵
PID:5156

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
32⤵
PID:6072

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
33⤵
PID:5652

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
33⤵
PID:5420

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
34⤵
PID:6176

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
34⤵
PID:6240

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
35⤵
PID:6356

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
35⤵
PID:6424

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
36⤵
PID:6516

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
36⤵
PID:6608

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
37⤵
PID:6752

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
37⤵
PID:6808

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
38⤵
PID:6948

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
38⤵
PID:6992

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
39⤵
PID:7136

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
39⤵
PID:6216

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
40⤵
PID:6228

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
40⤵
PID:5664

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
41⤵
PID:6744

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
41⤵
PID:6856

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
42⤵
PID:6512

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
42⤵
PID:7040

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
43⤵
PID:6948

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
43⤵
PID:6608

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
44⤵
PID:5140

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
44⤵
PID:6516

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
45⤵
PID:3680

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
45⤵
PID:6476

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
46⤵
PID:6280

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
46⤵
PID:6736

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
47⤵
PID:7104

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
47⤵
PID:6240

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
48⤵
PID:6264

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
48⤵
PID:6956

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
49⤵
PID:7244

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
49⤵
PID:7344

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
50⤵
PID:7508

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
50⤵
PID:7592

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
51⤵
PID:7736

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
51⤵
PID:7856

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
52⤵
PID:8004

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
52⤵
PID:8056

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
53⤵
PID:8156

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
53⤵
PID:6500

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
54⤵
PID:7424

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
54⤵
PID:7244

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
55⤵
PID:7892

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
55⤵
PID:7828

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
56⤵
PID:8016

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
56⤵
PID:7644

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
57⤵
PID:7932

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
57⤵
PID:6956

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
58⤵
PID:6280

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
58⤵
PID:1800

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
59⤵
PID:2200

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
59⤵
PID:7476

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
60⤵
PID:8148

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
60⤵
PID:7244

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
61⤵
PID:8308

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
61⤵
PID:8384

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
62⤵
PID:8476

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
62⤵
PID:8572

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
63⤵
PID:8672

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
63⤵
PID:8756

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
64⤵
PID:8860

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
64⤵
PID:8928

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
65⤵
PID:9060

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
65⤵
PID:9152

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
66⤵
PID:8244

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
66⤵
PID:8380

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
67⤵
PID:7740

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
67⤵
PID:8360

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
68⤵
PID:8500

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
68⤵
PID:8952

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
69⤵
PID:3776

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
69⤵
PID:8632

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
70⤵
PID:8852

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
70⤵
PID:8780

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
71⤵
PID:9136

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
71⤵
PID:8724

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
72⤵
PID:5600

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
72⤵
PID:8956

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
73⤵
PID:7900

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
73⤵
PID:7784

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
74⤵
PID:400

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
74⤵
PID:8652

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
75⤵
PID:8880

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
75⤵
PID:8964

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
76⤵
PID:5684

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
76⤵
PID:9164

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
77⤵
PID:7900

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
77⤵
PID:5804

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
78⤵
PID:8360

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
78⤵
PID:8216

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
79⤵
PID:7900

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
79⤵
PID:9272

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
80⤵
PID:9440

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
80⤵
PID:9508

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
81⤵
PID:9636

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
81⤵
PID:9684

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
82⤵
PID:9796

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
82⤵
PID:9832

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
83⤵
PID:9936

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
83⤵
PID:10000

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
84⤵
PID:10108

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
84⤵
PID:10172

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
85⤵
PID:6296

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
85⤵
PID:6584

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
86⤵
PID:9268

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
86⤵
PID:9628

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
87⤵
PID:5316

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
87⤵
PID:9676

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
88⤵
PID:10060

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
88⤵
PID:9540

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
89⤵
PID:10112

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
89⤵
PID:8956

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
90⤵
PID:9304

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
90⤵
PID:10000

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
91⤵
PID:9796

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
91⤵
PID:9348

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
92⤵
PID:8904

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
92⤵
PID:9648

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
93⤵
PID:9428

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
93⤵
PID:10200

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
94⤵
PID:4628

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
94⤵
PID:9672

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
95⤵
PID:6308

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
95⤵
PID:9756

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
96⤵
PID:8964

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
96⤵
PID:7792

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
97⤵
PID:5020

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
97⤵
PID:4636

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
98⤵
PID:1684

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
98⤵
PID:4184

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
99⤵
PID:10380

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
99⤵
PID:10428

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
100⤵
PID:10580

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
100⤵
PID:10672

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
101⤵
PID:10804

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
101⤵
PID:10856

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
102⤵
PID:10948

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
102⤵
PID:11004

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
103⤵
PID:11128

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
103⤵
PID:11196

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
104⤵
PID:10312

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
104⤵
PID:7952

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
105⤵
PID:8532

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
105⤵
PID:8344

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
106⤵
PID:10652

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
106⤵
PID:10372

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
107⤵
PID:2472

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
107⤵
PID:11080

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
108⤵
PID:10948

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
108⤵
PID:10920

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
109⤵
PID:9756

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
109⤵
PID:1620

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
110⤵
PID:10256

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
110⤵
PID:9676

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
111⤵
PID:11132

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
111⤵
PID:8344

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
112⤵
PID:2024

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
112⤵
PID:7836

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
113⤵
PID:8756

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
113⤵
PID:9088

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
114⤵
PID:11116

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
114⤵
PID:11224

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
115⤵
PID:8364

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
115⤵
PID:11240

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
116⤵
PID:11068

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
116⤵
PID:10512

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
117⤵
PID:11304

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
117⤵
PID:11368

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
118⤵
PID:11472

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
118⤵
PID:11552

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
119⤵
PID:11672

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
119⤵
PID:11716

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
120⤵
PID:11836

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
120⤵
PID:11912

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
121⤵
PID:12032

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
121⤵
PID:12100

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
122⤵
PID:12204

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
122⤵
PID:12268

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
123⤵
PID:11348

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
123⤵
PID:11224

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
124⤵
PID:10252

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
124⤵
PID:11748

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
125⤵
PID:11892

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
125⤵
PID:6756

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
126⤵
PID:11632

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
126⤵
PID:12252

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
127⤵
PID:12032

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
127⤵
PID:2216

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
128⤵
PID:10128

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
128⤵
PID:4464

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
129⤵
PID:12168

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
129⤵
PID:12272

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
130⤵
PID:8088

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
130⤵
PID:11892

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
131⤵
PID:11848

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
131⤵
PID:11768

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
132⤵
PID:4404

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
132⤵
PID:6652

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
133⤵
PID:1980

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
133⤵
PID:1544

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
134⤵
PID:8240

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
134⤵
PID:12192

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
135⤵
PID:11340

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
135⤵
PID:8984

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
136⤵
PID:7344

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
136⤵
PID:10288

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
137⤵
PID:11816

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
137⤵
PID:11340

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
138⤵
PID:11260

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
138⤵
PID:3196

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
139⤵
PID:8492

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
139⤵
PID:12300

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
140⤵
PID:12436

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
140⤵
PID:12524

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
141⤵
PID:12628

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
141⤵
PID:12680

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
142⤵
PID:12804

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
142⤵
PID:12876

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
143⤵
PID:12980

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
143⤵
PID:13052

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
144⤵
PID:13224

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
144⤵
PID:13288

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
145⤵
PID:11076

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
145⤵
PID:11444

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
146⤵
PID:12444

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
146⤵
PID:10400

C:\Windows\SysWOW64\explorer.exe
explorer C:\Windows\SysWOW64\XP-FEBFA1C7
147⤵
PID:9108

C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
C:\Windows\system32\XP-FEBFA1C7.EXE
147⤵
PID:12920

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3344

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1716

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:1572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:4000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
PID:2052

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:3568

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4032

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:2812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2120

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:3140

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5196

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5388

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5904

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6064

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2420

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5276

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5124

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5408

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5412

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6824

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7000

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5992

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6872

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6484

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6536

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6752

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2416

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6556

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5828

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7368

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7604

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7668

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7276

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7856

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7268

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8200

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8392

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8584

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8792

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8056

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8328

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8728

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8800

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7780

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8916

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7816

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8932

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6844

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9516

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9696

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9876

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9356

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9624

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9652

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9500

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9996

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9452

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9976

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7944

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4180

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7304

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5176

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10268

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10448

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10864

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7832

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:2072

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4184

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11148

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10620

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6308

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5940

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9756

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5736

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:8344

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9496

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11388

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11564

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11760

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11924

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12092

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12280

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:10720

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12044

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11572

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11480

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9684

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:6836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1380

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9544

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4324

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11540

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:9028

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4900

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11748

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11204

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12292

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12532

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12688

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:12884

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:13068

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:13296

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:11152

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7980

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:12340

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E_4\RegEx.fnr
Filesize
212KB

MD5
895dd12a54a923789f8f1d8b66bd88e9

SHA1
7d2ce84efc2498bf086f58160f86be3a80c6c405

SHA256
9a03c58c57efd52ff82e083c65ba40b010fedcbe1bf517c66da9c010c7628035

SHA512
31d5b12d524fa7b9bf7a2a518a72509e549aad18c0c0e01deb7b0044b7dd65dfc5fcaebcd552a849e442cccf622eda5e44ef46b9b7e9328618016210e3c80848

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\com.run
Filesize
264KB

MD5
95ebaae66a69f881f2fa08c71952ce72

SHA1
9e9d41fcfee90e1dc6625245a5ce36bcf2d76c90

SHA256
c5d2384cf2f17820430b1ed6ee0ea825bce5ada497f7c0784a9c4933ad9a1bc1

SHA512
66deab517f99683a5f7e01ba4b8258eed3a309f7e88226d7dffd629558b34064d0c7eda99cc64c0c96d030e67e9af79bd5e98899b6f1bb52a14dd02160550f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\dp1.fne
Filesize
112KB

MD5
c57939798d01772689b016fcf3eae47e

SHA1
ce5a58f240a9c559a65afb3542f9b466549cc4ce

SHA256
e8f8a0dd4e2a64ec93f4f69ff2e1e10779814875f7fc82c8d0778213d8ab830e

SHA512
6c568a020777aced750927171ef945552e368aac140e6ebb3ffee41fa4719fd368ec37b055db43883491dcd24e56eb0efd2bf3fe3a265057bf479b61253af3a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\eAPI.fne
Filesize
316KB

MD5
c23c63a788d8ca38d955f5baebef719f

SHA1
44a48309e17d85d5bfdd3dc1df7cfa2d4368a219

SHA256
3c10310e4d7bf84bf54ed60feca7016c9a4c0d39f934bc4b6f8d7a47fd0875c4

SHA512
497a3bb56dcca1540eb2e6f5cd2c4f6ddd7883af578d757f92d08a13e1703af8b0fb67e77775647fd20e7754c6c981dd0136b2203305acdbbd76a4e07a718a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\internet.fne
Filesize
180KB

MD5
b0c160001c8e88f403bf03af1059bd38

SHA1
098acfa81475e684e2e9eda4b706472166b00b43

SHA256
888db1c9c5f564dbead3ea204b3faf771d87d76d9a01607d30d15bab4854d5e3

SHA512
5f0927f375515dd15256c5ee5890a8c20f41f2037a0033886ec4344b39e3c1aa67c1c68d028a04bda0833fb4d6b6f9729e7d1d1e9b6953e609c5b126a982cc86

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\krnln.fnr
Filesize
1.0MB

MD5
38dccb9d4114a3c2dd0003f6233bac77

SHA1
2445a1f9b6f8ecc73f361e65d6950f2feecad0b5

SHA256
f299b9bcee69b693723bf971bcd23ec948ccc7d6d202d7c2466cc9c0a3af4429

SHA512
66ca9f2d6e16d64eadbd54ecfe4edef490ec704e9d6854c4ebbe1eb2adf2d8f943fbd1fbb66853afb0945df0861e3d0947a12d466b7fdada191959a06d2a4e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\shell.fne
Filesize
40KB

MD5
c8208124af35856e0eba72d33620799b

SHA1
865140d1c6335158224e0ed3532c98b51c43c57a

SHA256
a086913320e410392db05bf6cf42340c8a2d93537e2e67f0fd41af9c6b086b1a

SHA512
c97f36443d0ee470bc407fef503e861aa69bcb1d00bc1abc4a1f9bc23a892c54db68385a882cf891f9f03f481537fa13428224f241f769645c67a145992a0eaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\E_4\spec.fne
Filesize
72KB

MD5
600e6bb9bdbd8f2f19e123d8e5300718

SHA1
52a657a1b4a64e27e325d528f79775d8faafcb7d

SHA256
3804522b131463c597d91ac5e68327297fd69ba4e41cf9d5d9b38bcd0b28bdc1

SHA512
9a88b1c10125deff65f8097b3098222e116eaeb83bbe70b7106d42e0d9a9b155031e9979e1998a2114428fecbc57e115f09df023030c3690e2a97fe3e82a8f90

Download Submit
C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
Filesize
1.4MB

MD5
fc21bca4422d199799a4dacded4ae2e6

SHA1
433a7fd02275508538d6a77d6a377691943fe98b

SHA256
123f132125a7ad09ec4425cda1abdd53f13a81edcf898ae20aae6cc437c81610

SHA512
282a5d2183f00a7904ef240187426d6812a52fdbc5c7eb74dc3ae6bf9e05c489978471ae57ab067263b795128612c1ffe836dfdd2e293307647d8eb2b5932edb

Download Submit
memory/540-145-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/540-75-0x0000000002140000-0x000000000218B000-memory.dmp

Filesize
300KB

Download
memory/540-62-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/540-81-0x0000000002410000-0x0000000002421000-memory.dmp

Filesize
68KB

Download
memory/540-80-0x00000000023F0000-0x000000000240E000-memory.dmp

Filesize
120KB

Download
memory/540-72-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/540-140-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2120-183-0x00000000021D0000-0x000000000221B000-memory.dmp

Filesize
300KB

Download
memory/2120-180-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2120-184-0x00000000026F0000-0x000000000270E000-memory.dmp

Filesize
120KB

Download
memory/2120-185-0x0000000002730000-0x0000000002741000-memory.dmp

Filesize
68KB

Download
memory/2928-173-0x0000000002880000-0x000000000289E000-memory.dmp

Filesize
120KB

Download
memory/2928-170-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2928-175-0x0000000002F80000-0x0000000002F91000-memory.dmp

Filesize
68KB

Download
memory/2928-169-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2928-171-0x00000000022E0000-0x000000000232B000-memory.dmp

Filesize
300KB

Download
memory/2944-124-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2944-29-0x0000000002A40000-0x0000000002A5E000-memory.dmp

Filesize
120KB

Download
memory/2944-30-0x0000000002A60000-0x0000000002A71000-memory.dmp

Filesize
68KB

Download
memory/2944-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2944-18-0x00000000024F0000-0x000000000253B000-memory.dmp

Filesize
300KB

Download
memory/2944-10-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/2944-125-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3564-60-0x0000000002820000-0x0000000002831000-memory.dmp

Filesize
68KB

Download
memory/3564-139-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3564-51-0x0000000002320000-0x000000000236B000-memory.dmp

Filesize
300KB

Download
memory/3564-59-0x0000000002800000-0x000000000281E000-memory.dmp

Filesize
120KB

Download
memory/3564-138-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3564-46-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3564-47-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3564-52-0x0000000002320000-0x000000000236B000-memory.dmp

Filesize
300KB

Download
memory/3608-122-0x0000000002660000-0x000000000267E000-memory.dmp

Filesize
120KB

Download
memory/3608-116-0x0000000002110000-0x000000000215B000-memory.dmp

Filesize
300KB

Download
memory/3608-162-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3608-121-0x0000000002110000-0x000000000215B000-memory.dmp

Filesize
300KB

Download
memory/3608-113-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3608-103-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3608-164-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3608-123-0x0000000003080000-0x0000000003091000-memory.dmp

Filesize
68KB

Download
memory/3724-101-0x0000000003080000-0x0000000003091000-memory.dmp

Filesize
68KB

Download
memory/3724-92-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3724-95-0x0000000000680000-0x00000000006CB000-memory.dmp

Filesize
300KB

Download
memory/3724-152-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3724-153-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/3724-100-0x0000000002900000-0x000000000291E000-memory.dmp

Filesize
120KB

Download
memory/4740-148-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/4740-181-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4740-151-0x0000000002830000-0x0000000002841000-memory.dmp

Filesize
68KB

Download
memory/4740-150-0x0000000002810000-0x000000000282E000-memory.dmp

Filesize
120KB

Download
memory/4740-149-0x0000000002120000-0x000000000216B000-memory.dmp

Filesize
300KB

Download
memory/4740-147-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/4740-141-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4740-182-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4992-158-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/4992-163-0x0000000002490000-0x00000000024A1000-memory.dmp

Filesize
68KB

Download
memory/4992-161-0x0000000002470000-0x000000000248E000-memory.dmp

Filesize
120KB

Download
memory/4992-160-0x0000000001F90000-0x0000000001FDB000-memory.dmp

Filesize
300KB

Download
memory/4992-159-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/5104-172-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5104-174-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download
memory/5104-137-0x0000000003060000-0x0000000003071000-memory.dmp

Filesize
68KB

Download
memory/5104-136-0x0000000002F40000-0x0000000002F5E000-memory.dmp

Filesize
120KB

Download
memory/5104-135-0x0000000002340000-0x000000000238B000-memory.dmp

Filesize
300KB

Download
memory/5104-134-0x0000000010000000-0x000000001011C000-memory.dmp

Filesize
1.1MB

Download