Analysis
-
max time kernel
7s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2024, 23:32
Static task
static1
Behavioral task
behavioral1
Sample
4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe
-
Size
1.4MB
-
MD5
4a7eb850f3c69ed3968eee8a12c25de8
-
SHA1
6c52b479b0d6a3bdaf7d3872c58014b21bda94fa
-
SHA256
9505d7744be75ec3b2226f8e2b46bde83f975480ef599584dbcff94e2fa2d837
-
SHA512
de8ffe1ef368d2414bef4176851ac162c22996e9f8edb13e922520d78eb7ee02161f2d327e598b6dce55b1b0e2043b3f98b0447229c9c317e2e2ac46479a4867
-
SSDEEP
24576:quQTQALVtguzmcpv1F+SPzPGwbE0Uu2vxauO39q95vRKiFeTw6WY5YtIb3XaAG:qhTdbtacp/xHyvUuy9qn0iGxWY5YIM
Malware Config
Signatures
-
Executes dropped EXE 11 IoCs
pid Process 2060 DECB07.EXE 2952 DECB07.EXE 3420 DECB07.EXE 3352 DECB07.EXE 2652 DECB07.EXE 2396 DECB07.EXE 3464 DECB07.EXE 1904 DECB07.EXE 432 DECB07.EXE 656 DECB07.EXE 1160 DECB07.EXE -
Loads dropped DLL 64 IoCs
pid Process 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2060 DECB07.EXE 2060 DECB07.EXE 2060 DECB07.EXE 2060 DECB07.EXE 2060 DECB07.EXE 2060 DECB07.EXE 2060 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE 432 DECB07.EXE -
Writes to the Master Boot Record (MBR) 1 TTPs 12 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE File opened for modification \??\PhysicalDrive0 DECB07.EXE -
Drops file in System32 directory 22 IoCs
description ioc Process File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File created C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE File opened for modification C:\Windows\SysWOW64\B526A5\DECB07.EXE DECB07.EXE -
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DECB07.EXE -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe -
Suspicious behavior: AddClipboardFormatListener 6 IoCs
pid Process 4816 explorer.exe 2696 explorer.exe 528 explorer.exe 1116 explorer.exe 4108 explorer.exe 2896 explorer.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 2060 DECB07.EXE 2060 DECB07.EXE 2060 DECB07.EXE 2060 DECB07.EXE 2060 DECB07.EXE 2060 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 2952 DECB07.EXE 4816 explorer.exe 4816 explorer.exe 3420 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3420 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 3352 DECB07.EXE 2696 explorer.exe 2696 explorer.exe 2652 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 2652 DECB07.EXE 528 explorer.exe 528 explorer.exe 2396 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 2396 DECB07.EXE 1116 explorer.exe 1116 explorer.exe 3464 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 3464 DECB07.EXE 4108 explorer.exe 4108 explorer.exe 1904 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE 1904 DECB07.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 928 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 84 PID 2260 wrote to memory of 928 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 84 PID 2260 wrote to memory of 928 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 84 PID 2260 wrote to memory of 2060 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 87 PID 2260 wrote to memory of 2060 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 87 PID 2260 wrote to memory of 2060 2260 4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe 87 PID 2060 wrote to memory of 2676 2060 DECB07.EXE 88 PID 2060 wrote to memory of 2676 2060 DECB07.EXE 88 PID 2060 wrote to memory of 2676 2060 DECB07.EXE 88 PID 2060 wrote to memory of 2952 2060 DECB07.EXE 89 PID 2060 wrote to memory of 2952 2060 DECB07.EXE 89 PID 2060 wrote to memory of 2952 2060 DECB07.EXE 89 PID 2952 wrote to memory of 4768 2952 DECB07.EXE 152 PID 2952 wrote to memory of 4768 2952 DECB07.EXE 152 PID 2952 wrote to memory of 4768 2952 DECB07.EXE 152 PID 2952 wrote to memory of 3420 2952 DECB07.EXE 92 PID 2952 wrote to memory of 3420 2952 DECB07.EXE 92 PID 2952 wrote to memory of 3420 2952 DECB07.EXE 92 PID 3420 wrote to memory of 1072 3420 DECB07.EXE 94 PID 3420 wrote to memory of 1072 3420 DECB07.EXE 94 PID 3420 wrote to memory of 1072 3420 DECB07.EXE 94 PID 3420 wrote to memory of 3352 3420 DECB07.EXE 95 PID 3420 wrote to memory of 3352 3420 DECB07.EXE 95 PID 3420 wrote to memory of 3352 3420 DECB07.EXE 95 PID 3352 wrote to memory of 1572 3352 DECB07.EXE 98 PID 3352 wrote to memory of 1572 3352 DECB07.EXE 98 PID 3352 wrote to memory of 1572 3352 DECB07.EXE 98 PID 3352 wrote to memory of 2652 3352 DECB07.EXE 99 PID 3352 wrote to memory of 2652 3352 DECB07.EXE 99 PID 3352 wrote to memory of 2652 3352 DECB07.EXE 99 PID 2652 wrote to memory of 840 2652 DECB07.EXE 101 PID 2652 wrote to memory of 840 2652 DECB07.EXE 101 PID 2652 wrote to memory of 840 2652 DECB07.EXE 101 PID 2652 wrote to memory of 2396 2652 DECB07.EXE 102 PID 2652 wrote to memory of 2396 2652 DECB07.EXE 102 PID 2652 wrote to memory of 2396 2652 DECB07.EXE 102 PID 2396 wrote to memory of 4932 2396 DECB07.EXE 104 PID 2396 wrote to memory of 4932 2396 DECB07.EXE 104 PID 2396 wrote to memory of 4932 2396 DECB07.EXE 104 PID 2396 wrote to memory of 3464 2396 DECB07.EXE 105 PID 2396 wrote to memory of 3464 2396 DECB07.EXE 105 PID 2396 wrote to memory of 3464 2396 DECB07.EXE 105 PID 3464 wrote to memory of 2904 3464 DECB07.EXE 107 PID 3464 wrote to memory of 2904 3464 DECB07.EXE 107 PID 3464 wrote to memory of 2904 3464 DECB07.EXE 107 PID 3464 wrote to memory of 1904 3464 DECB07.EXE 108 PID 3464 wrote to memory of 1904 3464 DECB07.EXE 108 PID 3464 wrote to memory of 1904 3464 DECB07.EXE 108 PID 1904 wrote to memory of 2400 1904 DECB07.EXE 110 PID 1904 wrote to memory of 2400 1904 DECB07.EXE 110 PID 1904 wrote to memory of 2400 1904 DECB07.EXE 110 PID 1904 wrote to memory of 432 1904 DECB07.EXE 111 PID 1904 wrote to memory of 432 1904 DECB07.EXE 111 PID 1904 wrote to memory of 432 1904 DECB07.EXE 111 PID 432 wrote to memory of 392 432 DECB07.EXE 113 PID 432 wrote to memory of 392 432 DECB07.EXE 113 PID 432 wrote to memory of 392 432 DECB07.EXE 113 PID 432 wrote to memory of 656 432 DECB07.EXE 149 PID 432 wrote to memory of 656 432 DECB07.EXE 149 PID 432 wrote to memory of 656 432 DECB07.EXE 149 PID 656 wrote to memory of 1020 656 DECB07.EXE 116 PID 656 wrote to memory of 1020 656 DECB07.EXE 116 PID 656 wrote to memory of 1020 656 DECB07.EXE 116 PID 656 wrote to memory of 1160 656 DECB07.EXE 117
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Users\Admin\AppData\Local\Temp\4a7eb850f3c69ed3968eee8a12c25de8_JaffaCakes1182⤵
- System Location Discovery: System Language Discovery
PID:928
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB073⤵
- System Location Discovery: System Language Discovery
PID:2676
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE3⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB074⤵
- System Location Discovery: System Language Discovery
PID:4768
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB075⤵
- System Location Discovery: System Language Discovery
PID:1072
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE5⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3352 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB076⤵
- System Location Discovery: System Language Discovery
PID:1572
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE6⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB077⤵
- System Location Discovery: System Language Discovery
PID:840
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE7⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB078⤵
- System Location Discovery: System Language Discovery
PID:4932
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE8⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB079⤵
- System Location Discovery: System Language Discovery
PID:2904
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE9⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0710⤵
- System Location Discovery: System Language Discovery
PID:2400
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE10⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0711⤵
- System Location Discovery: System Language Discovery
PID:392
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE11⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:656 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0712⤵
- System Location Discovery: System Language Discovery
PID:1020
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE12⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0713⤵
- System Location Discovery: System Language Discovery
PID:5108
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE13⤵PID:5116
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0714⤵PID:3272
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE14⤵PID:3100
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0715⤵PID:2864
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE15⤵PID:1912
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0716⤵PID:3624
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE16⤵PID:4476
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0717⤵PID:2524
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE17⤵PID:4772
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0718⤵PID:4060
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE18⤵PID:4496
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0719⤵PID:1636
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE19⤵PID:2868
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0720⤵PID:2252
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE20⤵PID:4176
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0721⤵PID:4440
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE21⤵PID:4196
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0722⤵PID:316
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE22⤵PID:1048
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0723⤵PID:656
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE23⤵PID:4472
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0724⤵PID:4768
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE24⤵PID:1168
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0725⤵PID:2352
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE25⤵PID:872
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0726⤵PID:2388
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE26⤵PID:1604
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0727⤵PID:5172
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE27⤵PID:5236
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0728⤵PID:5360
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE28⤵PID:5448
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0729⤵PID:5556
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE29⤵PID:5620
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0730⤵PID:5720
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE30⤵PID:5792
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0731⤵PID:5916
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE31⤵PID:5996
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0732⤵PID:6116
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE32⤵PID:5000
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0733⤵PID:4724
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE33⤵PID:5200
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0734⤵PID:5668
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE34⤵PID:5808
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0735⤵PID:5452
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE35⤵PID:6036
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0736⤵PID:5976
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE36⤵PID:5844
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0737⤵PID:6100
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE37⤵PID:2388
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0738⤵PID:1364
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE38⤵PID:5516
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0739⤵PID:5448
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE39⤵PID:2244
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0740⤵PID:5568
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE40⤵PID:5732
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0741⤵PID:5264
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE41⤵PID:6232
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0742⤵PID:6376
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE42⤵PID:6428
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0743⤵PID:6552
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE43⤵PID:6620
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0744⤵PID:6748
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE44⤵PID:6820
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0745⤵PID:6916
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE45⤵PID:6988
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0746⤵PID:7100
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE46⤵PID:7164
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0747⤵PID:5548
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE47⤵PID:6488
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0748⤵PID:6404
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE48⤵PID:6236
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0749⤵PID:6764
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE49⤵PID:6444
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0750⤵PID:6244
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE50⤵PID:4300
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0751⤵PID:7108
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE51⤵PID:6660
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0752⤵PID:3764
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE52⤵PID:4520
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0753⤵PID:1068
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE53⤵PID:6856
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0754⤵PID:6632
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE54⤵PID:7020
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0755⤵PID:6760
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE55⤵PID:6676
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0756⤵PID:5208
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE56⤵PID:6616
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0757⤵PID:4416
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE57⤵PID:7180
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0758⤵PID:7292
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE58⤵PID:7364
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0759⤵PID:7492
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE59⤵PID:7560
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0760⤵PID:7676
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE60⤵PID:7708
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0761⤵PID:7816
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE61⤵PID:7864
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0762⤵PID:7956
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE62⤵PID:7996
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0763⤵PID:8124
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE63⤵PID:8164
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0764⤵PID:2932
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE64⤵PID:1592
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0765⤵PID:7316
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE65⤵PID:7580
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0766⤵PID:7184
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE66⤵PID:7900
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0767⤵PID:8040
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE67⤵PID:7984
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0768⤵PID:6852
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE68⤵PID:8108
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0769⤵PID:2472
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE69⤵PID:7324
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0770⤵PID:7580
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE70⤵PID:1612
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0771⤵PID:7212
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE71⤵PID:7896
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0772⤵PID:1048
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE72⤵PID:5932
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0773⤵PID:8308
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE73⤵PID:8344
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0774⤵PID:8488
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE74⤵PID:8524
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0775⤵PID:8640
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE75⤵PID:8732
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0776⤵PID:8852
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE76⤵PID:8912
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0777⤵PID:9012
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE77⤵PID:9076
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0778⤵PID:9184
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE78⤵PID:8248
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0779⤵PID:2064
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE79⤵PID:3820
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0780⤵PID:8308
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE80⤵PID:8520
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0781⤵PID:8460
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE81⤵PID:8684
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0782⤵PID:8856
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE82⤵PID:8624
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0783⤵PID:7212
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE83⤵PID:9208
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0784⤵PID:7772
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE84⤵PID:8488
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0785⤵PID:3632
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE85⤵PID:8920
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0786⤵PID:8816
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE86⤵PID:8872
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0787⤵PID:9028
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE87⤵PID:6268
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0788⤵PID:1756
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE88⤵PID:6248
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0789⤵PID:2000
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE89⤵PID:8488
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0790⤵PID:3784
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE90⤵PID:6060
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0791⤵PID:7964
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE91⤵PID:8496
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0792⤵PID:9024
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE92⤵PID:5304
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0793⤵PID:9244
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE93⤵PID:9288
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0794⤵PID:9412
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE94⤵PID:9472
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0795⤵PID:9568
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE95⤵PID:9628
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0796⤵PID:9732
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE96⤵PID:9768
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0797⤵PID:9880
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE97⤵PID:9908
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0798⤵PID:10052
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE98⤵PID:10104
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB0799⤵PID:10224
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE99⤵PID:5296
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07100⤵PID:4840
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE100⤵PID:6052
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07101⤵PID:9568
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE101⤵PID:9808
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07102⤵PID:9528
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE102⤵PID:9724
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07103⤵PID:4420
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE103⤵PID:9332
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07104⤵PID:5368
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE104⤵PID:9272
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07105⤵PID:7396
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE105⤵PID:9568
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07106⤵PID:7704
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE106⤵PID:5488
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07107⤵PID:10212
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE107⤵PID:7684
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07108⤵PID:6260
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE108⤵PID:9264
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07109⤵PID:8884
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE109⤵PID:6828
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07110⤵PID:9332
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE110⤵PID:10264
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07111⤵PID:10380
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE111⤵PID:10420
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07112⤵PID:10532
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE112⤵PID:10564
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07113⤵PID:10684
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE113⤵PID:10724
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07114⤵PID:10828
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE114⤵PID:10860
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07115⤵PID:10996
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE115⤵PID:11048
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07116⤵PID:11224
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE116⤵PID:6868
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07117⤵PID:9332
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE117⤵PID:10464
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07118⤵PID:10544
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE118⤵PID:10752
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07119⤵PID:10892
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE119⤵PID:10664
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07120⤵PID:11124
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE120⤵PID:10764
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07121⤵PID:10900
-
-
C:\Windows\SysWOW64\B526A5\DECB07.EXEC:\Windows\system32\B526A5\DECB07.EXE121⤵PID:11232
-
C:\Windows\SysWOW64\explorer.exeexplorer C:\Windows\SysWOW64\B526A5\DECB07122⤵PID:6844
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-