Analysis
max time kernel: 8s
max time network: 61s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-06-2024 13:47
Static task: static1
Behavioral task: behavioral1
  Sample: 068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: 068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe
Size: 1.5MB
MD5: 068cd7ee76ccad7b61a72b3a4ce93425
SHA1: 7d3057f6dd1b1ab8dd8de4927e75def2af1ad860
SHA256: 2e710d253330193e485d010ab35d2d029f6278d8130a59e4f7aed0653174ffdf
SHA512: 94a0b4174476072e30996b27adc02d25dd01e534777ec0ccb7c2d8d5d8362786bea851b6979135119472a4f185d022df39f021bd6d77e3652a8547f6ec7746cc
SSDEEP: 49152:jEUccAacQw1j8jeqE7/IsQSr8oKf/2s14/P:YoAaNw1IFsBr7KfN8P
Malware Config
Signatures
Executes dropped EXE (13 IoCs)
pid   Process
4624  XP-FEBFA1C7.EXE
2008  XP-FEBFA1C7.EXE
4524  XP-FEBFA1C7.EXE
4796  XP-FEBFA1C7.EXE
1572  XP-FEBFA1C7.EXE
3356  XP-FEBFA1C7.EXE
3428  XP-FEBFA1C7.EXE
2388  XP-FEBFA1C7.EXE
2856  XP-FEBFA1C7.EXE
2792  XP-FEBFA1C7.EXE
2832  XP-FEBFA1C7.EXE
2300  XP-FEBFA1C7.EXE
3128  XP-FEBFA1C7.EXE

Loads dropped DLL (64 IoCs; identical consecutive rows collapsed, count shown)
pid   Process                                              count
4276  068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe   7
4624  XP-FEBFA1C7.EXE                                      7
2008  XP-FEBFA1C7.EXE                                      7
4524  XP-FEBFA1C7.EXE                                      7
4796  XP-FEBFA1C7.EXE                                      7
1572  XP-FEBFA1C7.EXE                                      7
3356  XP-FEBFA1C7.EXE                                      7
3428  XP-FEBFA1C7.EXE                                      7
2388  XP-FEBFA1C7.EXE                                      7
2856  XP-FEBFA1C7.EXE                                      1

Writes to the Master Boot Record (MBR) (1 TTP, 14 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description                    ioc                  Process                                              count
File opened for modification   \??\PhysicalDrive0   XP-FEBFA1C7.EXE                                      9
File opened for modification   \??\PhysicalDrive0   068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe   1
File opened for modification   \??\PhysicalDrive0   XP-FEBFA1C7.EXE                                      4

Drops file in System32 directory (2 IoCs)
description                    ioc                                    Process
File opened for modification   C:\Windows\SysWOW64\XP-FEBFA1C7.EXE   068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe
File created                   C:\Windows\SysWOW64\XP-FEBFA1C7.EXE   068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 
13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 
13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 
13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 
13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe 
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet 
Explorer\Toolbar\ShellBrowser explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) 
\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key created 
\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags explorer.exe Key created 
\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created 
\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (data) 
\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local 
Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 explorer.exe -
Suspicious behavior: AddClipboardFormatListener 7 IoCs
pid Process 2844 explorer.exe 552 explorer.exe 1524 explorer.exe 2320 explorer.exe 704 explorer.exe 5108 explorer.exe 2260 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 4276 068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe 4276 068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe 4276 068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe 4276 068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe 4276 068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe 4276 068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe 4624 XP-FEBFA1C7.EXE 4624 XP-FEBFA1C7.EXE 4624 XP-FEBFA1C7.EXE 4624 XP-FEBFA1C7.EXE 4624 XP-FEBFA1C7.EXE 4624 XP-FEBFA1C7.EXE 2008 XP-FEBFA1C7.EXE 2008 XP-FEBFA1C7.EXE 2008 XP-FEBFA1C7.EXE 2008 XP-FEBFA1C7.EXE 2008 XP-FEBFA1C7.EXE 2008 XP-FEBFA1C7.EXE 2844 explorer.exe 2844 explorer.exe 4524 XP-FEBFA1C7.EXE 4524 XP-FEBFA1C7.EXE 4524 XP-FEBFA1C7.EXE 4524 XP-FEBFA1C7.EXE 4524 XP-FEBFA1C7.EXE 4524 XP-FEBFA1C7.EXE 552 explorer.exe 552 explorer.exe 4796 XP-FEBFA1C7.EXE 4796 XP-FEBFA1C7.EXE 4796 XP-FEBFA1C7.EXE 1524 explorer.exe 4796 XP-FEBFA1C7.EXE 1524 explorer.exe 4796 XP-FEBFA1C7.EXE 4796 XP-FEBFA1C7.EXE 1572 XP-FEBFA1C7.EXE 1572 XP-FEBFA1C7.EXE 1572 XP-FEBFA1C7.EXE 1572 XP-FEBFA1C7.EXE 1572 XP-FEBFA1C7.EXE 1572 XP-FEBFA1C7.EXE 3356 XP-FEBFA1C7.EXE 3356 XP-FEBFA1C7.EXE 3356 XP-FEBFA1C7.EXE 3356 XP-FEBFA1C7.EXE 3356 XP-FEBFA1C7.EXE 3356 XP-FEBFA1C7.EXE 2320 explorer.exe 2320 explorer.exe 3428 XP-FEBFA1C7.EXE 3428 XP-FEBFA1C7.EXE 3428 XP-FEBFA1C7.EXE 3428 XP-FEBFA1C7.EXE 3428 XP-FEBFA1C7.EXE 3428 XP-FEBFA1C7.EXE 704 explorer.exe 704 explorer.exe 2388 XP-FEBFA1C7.EXE 2388 XP-FEBFA1C7.EXE 2388 XP-FEBFA1C7.EXE 2388 XP-FEBFA1C7.EXE 2388 XP-FEBFA1C7.EXE 2388 XP-FEBFA1C7.EXE -
Suspicious use of WriteProcessMemory  64 IoCs
writer PID  writer process                                       target PID  procid_target  writes
4276        068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe    992          81            3
4276        068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe   4624          83            3
4624        XP-FEBFA1C7.EXE                                      4620          84            3
4624        XP-FEBFA1C7.EXE                                      2008          85            3
2008        XP-FEBFA1C7.EXE                                      5040          87            3
2008        XP-FEBFA1C7.EXE                                      4524          88            3
4524        XP-FEBFA1C7.EXE                                      2712          90            3
4524        XP-FEBFA1C7.EXE                                      4796         128            3
4796        XP-FEBFA1C7.EXE                                      3624          93            3
4796        XP-FEBFA1C7.EXE                                      1572          95            3
1572        XP-FEBFA1C7.EXE                                      2144          96            3
1572        XP-FEBFA1C7.EXE                                      3356          97            3
3356        XP-FEBFA1C7.EXE                                      3724         126            3
3356        XP-FEBFA1C7.EXE                                      3428         100            3
3428        XP-FEBFA1C7.EXE                                      4128         102            3
3428        XP-FEBFA1C7.EXE                                      2388         103            3
2388        XP-FEBFA1C7.EXE                                      4540         105            3
2388        XP-FEBFA1C7.EXE                                      2856         106            3
2856        XP-FEBFA1C7.EXE                                      1012         108            3
2856        XP-FEBFA1C7.EXE                                      2792         109            3
2792        XP-FEBFA1C7.EXE                                      2000         111            3
2792        XP-FEBFA1C7.EXE                                      2832         168            1 (the 64-entry list ends here)

Every target is a process the writer has just created: the explorer.exe and the XP-FEBFA1C7.EXE child at the next depth of the tree below, each receiving three writes. That is the pattern of a parent setting up its own new children at process creation, not of injection into an unrelated, pre-existing process. procid_target is the sandbox's own sequence number for the target's process record, not a Windows PID; the values are reproduced as the report gives them.
Processes

The flattened listing runs image path, command line and tree depth together on one line. Paths and command lines are identical at every level, so they are given once:

  root (depth 1)    image    C:\Users\Admin\AppData\Local\Temp\068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe
                    cmdline  "C:\Users\Admin\AppData\Local\Temp\068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe"
  explorer.exe      image    C:\Windows\SysWOW64\explorer.exe
                    cmdline  explorer C:\Users\Admin\AppData\Local\Temp\068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118   (depth 2)
                    cmdline  explorer C:\Windows\SysWOW64\XP-FEBFA1C7                                                   (depth 3 and deeper)
  XP-FEBFA1C7.EXE   image    C:\Windows\SysWOW64\XP-FEBFA1C7.EXE
                    cmdline  C:\Windows\system32\XP-FEBFA1C7.EXE

Reading notes:
- The tree is a strict chain. The root starts one explorer.exe and one XP-FEBFA1C7.EXE; every XP-FEBFA1C7.EXE at depth n in turn starts one explorer.exe and one fresh XP-FEBFA1C7.EXE at depth n+1. The listing ends at depth 122 with an explorer.exe and no sibling copy recorded.
- The command line names C:\Windows\system32\XP-FEBFA1C7.EXE but the image is recorded under C:\Windows\SysWOW64: the processes are 32-bit (explorer.exe is resolved to the SysWOW64 copy as well) and WoW64 file-system redirection maps system32 to SysWOW64 for them. The root's "Drops file in System32 directory" refers to this same file.
- The argument given to explorer.exe is the launching binary's own path without its .exe extension (the sample's path at depth 2, the dropped copy's path from depth 3 on). No explorer.exe child carries any signature.
- The per-process annotations mirror the 64-entry signature lists above and stop where those lists stop: SetWindowsHookEx ends at PID 2388 (depth 9) and WriteProcessMemory at the write into PID 2832 (depth 12), and the tree drops the same annotations at exactly those depths. A deeper copy without annotations is outside the list limit, not shown to be free of the behaviour.
- PIDs are reused within the run (3724 at depths 8 and 17, 4824 at depths 13 and 25, 4624 as the depth-2 copy and again as the depth-92 explorer.exe), so a PID alone does not identify a process in this report.

Signature legend for the last column:
  A  Executes dropped EXE
  B  Loads dropped DLL
  C  Writes to the Master Boot Record (MBR)
  D  Suspicious use of SetWindowsHookEx
  E  Suspicious use of WriteProcessMemory

depth 1 (root)  068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe  PID 4276  signatures: B C D E, Drops file in System32 directory

Children per depth (both are started by the XP-FEBFA1C7.EXE copy one level up; at depth 2 by the root):

depth  explorer.exe PID  XP-FEBFA1C7.EXE PID  signatures on the XP-FEBFA1C7.EXE copy
    2     992              4624               A B C D E
    3    4620              2008               A B C D E
    4    5040              4524               A B C D E
    5    2712              4796               A B C D E
    6    3624              1572               A B C D E
    7    2144              3356               A B C D E
    8    3724              3428               A B C D E
    9    4128              2388               A B C D E
   10    4540              2856               A B C E
   11    1012              2792               A C E
   12    2000              2832               A C
   13    4824              2300               A C
   14     540              3128               A C
   15    4668              2620
   16    1812              1308
   17    3724              1104
   18    3600              1092
   19    2964              4000
   20    3176              1384
   21    1084              3168
   22    1120              2820
   23    2428              4972
   24    2172              4240
   25    5032              4824
   26    2200              2556
   27    4840              3448
   28    4644              4564
   29     724              4360
   30    3516              2304
   31    2832              5184
   32    5308              5360
   33    5484              5556
   34    5680              5732
   35    5864              5920
   36    6044              6096
   37    5204              5324
   38    5024              5596
   39    5280              5908
   40    5892              5900
   41    5960              5188
   42    5412              4464
   43    5240              5312
   44    6148              6220
   45    6348              6392
   46    6520              6572
   47    6684              6728
   48    6832              6868
   49    6968              7012
   50    7104              7144
   51    5708              6216
   52    6384              5220
   53    6344              6772
   54    6424              7028
   55    6760              2812
   56    1636              7012
   57    6768              7068
   58    6544              6512
   59    6780              7028
   60    6692              6604
   61    5692              6036
   62    5432              6780
   63    7212              7244
   64    7344              7388
   65    7476              7508
   66    7588              7632
   67    7720              7760
   68    7852              7888
   69    8008              8056
   70    8168              6732
   71    1904              7188
   72    7476              7676
   73    7416              1892
   74    8084              7184
   75    8172              8124
   76    6608              7212
   77    7364              5152
   78    6120              4828
   79    6608              3504
   80    6120              7356
   81    7760              8204
   82    8332              8396
   83    8568              8620
   84    8768              8824
   85    8944              8988
   86    9136              9192
   87    8272              6316
   88    8364              8580
   89    6264              8948
   90    9160              5204
   91    7764              8616
   92    4624              7356
   93    8244              5768
   94    6940              8672
   95    4860              8200
   96    6116              6372
   97    5900              4860
   98    6116              4864
   99    8280              9248
  100    9360              9396
  101    9520              9576
  102    9668              9708
  103    9816              9856
  104    9972             10024
  105   10136             10176
  106    9284              9224
  107    1056              8344
  108    9756              9684
  109    9828              9652
  110    9740             10148
  111   10124              6172
  112    9408              4688
  113    9748              9964
  114    9584              2576
  115    7420              6896
  116    5796              9708
  117    5184              7420
  118    9704              7232
  119    8816              8360
  120   10340             10368
  121   10480             10524
  122   10664              (no copy recorded; the listing ends here)
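The process listing above and the WriteProcessMemory table before it describe the same structure: a binary that relaunches a copy of itself, level after level, starting an explorer.exe beside each copy. The script below, an added example for reading this report and not the sandbox's own tooling, rebuilds that tree from the flattened text exactly as it appears on the page (image path, command line and depth fused on one line, signatures as "- " bullets, PID on a trailing line) and then measures the self-relaunch chain and the parent/child image pairs. The awkward part is the depth: "XP-FEBFA1C73" could be depth 3 or depth 73, and only the preorder position settles it, so the parser carries the previous depth and prefers child, then sibling. The sample input is a constructed excerpt of this report's first levels; the PID-reuse note in the code reflects the duplicate PIDs visible in the listing.

```python
"""Rebuild a sandbox process tree from the flattened listing above and measure the
sample's self-relaunch chain. Added example for this report, not sandbox tooling.
Input lines look like  <image path><command line><depth>⤵PID:<pid>  or, with
signatures attached,  <image path><command line><depth>⤵  followed by '- <signature>'
lines and a closing 'PID:<pid> -' line; path, command line and depth are fused."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

IMAGE_RE = re.compile(r"^(?P<image>.*?\.exe)(?P<rest>.*)$", re.IGNORECASE)
PID_RE = re.compile(r"PID:(\d+)")

# Constructed excerpt of this report's listing: the root and its first three levels.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
PID:4276 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\068cd7ee76ccad7b61a72b3a4ce93425_JaffaCakes1182⤵PID:992
-
C:\Windows\SysWOW64\XP-FEBFA1C7.EXEC:\Windows\system32\XP-FEBFA1C7.EXE2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4624 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\XP-FEBFA1C73⤵PID:4620
C:\Windows\SysWOW64\XP-FEBFA1C7.EXEC:\Windows\system32\XP-FEBFA1C7.EXE3⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\XP-FEBFA1C74⤵PID:5040
C:\Windows\SysWOW64\XP-FEBFA1C7.EXEC:\Windows\system32\XP-FEBFA1C7.EXE4⤵PID:4524
"""


@dataclass
class Proc:
    pid: int
    image: str                    # path as recorded (SysWOW64 for a 32-bit process)
    cmdline: str
    depth: int
    parent_index: Optional[int]   # list position, not PID: PIDs are reused in the run
    signatures: list[str] = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def split_depth(tail: str, prev_depth: int) -> tuple[str, int]:
    """Split '<command line><depth>' where the depth digits are glued on.
    The listing is in preorder, so the next depth is at most prev_depth + 1:
    prefer a child (prev + 1), then a sibling (prev), then the largest fit."""
    m = re.search(r"\d+$", tail)
    if not m:
        raise ValueError(f"no depth digits at the end of {tail!r}")
    digits = m.group(0)
    cands: dict[int, int] = {}                 # depth -> trailing chars it occupies
    for i in range(len(digits) - 1, -1, -1):   # shortest suffix first
        value = int(digits[i:])
        if 1 <= value <= prev_depth + 1:
            cands.setdefault(value, len(digits) - i)
    if not cands:
        raise ValueError(f"no plausible depth in {tail!r} after depth {prev_depth}")
    depth = next((d for d in (prev_depth + 1, prev_depth) if d in cands), max(cands))
    return tail[: len(tail) - cands[depth]], depth


def parse_process_list(text: str) -> list[Proc]:
    procs: list[Proc] = []
    latest_at_depth: dict[int, int] = {}       # depth -> index of newest node there
    current: Optional[Proc] = None
    prev_depth = 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":            # bullet residue from the page layout
            continue
        if "⤵" in line:
            fused, _, after = line.partition("⤵")
            m = IMAGE_RE.match(fused)
            if not m:
                raise ValueError(f"no image path in {fused!r}")
            cmdline, depth = split_depth(m.group("rest"), prev_depth)
            pm = PID_RE.search(after)
            current = Proc(int(pm.group(1)) if pm else -1, m.group("image"), cmdline,
                           depth, latest_at_depth.get(depth - 1))
            latest_at_depth[depth] = len(procs)
            procs.append(current)
            prev_depth = depth
        elif line.startswith("- ") and current is not None:
            current.signatures.append(line[2:].strip())
        elif current is not None and (pm := PID_RE.search(line)):
            current.pid = int(pm.group(1))     # PID line that follows the signatures
    return procs


def longest_self_spawn_chain(procs: list[Proc]) -> tuple[str, int]:
    """Longest parent -> child run of processes sharing one image name."""
    run_len: list[int] = []
    best = ("", 0)
    for p in procs:
        n = 1
        if p.parent_index is not None and procs[p.parent_index].name == p.name:
            n = run_len[p.parent_index] + 1
        run_len.append(n)
        if n > best[1]:
            best = (p.name, n)
    return best


def spawn_edges(procs: list[Proc]) -> Counter:
    """How often each (parent image, child image) pair occurs."""
    return Counter((procs[p.parent_index].name, p.name)
                   for p in procs if p.parent_index is not None)


if __name__ == "__main__":
    tree = parse_process_list(SAMPLE)
    for p in tree:
        print(f"{'  ' * (p.depth - 1)}{p.name} pid={p.pid} sigs={p.signatures}")
    print("longest self-spawn chain:", longest_self_spawn_chain(tree))
    print("spawn edges:", dict(spawn_edges(tree)))
```

Run against the full listing, the same functions give the chain length of the XP-FEBFA1C7.EXE run and confirm that every explorer.exe has an XP-FEBFA1C7.EXE parent; the preorder rule is what keeps "XP-FEBFA1C717" at depth 16 from being read as depth 7.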