Analysis
-
max time kernel
54s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15/10/2024, 23:32
Static task
static1
Behavioral task
behavioral1
Sample
4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
4a7eb850f3c69ed3968eee8a12c25de8
-
SHA1
6c52b479b0d6a3bdaf7d3872c58014b21bda94fa
-
SHA256
9505d7744be75ec3b2226f8e2b46bde83f975480ef599584dbcff94e2fa2d837
-
SHA512
de8ffe1ef368d2414bef4176851ac162c22996e9f8edb13e922520d78eb7ee02161f2d327e598b6dce55b1b0e2043b3f98b0447229c9c317e2e2ac46479a4867
-
SSDEEP
24576:quQTQALVtguzmcpv1F+SPzPGwbE0Uu2vxauO39q95vRKiFeTw6WY5YtIb3XaAG:qhTdbtacp/xHyvUuy9qn0iGxWY5YIM
Malware Config
Signatures
-
Executes dropped EXE 64 IoCs
pid Process 2340 DECB07.EXE 2896 DECB07.EXE 1520 DECB07.EXE 1660 DECB07.EXE 1180 DECB07.EXE 2376 DECB07.EXE 1072 DECB07.EXE 2184 DECB07.EXE 1588 DECB07.EXE 2792 DECB07.EXE 2608 DECB07.EXE 1076 DECB07.EXE 1308 DECB07.EXE 960 DECB07.EXE 784 DECB07.EXE 2372 DECB07.EXE 2620 DECB07.EXE 2964 DECB07.EXE 2624 DECB07.EXE 528 DECB07.EXE 2948 DECB07.EXE 1616 DECB07.EXE 1384 DECB07.EXE 2844 DECB07.EXE 2648 DECB07.EXE 2984 DECB07.EXE 1544 DECB07.EXE 1644 DECB07.EXE 3184 DECB07.EXE 3340 DECB07.EXE 3500 DECB07.EXE 3652 DECB07.EXE 3804 DECB07.EXE 3956 DECB07.EXE 4092 DECB07.EXE 3168 DECB07.EXE 3524 DECB07.EXE 3756 DECB07.EXE 3932 DECB07.EXE 3140 DECB07.EXE 3640 DECB07.EXE 3504 DECB07.EXE 3528 DECB07.EXE 3896 DECB07.EXE 3752 DECB07.EXE 2648 DECB07.EXE 4168 DECB07.EXE 4296 DECB07.EXE 4456 DECB07.EXE 4596 DECB07.EXE 4744 DECB07.EXE 4864 DECB07.EXE 5008 DECB07.EXE 4112 DECB07.EXE 4252 DECB07.EXE 4608 DECB07.EXE 4296 DECB07.EXE 5024 DECB07.EXE 4100 DECB07.EXE 4624 DECB07.EXE 4800 DECB07.EXE 4608 DECB07.EXE 4768 DECB07.EXE 5032 DECB07.EXE -
Loads dropped DLL 64 IoCs
pid Process 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2340 DECB07.EXE 2340 DECB07.EXE 2340 DECB07.EXE 2340 DECB07.EXE 2340 DECB07.EXE 2340 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 2792 DECB07.EXE 2792 DECB07.EXE 2792 DECB07.EXE 2792 DECB07.EXE -
Writes to the Master Boot Record (MBR) 1 TTPs 64 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE -
Drops file in Windows directory 14 IoCs
description ioc Process File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico explorer.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000f00000000000000000000000 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2340 DECB07.EXE 2340 DECB07.EXE 2340 DECB07.EXE 2340 DECB07.EXE 2340 DECB07.EXE 2340 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 2896 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1520 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1660 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 1180 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 2376 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 1072 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 2184 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 1588 DECB07.EXE 2792 DECB07.EXE 2792 DECB07.EXE 2792 DECB07.EXE 2792 DECB07.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1704 wrote to memory of 2572 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 30 PID 1704 wrote to memory of 2572 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 30 PID 1704 wrote to memory of 2572 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 30 PID 1704 wrote to memory of 2572 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 30 PID 1704 wrote to memory of 2340 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 32 PID 1704 wrote to memory of 2340 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 32 PID 1704 wrote to memory of 2340 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 32 PID 1704 wrote to memory of 2340 1704 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 32 PID 2340 wrote to memory of 2836 2340 DECB07.EXE 33 PID 2340 wrote to memory of 2836 2340 DECB07.EXE 33 PID 2340 wrote to memory of 2836 2340 DECB07.EXE 33 PID 2340 wrote to memory of 2836 2340 DECB07.EXE 33 PID 2340 wrote to memory of 2896 2340 DECB07.EXE 34 PID 2340 wrote to memory of 2896 2340 DECB07.EXE 34 PID 2340 wrote to memory of 2896 2340 DECB07.EXE 34 PID 2340 wrote to memory of 2896 2340 DECB07.EXE 34 PID 2896 wrote to memory of 1416 2896 DECB07.EXE 36 PID 2896 wrote to memory of 1416 2896 DECB07.EXE 36 PID 2896 wrote to memory of 1416 2896 DECB07.EXE 36 PID 2896 wrote to memory of 1416 2896 DECB07.EXE 36 PID 2896 wrote to memory of 1520 2896 DECB07.EXE 37 PID 2896 wrote to memory of 1520 2896 DECB07.EXE 37 PID 2896 wrote to memory of 1520 2896 DECB07.EXE 37 PID 2896 wrote to memory of 1520 2896 DECB07.EXE 37 PID 1520 wrote to memory of 1364 1520 DECB07.EXE 39 PID 1520 wrote to memory of 1364 1520 DECB07.EXE 39 PID 1520 wrote to memory of 1364 1520 DECB07.EXE 39 PID 1520 wrote to memory of 1364 1520 DECB07.EXE 39 PID 1520 wrote to memory of 1660 1520 DECB07.EXE 40 PID 1520 wrote to memory of 1660 1520 DECB07.EXE 40 PID 1520 wrote to memory of 1660 1520 DECB07.EXE 40 PID 1520 wrote to memory of 1660 1520 DECB07.EXE 40 PID 1660 wrote to memory of 2016 1660 DECB07.EXE 42 PID 1660 wrote to memory of 2016 1660 DECB07.EXE 42 PID 1660 wrote to memory of 2016 1660 DECB07.EXE 42 PID 1660 wrote to memory of 2016 1660 DECB07.EXE 42 PID 1660 wrote to memory of 1180 1660 DECB07.EXE 92 PID 1660 wrote to memory of 1180 1660 DECB07.EXE 92 PID 1660 wrote to memory of 1180 1660 DECB07.EXE 92 PID 1660 wrote to memory of 1180 1660 DECB07.EXE 92 PID 1180 wrote to memory of 936 1180 DECB07.EXE 45 PID 1180 wrote to memory of 936 1180 DECB07.EXE 45 PID 1180 wrote to memory of 936 1180 DECB07.EXE 45 PID 1180 wrote to memory of 936 1180 DECB07.EXE 45 PID 1180 wrote to memory of 2376 1180 DECB07.EXE 46 PID 1180 wrote to memory of 2376 1180 DECB07.EXE 46 PID 1180 wrote to memory of 2376 1180 DECB07.EXE 46 PID 1180 wrote to memory of 2376 1180 DECB07.EXE 46 PID 2376 wrote to memory of 1376 2376 DECB07.EXE 48 PID 2376 wrote to memory of 1376 2376 DECB07.EXE 48 PID 2376 wrote to memory of 1376 2376 DECB07.EXE 48 PID 2376 wrote to memory of 1376 2376 DECB07.EXE 48 PID 2376 wrote to memory of 1072 2376 DECB07.EXE 50 PID 2376 wrote to memory of 1072 2376 DECB07.EXE 50 PID 2376 wrote to memory of 1072 2376 DECB07.EXE 50 PID 2376 wrote to memory of 1072 2376 DECB07.EXE 50 PID 1072 wrote to memory of 2412 1072 DECB07.EXE 51 PID 1072 wrote to memory of 2412 1072 DECB07.EXE 51 PID 1072 wrote to memory of 2412 1072 DECB07.EXE 51 PID 1072 wrote to memory of 2412 1072 DECB07.EXE 51 PID 1072 wrote to memory of 2184 1072 DECB07.EXE 52 PID 1072 wrote to memory of 2184 1072 DECB07.EXE 52 PID 1072 wrote to memory of 2184 1072 DECB07.EXE 52 PID 1072 wrote to memory of 2184 1072 DECB07.EXE 52
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes1182⤵
- System Location Discovery: System Language Discovery
PID:2572
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB073⤵
- System Location Discovery: System Language Discovery
PID:2836
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB074⤵
- System Location Discovery: System Language Discovery
PID:1416
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB075⤵PID:1364
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB076⤵PID:2016
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB077⤵PID:936
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB078⤵PID:1376
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB079⤵PID:2412
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE9⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2184 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0710⤵
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE10⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1588 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0711⤵PID:2668
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE11⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2792 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0712⤵
- System Location Discovery: System Language Discovery
PID:2984
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE12⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0713⤵PID:2836
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE13⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0714⤵PID:1452
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE14⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0715⤵PID:704
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE15⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:960 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0716⤵
- System Location Discovery: System Language Discovery
PID:1420
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE16⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:784 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0717⤵PID:2972
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE17⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0718⤵PID:2244
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE18⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0719⤵
- System Location Discovery: System Language Discovery
PID:1616
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE19⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0720⤵PID:1536
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE20⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0721⤵PID:2896
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE21⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:528 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0722⤵PID:2972
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE22⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:2948 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0723⤵PID:1644
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE23⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0724⤵PID:2340
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE24⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1384 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0725⤵PID:1660
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE25⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0726⤵
- System Location Discovery: System Language Discovery
PID:1968
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE26⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0727⤵
- System Location Discovery: System Language Discovery
PID:2040
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE27⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0728⤵PID:2780
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0729⤵PID:1768
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE29⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0730⤵PID:3140
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE30⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:3184 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0731⤵PID:3276
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE31⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3340 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0732⤵
- System Location Discovery: System Language Discovery
PID:3452
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE32⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3500 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0733⤵
- System Location Discovery: System Language Discovery
PID:3596
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE33⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3652 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0734⤵PID:3744
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE34⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3804 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0735⤵
- System Location Discovery: System Language Discovery
PID:3900
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE35⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3956 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0736⤵
- System Location Discovery: System Language Discovery
PID:4052
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0737⤵PID:3204
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE37⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3168 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0738⤵PID:3276
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE38⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3524 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0739⤵PID:3688
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE39⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3756 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0740⤵
- System Location Discovery: System Language Discovery
PID:3908
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE40⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:3932 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0741⤵
- System Location Discovery: System Language Discovery
PID:4068
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE41⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3140 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0742⤵
- System Location Discovery: System Language Discovery
PID:3808
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE42⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3640 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0743⤵
- System Location Discovery: System Language Discovery
PID:3188
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE43⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3504 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0744⤵PID:3288
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE44⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:3528 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0745⤵PID:3688
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE45⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3896 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0746⤵PID:3196
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE46⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:3752 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0747⤵PID:3620
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE47⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0748⤵
- System Location Discovery: System Language Discovery
PID:4124
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE48⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:4168 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0749⤵PID:4252
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4296 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0750⤵PID:4392
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE50⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0751⤵PID:4548
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4596 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0752⤵PID:4692
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4744 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0753⤵
- System Location Discovery: System Language Discovery
PID:4820
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE53⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0754⤵PID:4964
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE54⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:5008 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0755⤵PID:5116
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE55⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4112 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0756⤵PID:4320
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE56⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:4252 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0757⤵PID:4428
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE57⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:4608 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0758⤵PID:4768
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE58⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4296 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0759⤵PID:4820
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0760⤵
- System Location Discovery: System Language Discovery
PID:4132
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE60⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:4100 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0761⤵PID:4864
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE61⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4624 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0762⤵PID:4832
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4800 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0763⤵PID:4460
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE63⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4608 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0764⤵
- System Location Discovery: System Language Discovery
PID:4368
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE64⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4768 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0765⤵PID:3924
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE65⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5032 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0766⤵PID:4440
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE66⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4748 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0767⤵PID:5192
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE67⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5228 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0768⤵PID:5304
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE68⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0769⤵
- System Location Discovery: System Language Discovery
PID:5448
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE69⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:5484 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0770⤵PID:5568
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE70⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5604 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0771⤵
- System Location Discovery: System Language Discovery
PID:5676
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE71⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:5712 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0772⤵PID:5792
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE72⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:5832 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0773⤵
- System Location Discovery: System Language Discovery
PID:5904
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE73⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:5948 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0774⤵PID:6016
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE74⤵
- Drops file in System32 directory
PID:6048 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0775⤵PID:6128
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE75⤵
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
PID:4260 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0776⤵
- System Location Discovery: System Language Discovery
PID:5184
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE76⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:5032 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0777⤵PID:5448
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE77⤵
- Writes to the Master Boot Record (MBR)
PID:5592 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0778⤵PID:5676
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE78⤵PID:5488
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0779⤵PID:5920
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE79⤵PID:6060
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0780⤵PID:5200
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE80⤵PID:5328
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0781⤵PID:5460
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE81⤵PID:5820
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0782⤵PID:5904
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE82⤵PID:5920
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0783⤵PID:5796
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE83⤵PID:5308
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0784⤵PID:5956
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE84⤵PID:6164
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0785⤵PID:6248
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE85⤵PID:6296
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0786⤵PID:6392
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE86⤵PID:6436
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0787⤵PID:6520
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE87⤵PID:6556
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0788⤵PID:6660
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE88⤵PID:6692
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0789⤵PID:6768
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE89⤵PID:6820
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0790⤵PID:6900
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE90⤵PID:6940
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0791⤵PID:7036
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE91⤵PID:7084
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0792⤵PID:6176
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE92⤵PID:4456
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0793⤵PID:6452
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE93⤵PID:6168
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0794⤵PID:6680
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE94⤵PID:6840
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0795⤵PID:6800
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE95⤵PID:2992
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0796⤵PID:7100
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE96⤵PID:7048
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0797⤵PID:2476
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE97⤵PID:5304
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0798⤵PID:6668
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE98⤵PID:2420
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0799⤵PID:932
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE99⤵PID:6840
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07100⤵PID:6952
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE100⤵PID:7036
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07101⤵PID:3048
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE101⤵PID:7192
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07102⤵PID:7280
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE102⤵PID:7316
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07103⤵PID:7388
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE103⤵PID:7424
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07104⤵PID:7520
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE104⤵PID:7564
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07105⤵PID:7644
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE105⤵PID:7688
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07106⤵PID:7784
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE106⤵PID:7820
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07107⤵PID:7920
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE107⤵PID:7952
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07108⤵PID:8048
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE108⤵PID:8084
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07109⤵PID:8180
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE109⤵PID:7228
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07110⤵PID:7288
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE110⤵PID:7444
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07111⤵PID:3328
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE111⤵PID:7712
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07112⤵PID:7800
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE112⤵PID:7960
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07113⤵PID:8140
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE113⤵PID:7040
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07114⤵PID:7576
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE114⤵PID:8084
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07115⤵PID:7880
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE115⤵PID:7200
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07116⤵PID:7296
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE116⤵PID:7332
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07117⤵PID:8236
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE117⤵PID:8272
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07118⤵PID:8360
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE118⤵PID:8400
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07119⤵PID:8484
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE119⤵PID:8524
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07120⤵PID:8604
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE120⤵PID:8640
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07121⤵PID:8724
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE121⤵PID:8768
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07122⤵PID:8856
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-